CPUG: The Check Point User Group


Thread: Why SnortConverter is failing or unable to generate simple rule like this?

  1. #1

    Hi Guys,

    Is anyone a SnortConverter expert here? I am trying to export Snort rules using SnortConverter. A couple of other rules are getting exported correctly, but I am not sure what it is cribbing about here.

    This is failing
    alert udp any any -> 104.199.121.36 any (msg:"ET CNC Shadowserver Reported CnC Server UDP group 2";)

    0/1 rules were successfully converted, total of 0 IPS protections were found.
    For more details please see $FWDIR/log/SnortConvertor.elg file.
    The configuration is up to date, therefore no changes were made.

    ##################

    And this is successful

    [Expert@GPMGMT:0]# SnortConvertor update -f test2.rules
    1/1 rules were successfully converted, total of 1 IPS protections were found.
    1/1 IPS protections were updated
    Updating database...

    alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)

  2. #2

    Well, I feel it doesn't like the IP address mentioned in the signature. Any idea how to override that?

  3. #3

    OK - I figured out the issue and was able to import the rule :)

    CP does not like a Snort rule without the content keyword; I added that and it got imported perfectly!
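
A pre-import check built on the finding in post #3, added here as an example and not part of the thread or of any Check Point tooling: it lists the active rules in a file that carry no `content` option, so they can be fixed before running `SnortConvertor update -f`. The requirement is the poster's observation; the function names, the commented-out rule and the last sample rule are constructed for illustration.

```python
import re

# Constructed sample file: rules 1 and 2 are the ones quoted in the thread;
# the commented-out rule and the last rule are constructed edge cases.
SAMPLE_RULES = r'''
alert udp any any -> 104.199.121.36 any (msg:"ET CNC Shadowserver Reported CnC Server UDP group 2";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)
# alert tcp any any -> any 80 (msg:"disabled rule";)
alert tcp any any -> any 80 (msg:"mentions content:\"x\"; only in msg"; sid:1000001;)
'''

# Action, header fields, then the parenthesised option body.
RULE_RE = re.compile(r'^\s*\w+\s+[^(]*\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    opts, buf, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            opts.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    opts.append(''.join(buf).strip())
    return [o for o in opts if o]

def rules_without_content(text):
    """Return (line_number, msg) for every active rule that has no content option."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # commented-out rule
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or not a rule
        parts = (o.partition(':') for o in split_options(m.group(1)))
        opts = {k.strip(): v.strip() for k, _, v in parts}
        if 'content' not in opts:
            flagged.append((lineno, opts.get('msg', '').strip('"')))
    return flagged

if __name__ == "__main__":
    for lineno, msg in rules_without_content(SAMPLE_RULES):
        print(f"line {lineno}: no content option: {msg}")
```

Options are split on the rule's own `;` separators rather than searched as text, so a rule whose `msg` merely contains the word "content" is still reported.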
