CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: fw samp blocking Reconn attacks - How to?

  1. #1
    Join Date
    2012-06-13
    Posts
    368

    Default fw samp blocking Reconn attacks - How to?

    Hi there,

    I have this idea about using fw samp on the fly and am not sure if anyone has already used this before or may have a script ready. Well, I am thinking of a honeypot in my network which will observe for malicious activity by threat actors [or block reconnaissance]. So, if someone tries to connect to the HP system and crosses a threshold, let's say 5 attempts, that IP address will be automatically added to the block list using the fw samp command for 30 mins.

    I guess I don't see a challenge in extracting the IP address, but I do see a challenge in adding the IP address/adding the samp rule on CP on the fly. I guess in R80.10 this can be achieved with the API [but not sure though]; I'm wondering what the chances are on R77.30? Perhaps an ssh-key with an empty password?

    Or any other method probably you guys are aware of?

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494

    Default Re: fw samp blocking Reconn attacks - How to?

    fw samp rules are meant to be changed on the fly.
    Whether you do that with ssh, cprid, or the R80.x API is a matter of personal preference.
    In R80.10, you might also try using dynamic objects, since those can also be modified on the fly and don't have the SecureXL hit.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
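    Added example (not code from the thread or from Check Point): the workflow from post #1, pushing a time-limited fw samp rule in the on-the-fly way post #2 describes. It assumes a constructed honeypot log format of "<epoch> <source_ip> <dst_port>", one line per connection attempt; it counts attempts per source inside a sliding window, and for every source at or above the threshold it builds a `fw samp add ... -t 1800 quota ... pkt-rate 0` quarantine rule. The fw samp command line follows the rate-limiting form shown in sk112454 and should be checked against `fw samp --help` on the target release; `SAMP_RUNNER` is an assumed hook (default `echo`, so the script is a dry run until you point it at an ssh command for the gateway). Everything else is POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the CPUG thread or Check Point: honeypot hits -> fw samp quarantine.
# Assumptions: log lines are "<epoch> <source_ip> <dst_port>"; fw samp syntax as in
# sk112454 (verify with `fw samp --help`); SAMP_RUNNER is how we reach the gateway.

THRESHOLD="${THRESHOLD:-5}"              # attempts that trigger a block (post #1: 5)
WINDOW="${WINDOW:-600}"                  # only count attempts from the last N seconds of the log
BLOCK_SECONDS="${BLOCK_SECONDS:-1800}"   # rule lifetime, 30 minutes as in post #1
SAMP_RUNNER="${SAMP_RUNNER:-echo}"       # dry run; e.g. "ssh -i /home/soc/.ssh/samp_key admin@10.0.0.1"

# Constructed sample log: 203.0.113.9 has six hits but only two inside the window,
# 198.51.100.7 has six inside it, 192.0.2.44 sits exactly on the threshold.
SAMPLE_LOG='1590000000 203.0.113.9 22
1590000001 203.0.113.9 22
1590000002 203.0.113.9 23
1590000003 203.0.113.9 80
1590001000 198.51.100.7 22
1590001001 198.51.100.7 22
1590001002 198.51.100.7 23
1590001003 198.51.100.7 445
1590001004 198.51.100.7 3389
1590001005 198.51.100.7 8080
1590001100 192.0.2.44 22
1590001101 192.0.2.44 22
1590001102 192.0.2.44 22
1590001103 192.0.2.44 22
1590001104 192.0.2.44 22
1590001200 203.0.113.9 22
1590001201 203.0.113.9 22'

# offenders: read log lines on stdin, print (sorted) source IPs with >= THRESHOLD
# attempts inside the last WINDOW seconds, measured from the newest entry in the log.
offenders() {
    awk -v t="$THRESHOLD" -v w="$WINDOW" '
        BEGIN { m = 0 }
        { ts[NR] = $1; ip[NR] = $2; if ($1 > m) m = $1 }
        END {
            for (i = 1; i <= NR; i++) if (ts[i] >= m - w) c[ip[i]]++
            for (k in c) if (c[k] >= t) print k
        }' | sort
}

# samp_cmd <ip>: the quarantine rule. -a d = drop, -l r = regular log,
# -t = seconds until the rule expires by itself, pkt-rate 0 = let nothing through.
samp_cmd() {
    printf 'fw samp add -a d -l r -t %s quota service any source range:%s pkt-rate 0' \
        "$BLOCK_SECONDS" "$1"
}

# block_offenders: stdin = log; one samp_cmd per offender, handed to SAMP_RUNNER.
block_offenders() {
    offenders | while IFS= read -r ip; do
        $SAMP_RUNNER "$(samp_cmd "$ip")"
    done
}

# Dry run on the constructed log: with SAMP_RUNNER=echo this just prints the two commands.
printf '%s\n' "$SAMPLE_LOG" | block_offenders
```

    With `-t` set, each rule expires on the gateway without a matching delete; `fw samp get` shows what is currently active, and if you end up pushing dozens of sources per run, `fw samp batch` takes them in one invocation instead of one ssh session per rule. On the "ssh-key with empty password" question from post #1: if that is the route, scope the key rather than trusting the host that holds it, for instance with the standard OpenSSH `command=` and `from=` options in authorized_keys so it can only run the samp command from the honeypot host (check that the Gaia release in use honours them).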

  3. #3
    Join Date
    2012-06-13
    Posts
    368

    Default Re: fw samp blocking Reconn attacks - How to?

    Quote Originally Posted by PhoneBoy View Post
    fw samp rules are meant to be changed on the fly.
    Whether you do that with ssh, cprid, or the R80.x API is a matter of personal preference.
    In R80.10, you might also try using dynamic objects, since those can also be modified on the fly and don't have the SecureXL hit.
    Correct, that is the main intention of using the fw samp rule. I have not tested Dynamic_object on R80 though; let me have a look at it.

    BTW, is there any limit on fw samp rules?

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494

    Default Re: fw samp blocking Reconn attacks - How to?

    There isn't a specific limit that I am aware of.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2012-08-16
    Posts
    182

    Default Re: fw samp blocking Reconn attacks - How to?

    Perhaps something like this:

    https://supportcenter.checkpoint.com...tionid=sk74520

    Or something dynamic:

    https://cpdbl.net/
