Snort Indicators

Snort rules can be added to Network Detection and Response (NDR) Intel as indicators in three ways: on the NDR portal with Load From File, through the NDR Intel API, or from an automated input feed. You can edit the rules on the portal or through the API. Only the IPS (Intrusion Prevention System) blade supports Snort indicators.

When you use a list of Snort rules as an input feed, or load a file manually with Load From File, the input file must contain a set of Snort rules, one per line. Comment lines that start with '#' and empty lines are ignored. The text on each line becomes the value of a separate Snort indicator. The indicator's description is set to the name of the imported file, and its name is set to the value of the msg field in the rule.

If a rule includes CVE reference attributes, for example "reference:cve,2014-6271", these references are copied into the rule's "CVE" metadata attribute. This attribute is used to correlate Snort signatures with native Check Point IPS signatures.

When an entered Snort indicator does not comply with the Check Point supported rule syntax:

  • The indicator is automatically set to the "Disabled" state, so it is not published on any associated data set.

  • The SnortConverter error message overwrites the indicator's Description field in the UI (User Interface).
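As an added illustration (this is not NDR Intel's own code, and not the real SnortConverter, whose checks are not documented here), the following Python reproduces the import behaviour described above: it reads a constructed rules file, skips comments and blank lines, takes each remaining line as an indicator value, names the indicator after the msg field, sets the description to the file name, copies reference:cve values into a CVE attribute, and disables any rule that fails a few basic structural checks, overwriting its description with the error message. The file name, the sample rules and the specific syntax checks are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, in the shape NDR Intel expects:
# one Snort rule per line, '#' comments and blank lines ignored.
SAMPLE_FILE_NAME = "shellshock_rules.txt"  # assumed file name
SAMPLE_RULES_FILE = """\
# Shellshock detection (constructed sample rules)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB Shellshock attempt"; content:"() {"; reference:cve,2014-6271; reference:cve,2014-7169; sid:1000001; rev:1;)

alert tcp any any -> any 22 (msg:"SSH scan"; flags:S; sid:1000002; rev:1;)
alert tcp any any -> any 443 (msg:"Broken rule" content:"x"; sid:1000003;
alert tcp any any -> any 25 (content:"HELO"; sid:1000004;)
"""

# msg:"..." with escaped quotes allowed inside the string
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
# reference:cve,YYYY-NNNN (value kept exactly as written in the rule)
CVE_REF_RE = re.compile(r'reference\s*:\s*cve\s*,\s*([0-9]{4}-[0-9]{4,})', re.IGNORECASE)

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}


@dataclass
class SnortIndicator:
    value: str            # the rule text, one line of the input file
    name: str             # taken from the msg field
    description: str      # file name, or the converter error for a rejected rule
    cve: List[str] = field(default_factory=list)
    enabled: bool = True


def check_rule_syntax(rule: str) -> Optional[str]:
    """Minimal structural checks (assumed; a stand-in for the real converter).
    Returns an error message, or None when the rule looks well formed."""
    open_idx = rule.find("(")
    if open_idx < 0 or not rule.rstrip().endswith(")"):
        return "rule body must be enclosed in parentheses"
    header = rule[:open_idx].split()
    # action proto src_ip src_port direction dst_ip dst_port
    if len(header) != 7 or header[0] not in ACTIONS or header[4] not in ("->", "<>"):
        return "malformed rule header"
    body = rule[open_idx + 1 : rule.rstrip().rfind(")")]
    if MSG_RE.search(body) is None:
        return "missing msg option"
    return None


def load_snort_indicators(text: str, file_name: str) -> List[SnortIndicator]:
    """Turn a rules file into NDR Intel style Snort indicators."""
    indicators: List[SnortIndicator] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and empty lines are ignored
        m = MSG_RE.search(line)
        ind = SnortIndicator(
            value=line,
            name=m.group(1) if m else "",
            description=file_name,
            cve=CVE_REF_RE.findall(line),
        )
        err = check_rule_syntax(line)
        if err is not None:
            # Incompatible rule: disabled, and the error replaces the description
            ind.enabled = False
            ind.description = f"SnortConverter error: {err}"
        indicators.append(ind)
    return indicators


if __name__ == "__main__":
    for ind in load_snort_indicators(SAMPLE_RULES_FILE, SAMPLE_FILE_NAME):
        state = "enabled" if ind.enabled else "DISABLED"
        print(f"{state:8} name={ind.name!r} cve={ind.cve} desc={ind.description!r}")
```

Only enabled indicators would be published to a data set; the two rejected rules in the sample stay in the list so that a reviewer can see the converter error in the Description column, which is the behaviour the bullets above describe.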

Snort Output Feeds

We recommend that you do not mix Snort indicators with other indicator types in a single data set. A Snort-only data set is defined as:

  • Format: File

  • Content format: Values only

  • Indicators limit: 3000

  • Indicator types: SNORT (clear all other types)

In this configuration, the data set's output feed is compatible with the Security Gateway's "ioc_feeds" tool on some limited-release Check Point versions. You can also import the feed into the IPS database on a Check Point Management Server.

In the output feed, a unique ID (identifier) is appended as a suffix to the rule's msg, so that each msg is unique and logs can be correlated to rules even when several rules share the same msg string. This unique ID is visible in the logs generated by IPS signature matches.
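The msg tagging of the output feed, as an added example rather than NDR Intel's own code: the suffix format ("[<id>]"), the indicator IDs and the sample indicators are assumptions, since the page only states that a unique ID is appended to msg. The builder also applies the Snort-only data set constraints listed above (SNORT type only, enabled indicators, 3000-indicator limit), and a small helper pulls the ID back out of a logged msg for correlation.

```python
import re
from typing import Dict, List, Optional

# Captures the msg option in three groups: prefix, the string, closing quote
MSG_RE = re.compile(r'(msg\s*:\s*")((?:[^"\\]|\\.)*)(")')
# Assumed suffix format: a trailing " [<hex id>]" inside the msg string
ID_SUFFIX_RE = re.compile(r"\s\[([0-9a-f]+)\]$")

# Constructed sample indicators; two rules deliberately share the same msg.
SAMPLE_INDICATORS: List[Dict] = [
    {"id": "a1b2c3", "type": "SNORT", "enabled": True,
     "value": 'alert tcp any any -> any 80 (msg:"Suspicious UA"; content:"curl"; sid:1000010;)'},
    {"id": "d4e5f6", "type": "SNORT", "enabled": True,
     "value": 'alert tcp any any -> any 8080 (msg:"Suspicious UA"; content:"wget"; sid:1000011;)'},
    {"id": "0a0b0c", "type": "SNORT", "enabled": False,
     "value": 'alert tcp any any -> any 443 (msg:"Disabled rule" sid:1000012;'},
    {"id": "ff00ff", "type": "IP", "enabled": True, "value": "192.0.2.10"},
]


def tag_msg_with_id(rule: str, indicator_id: str) -> str:
    """Append the indicator's unique ID to the msg option so a log entry can be
    traced to one specific rule even when msg strings collide."""
    def repl(m: "re.Match[str]") -> str:
        return f"{m.group(1)}{m.group(2)} [{indicator_id}]{m.group(3)}"

    tagged, count = MSG_RE.subn(repl, rule, count=1)
    if count != 1:
        raise ValueError("rule has no msg option")
    return tagged


def build_values_only_feed(indicators: List[Dict], limit: int = 3000) -> str:
    """Emit a 'Values only' feed: one tagged Snort rule per line.
    Only enabled SNORT indicators are published, capped at the data-set limit."""
    lines: List[str] = []
    for ind in indicators:
        if ind["type"] != "SNORT" or not ind["enabled"]:
            continue
        if len(lines) >= limit:
            break
        lines.append(tag_msg_with_id(ind["value"], ind["id"]))
    return "\n".join(lines) + "\n"


def extract_indicator_id(logged_msg: str) -> Optional[str]:
    """Recover the unique ID from the msg string as it appears in an IPS log."""
    m = ID_SUFFIX_RE.search(logged_msg)
    return m.group(1) if m else None


def correlate_log_to_rule(logged_msg: str, indicators: List[Dict]) -> Optional[Dict]:
    """Map a logged msg back to the indicator that produced it."""
    ind_id = extract_indicator_id(logged_msg)
    if ind_id is None:
        return None
    return next((i for i in indicators if i["id"] == ind_id), None)


if __name__ == "__main__":
    print(build_values_only_feed(SAMPLE_INDICATORS), end="")
    hit = correlate_log_to_rule("Suspicious UA [d4e5f6]", SAMPLE_INDICATORS)
    print("matched sid 1000011:", hit is not None and "sid:1000011" in hit["value"])
```

Without the suffix the two "Suspicious UA" rules would be indistinguishable in the IPS log; with it, the log line alone identifies which rule fired, which is the correlation the paragraph above describes.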

Confidence and Severity Metadata Attributes

Check Point Security Gateways and Management Servers that pull Snort indicator feeds from NDR Intel currently support only the "Values only" format. Metadata attributes such as confidence, severity, and performance impact are assigned on the Security Gateway to the feed as a whole, not to individual indicators.

These feed attributes, together with the IPS Threat Prevention policy, also determine the action taken on an indicator match. The 'Detect' and 'Prevent' distinction on NDR Intel is therefore only a convention that determines which feed URL (Uniform Resource Locator) the indicator is published on; the actual action must be aligned with the feed configuration on the Security Gateway. The Security Gateway ignores the NDR Intel 'Confidence' and 'Severity' values for Snort indicators.

To work around this discrepancy:

  • Hide the 'Confidence' and 'Severity' columns on NDR Intel for users who manage only Snort indicators, because these values are not carried over to the Security Gateway.

  • On each Security Gateway, configure two feeds for each applicable data set: assign the Detect feed severity 3 and confidence 2, and assign the Prevent feed severity 4 and confidence 5. Define both with performance impact 1.

    These values were selected to match widely used Threat Prevention profile settings, so that each feed triggers the corresponding action (Detect or Prevent).