[Dshield] Failed to get URL data (code=0x8) on Checkpoint SPLAT

Johannes B. Ullrich jullrich at sans.org
Sat Feb 11 17:09:17 GMT 2006


I don't have Checkpoint, so I can't check it first hand. But the
certificate was changed recently. If I remember right, it was the same
vendor. But from what I know of Checkpoint they use a limited set of
root certificates for their SSL functions, so it's possible that they
only included the very specific old certificate we used.

SSL certificates expire every 1-2 years, so we do have to install new
certificates from time to time.

While I am on the topic of Checkpoint:

We never got the part all figured out that would allow you to send logs
to DShield with Checkpoint directly. Checkpoint wrote a module for it,
but its configuration wasn't all that great (text file, which you have
to remember to update whenever you change your rules). So this part is
not working.




Manny Fernandez wrote:

>Good day,
>
>first time posting.
>
>I am trying to enable the STORMD service on Checkpoint to pull the
>blocklist.txt from the dshield https site.  The service is running but it is
>failing to download the list.  I ran a Sniffer trace and I am getting a
>'Bad Certificate' error.  I opened a call with Checkpoint and they have been
>unhelpful.  I have done some searching and found the newsgroup article listed
>below.
>
>Does anyone know if this is correct and if so how can I get the updated CA
>cert?
>
>Thanks
>
>MF
>
>
>*********** Snip ******************************
>
>DShield.org has recently changed their web site SSL certificate with a
>different CA vendor, which has invalidated the root CA certificate that is
>originally included. The solution at present is to replace the root CA
>certificate on the firewall module and update the reference in the objects
>database:
>
>1. Make a backup of the %FWDIR%\conf\equifax.cer from the firewall module.
>Remove the file %FWDIR%\conf\equifax.cer from the firewall module.
>
>2. Copy the attached 'GTE_Root_CA.cer' to %FWDIR%\conf on the firewall
>module.
>
>3. Stop the SmartCenter Server with 'cpstop'.
>
>4. Backup and modify the %FWDIR%\conf\asm.C file and modify the following
>line:
>
>storm_center_list:DShield:certificate_filename - change 'equifax.cer' to
>'GTE_Root_CA.cer'.
>
>5. Run 'cpstart' on the SmartCenter server.
>
>6. Install the Security Policy to the gateway.
>
>7. Run 'fwstop -proc' on the firewall module and then 'fwstart'.


-- 
---------      
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
http://isc.sans.org
PGP Key: https://secure.dshield.org/PGPKEYS 

"We use [isc.sans.org] every day to keep on top of 
 security at our bank" Matt, Network Administrator. 
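
The failure discussed in this thread, a client that trusts a single pinned root file rejecting a site certificate reissued under a different CA, can be reproduced and checked offline with `openssl`. This is an added example, not part of the original posts or of Checkpoint's tooling; the CA names, `blocklist.example` and the helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every CA, key and hostname below is constructed for the demo.

# make_root NAME: create a self-signed root CA as NAME.key / NAME.cer (PEM).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1 (constructed)" -keyout "$1.key" -out "$1.cer" 2>/dev/null
}

# issue_site ROOT: issue site.cer for CN=blocklist.example, signed by ROOT.
issue_site() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=blocklist.example" \
        -keyout site.key -out site.csr 2>/dev/null &&
    openssl x509 -req -in site.csr -CA "$1.cer" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out site.cer 2>/dev/null
}

# trusts ROOT_FILE CERT: succeed only if CERT chains to that one root file.
# Pointing SSL_CERT_DIR at a nonexistent path keeps the system trust store
# out of the decision, like a client that ships a single pinned root.
trusts() {
    SSL_CERT_DIR=/nonexistent openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fingerprint FILE: SHA-256 fingerprint, for comparing a root file received
# out of band against the value published by the CA before installing it.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

work=$(mktemp -d) && cd "$work" || exit 1
make_root old_root && make_root new_root || exit 1
issue_site new_root || exit 1        # the site moved to the new CA

for root in old_root new_root; do
    if trusts "$root.cer" site.cer; then
        echo "$root.cer: site certificate verifies"
    else
        echo "$root.cer: verification fails, the client would reject the site"
    fi
    echo "  SHA-256 $(fingerprint "$root.cer")"
done
```

The same `trusts` check applies to a real root file and a saved server certificate, provided both are PEM-encoded.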
       
