[Dshield] Failed to get URL data (code=0x8) on Checkpoint SPLAT

Manny Fernandez fernandez.mg at gmail.com
Sun Feb 12 20:05:21 GMT 2006


Johannes,

Thank you for your prompt response.  Can you point me in the direction of
getting the updated cert?  As for the uploading of the log files, I am
currently setting this up on 5 gateways, so I will update the list as soon
as I try.

Thanks in advance.


MF


On 2/11/06, Johannes B. Ullrich <jullrich at sans.org> wrote:
>
> I don't have Checkpoint, so I can't check it first hand. But the
> certificate was changed recently. If I remember right, it was the same
> vendor. But from what I know of Checkpoint they use a limited set of
> root certificates for their SSL functions, so it's possible that they
> only included the very specific old certificate we used.
>
> SSL certificates expire every 1-2 years, so we do have to install new
> certificates from time to time.
>
> While I am on the topic of Checkpoint:
>
> We never got the part all figured out that would allow you to send logs
> to DShield with Checkpoint directly. Checkpoint wrote a module for it,
> but its configuration wasn't all that great (text file, which you have
> to remember to update whenever you change your rules). So this part is
> not working.
>
>
>
>
> Manny Fernandez wrote:
>
> >Good day,
> >
> >First time posting.
> >
> >I am trying to enable the STORMD service on Checkpoint to pull the
> >blocklist.txt from the dshield https site.  The service is running but it is
> >failing to download the list.  I ran a sniffer trace and I am getting a
> >'Bad Certificate' error.  I opened a call with Checkpoint and they have been
> >unhelpful.  I have done some searching and found the newsgroup article listed
> >below.
> >
> >Does anyone know if this is correct and if so how can I get the updated CA
> >cert?
> >
> >Thanks
> >
> >MF
> >
> >
> >*********** Snip ******************************
> >
> >DShield.org has recently changed their web site SSL certificate with a
> >different CA vendor, which has invalidated the root CA certificate that is
> >originally included. The solution at present is to replace the root CA
> >certificate on the firewall module and update the reference in the objects
> >database:
> >
> >1. Make a backup of the %FWDIR%\conf\equifax.cer from the firewall module.
> >Remove the file %FWDIR%\conf\equifax.cer from the firewall module.
> >
> >2. Copy the attached 'GTE_Root_CA.cer' to %FWDIR%\conf on the firewall
> >module.
> >
> >3. Stop the SmartCenter Server with 'cpstop'.
> >
> >4. Back up and modify the %FWDIR%\conf\asm.C file and modify the following
> >line:
> >
> >storm_center_list:DShield:certificate_filename - change 'equifax.cer' to
> >'GTE_Root_CA.cer'.
> >
> >5. Run 'cpstart' on the SmartCenter server.
> >
> >6. Install the Security Policy to the gateway.
> >
> >7. Run 'fwstop -proc' on the firewall module and then 'fwstart'.
> >_________________________________________
> >Learn about Intrusion Detection in Depth from the comfort of your own couch:
> >https://www.sans.org/athome/details.php?id=1341&d=1
> >
> >_______________________________________________
> >send all posts to list at lists.dshield.org
> >To change your subscription options (or unsubscribe), see:
> >http://www.dshield.org/mailman/listinfo/list
> >
> >
> >
>
>
> --
> ---------
> Johannes Ullrich                        jullrich at sans.org
> Chief Research Officer                     (617) 639 5000
> http://isc.sans.org
> PGP Key: https://secure.dshield.org/PGPKEYS
>
> "We use [isc.sans.org] every day to keep on top of
> security at our bank" Matt, Network Administrator.
>

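The failure discussed in this thread, a client that trusts one root CA file while the site's certificate now chains to a different root, can be reproduced offline with openssl. This is an added example, not part of any message in the thread and not Check Point's code; the names old_root and new_root, the host name, and every key and certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed locally; the names
# old_root / new_root and the host name are placeholders, not real CA files.
WORK=$(mktemp -d)

# make_root NAME: self-signed root CA written to $WORK/NAME.cer (PEM).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# issue_server CA_NAME HOST: server certificate for HOST signed by that root.
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/server.csr" -days 30 \
        -CA "$WORK/$1.cer" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.cer" 2>/dev/null
}

# root_validates ROOT_FILE CERT_FILE: succeeds when CERT_FILE chains to the
# root in ROOT_FILE, the question a client holding a single root file asks.
root_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report ROOT_FILE CERT_FILE: print the outcome for that trust file.
report() {
    if root_validates "$1" "$2"; then
        echo "$(basename "$1"): chain verifies"
    else
        echo "$(basename "$1"): verification fails (client rejects the certificate)"
    fi
}

make_root old_root      # stand-in for the root the client was shipped with
make_root new_root      # stand-in for the root the site moved to
issue_server new_root blocklist.example.test

report "$WORK/old_root.cer" "$WORK/server.cer"
report "$WORK/new_root.cer" "$WORK/server.cer"
```

Against a live site the same question is answered by `openssl s_client -connect HOST:443 -CAfile FILE` and its "Verify return code" line. FILE must be PEM, so a DER-encoded .cer needs converting first.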
