CloudGuard WAF
  • Documentation Overview
  • What is CloudGuard WAF?
  • Getting started
    • Prepare key information
    • Log in to the Infinity Portal
    • Protect a Web Application / API
    • Deploy Enforcement Point
      • Gateway/Virtual Machine
        • AWS
          • Store Certificates in AWS
          • Store certificates on Gateway
        • Azure
          • Store Certificates in Azure
          • Store Certificates on Gateway
        • VMware
          • Store Certificates on Gateway
          • Configure networking in VMware Deployments
      • WAF as a Service
        • Certificates Managed by Check Point
        • Bring Your Own Certificate
      • Kubernetes Ingress
        • Kong Application Security
        • Istio Application Security
      • Docker
        • Single Docker
          • Deployment using 'docker' command
            • Store Certificates Locally on Docker
          • Deployment in Azure App Services
        • Dual Docker: NGINX/Kong/Envoy + Security Agent
      • Linux / NGINX / Kong
    • Monitor Events
  • Concepts
    • Gateways & Agents
    • Management & Automation
    • Security Practices
    • Contextual Machine Learning
  • Additional Security Engines
    • Anti-Bot
    • API Protection
      • API Discovery
      • Track API Discovery Learning
      • Enforce API Schema
    • File Security
    • Intrusion Prevention System (IPS)
    • Rate Limit
    • Snort Rules
  • SETUP INSTRUCTIONS
    • Setup Custom Rules and Exceptions
    • Setup Web User Response Pages
    • Setup Log Triggers
    • Setup Report Triggers
    • Setup Notification Triggers
    • Setup Behavior Upon Failure
    • Setup Agent Upgrade Schedule
  • HOW TO
    • Edit Web Application/API Settings
    • Edit Reverse Proxy Advanced Settings for a Web Asset
    • Protect an existing production site with CloudGuard WAF's Gateway
    • View Policy of all your Web Applications/APIs
    • Add Data Loss Prevention (DLP) rules
    • Configure Contextual Machine Learning for Best Accuracy
    • Track Agent Status
    • Track Learning and Move from Learn/Detect to Prevent
    • Rotate profile authentication token
    • Upgrade your Reverse Proxy when a Linux/NGINX agent is installed
    • Use Terraform to Manage CloudGuard WAF
    • Authorize Temporary Access for Check Point Support
    • Restrict Access to Backend Servers from CloudGuard WAF as a Service IPs Only
  • Troubleshooting
    • WAF Gateway / Virtual Machine
      • Azure
        • "Unable to find a tag containing the vault's name in the VMSS" Error
        • How To: Configure Key Vault for a Single Gateway
      • NGINX Error: Upstream Sent Too Big Header While Reading Response Header from Upstream
      • How To: Compare Between the Gateway's Certificate and the Upstream Certificate
    • Linux
      • SELinux: Checking Status and Disabling
    • WAF as a Service
      • Certificate Validation Failed: Adjusting CAA Record
      • How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS
      • How To: Extend Connection Timeout to Upstream
      • How To: Update Expired Certificates
  • references
    • Agent CLI
    • Management API
    • Event Query Language
    • Writing Snort Signatures
    • Events/Logs Schema
    • CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)
    • CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)
  • Resources
    • GitHub
    • Docker Hub
Powered by GitBook
On this page
  • Why import Snort rules to IPS?
  • How to import Snort Signatures and configure a CloudGuard WAF practice to use them
  • How to PoC the Snort Signatures feature?
  • FAQ
  • Can you help me get started with a few signatures?
  • Can I use any available Snort Signatures?
  • How can I write my own signatures?
  • What will be the performance impact if I add many Snort signatures?
  • Is there a maximum number of Snort signatures that can be added?
  • Is there an API available?
  • Would any type of existing Snort signatures be compatible?
  • What are the known limitations?

Was this helpful?

  1. Additional Security Engines

Snort Rules

PreviousRate LimitNextSetup Custom Rules and Exceptions

Last updated 2 months ago

Was this helpful?

Snort is a commonly used format for writing IPS signatures that is very poplar in the industry.

CloudGuard WAF provides the option for an administrator to provide a set of Snort signatures and have them enforced in the same way that CloudGuard WAF enforces the regular IPS signatures update from Check Point. Enforcement of IPS and Snort signatures (if configured) happens in parallel on all HTTP/S traffic.

Why import Snort rules to IPS?

  • It allows a security administrator to write their own signatures:

    • To block specific unique traffic that they see in their network and wish to prevent it.

    • As part of the testing of the product without running actual malicious attacks inside their environments.

  • A security administrator might want to deploy rules from 3rd party sources such as National/Governmental CERTs.

How to import Snort Signatures and configure a CloudGuard WAF practice to use them

Step 1: Browse to Policy->Assets and edit the Web Application / API asset

Once the asset edit window opens, select the Web Attacks tab and scroll to the Snort Signatures sub-practice.

Step 2: Make sure the Mode of the Snort Signatures sub-practice is as desired

Setting the Mode to As Top Level means inheriting the primary mode of the practice.

Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.

When making the first change to the default Web Application/API Best Practice's configuration such as uploading your unique Snort signatures file, you will be prompted to change the name of the Practice to your own custom practice name.

Step 3: Upload a Snort signature file

Press the Upload button to add a new Snort signatures file and the file selection window will appear:

  • Click the "Add File" icon to add a new file.

  • Optionally - you can click the "Download" icon to verify an existing file's content.

  • Select the file containing the SNORT signatures you wish to enforce.

  • Click OK.

Step 4: Enforce Policy

Click Enforce on the top banner of the Infinity Portal.

How to PoC the Snort Signatures feature?

Step 1: Create an example Signature file

Create a test file with a simple Snort rule. For example:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"Testing CloudGuard WAF Snort"; flow:to_server,established; http_header; content:"Testing: CloudGuard WAF Snort"; service:http; sid: 99999; rev: 1; )

Step 2: Import the signature file into your policy

Save the file and use the above instructions to enforce policy using this file

Step 3: Trigger the signature

Trigger the signature that you have just written. For example by using a curl command:

curl -H "Testing: CloudGuard WAF Snort" <your asset's URL>

Browse to Monitor -> All Events and make sure you see a log issued for this traffic

FAQ

Can you help me get started with a few signatures?

Of course, here are a couple of them:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; http_uri; bufferlen:>19; content:"/mod/lookfashon.jpg",fast_pattern,nocase; http_header; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; http_uri; content:"/jlnp.html",fast_pattern,nocase; pcre:"/\/jlnp\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; http_uri; content:"/jovf.html",fast_pattern,nocase; pcre:"/\/jovf\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; http_client_body; content:"a=select CAMPO from PAGINA where CODIGO = ",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/vbulletin/post.php?qu=",fast_pattern,nocase; http_header; content:!"User-Agent:"; content:!"Accept"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a184775757cf30f9593977ee0344cd6c54deb4b14a012a7af8e3a2cdbb85a749/analysis/; classtype:trojan-activity; sid:34868; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Prok variant outbound connection"; flow:to_server,established; http_uri; content:"/prok/"; http_header; content:"Content-Type: multipart/form-data, boundary=7DF051D",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ada4a63abae42266f9d472f1d4ebd0bd22702270f8b38ad7a824a16ce449ea2b/analysis/; classtype:trojan-activity; sid:34950; rev:1; )

Can I use any available Snort Signatures?

You can use version 3 Snort signatures from any source, however please be mindful of the list known limitations below. If you load a file containing unsupported signatures, then the unsupported signatures will be ignored (with warnings) but they will not stop the loading of those signatures that are valid.

How can I write my own signatures?

See our links and guide here:

What will be the performance impact if I add many Snort signatures?

Enforcing Snort signatures uses the same mechanisms as other CloudGuard WAF security apps, so just adding the Snort security app doesn't have any performance impact.

There is also the performance impact that each additional signature generates. This differs from one signature to the next, but as a rule-of-thumb Snort signatures typically have a performance rating equivalent to IPS "Medium" performance.

Is there a maximum number of Snort signatures that can be added?

In the this EA version, we support up to 1500 active signatures.

Is there an API available?

Will be published soon.

Would any type of existing Snort signatures be compatible?

Unfortunately, no. Snort version 3 has made some significant changes from previous versions. This means that Snort signatures from older versions may not work as intended.

What are the known limitations?

  1. Explicit context must be provided

  2. The following keywords are not fully supported:

    1. "flow" - only supports "to_server" (see above).

    2. Low level keywords ("flags", "ack", etc.) - not supported (see above).

    3. "file_data" - not supported.

    4. "flowbits" - not supported.

    5. "byte_test" - not supported.

    6. "dsize" - not supported.

    7. "isdataat" - not supported.

    8. "byte_jump" - not supported.

    9. "base64_data" - not supported.

    10. "base64_encode" - not supported.

    11. "detection_filter" - not supported.

Writing Snort Signatures