Custom IOC Feed Validations - CSV (R81.10 versus R81.20)
Does anyone know if there is any difference between validating the IOC feed entries between R81.10 and R81.20?
On our R81.10 locations, we would cat the following files and it would output all of the observables.
Name of example feed "Test_Block_IP"
- cat /opt/CPsuite-R81.10/fw1/external_ioc/Test_Block_IP/Test_Block_IP_https_custom.csv
In R81.20, the same csv file is present but blank. (Only change being the "CPsuite-R81.20" directory).
- cat /opt/CPsuite-R81.20/fw1/external_ioc/Test_Block_IP/Test_Block_IP_https_custom.csv
In both cases, the Smartconsole logs show success with "External IOC - Fetch succeeded" messages.
What is the user experience for R81.20 users? Are yours blank, or is there just another location to see these now?
Thanks in advance:)
Anything in here?
$FWDIR/log/ioc_feeder.elg search for failed or ERROR
Did you try to remove the feed and create it again? You added it via SmartConsole or CLI?
If you like this post, please give a thumbs up (kudo)! 🙂
- Feed was added via SmartConsole, and they have been the same feeds since the install of the firewalls (i.e. the ones we have on R81.20 were all net-new installs; a combo of CloudGuard and cluster HW sites).
- For my feed, it's fetched from an internal web server from a txt file that is shared by various sources. Therefore our parameters for the Feed Parsing are:
- Format: Custom CSV
- Data Type: IP Address
- Data Column: 1
- Delimiter: Space
- Ignore lines with prefix: Hash (#)
- Type Column: 0
- Nothing under additional columns; All zeros
Also note we have a domain based one with these settings:
- Format: Custom CSV
- Data Type: Domain
- Data Column: 1
- Delimiter: Space
- Ignore lines with prefix: Hash (#)
- Type Column: 0
- Nothing under additional columns; All zeros
So in this case @the_rock , I think your example and mine are different due to the use of the custom CSV versus STIX.
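An offline way to check what such a feed should contain, added here as an example and not code from Check Point or from the poster: the script below applies the parsing settings quoted above (space delimiter, data column 1, lines prefixed with # ignored, type column 0 meaning unused) to a feed file and reports which lines yield a syntactically valid IP/CIDR or domain. Running it against the txt file the web server serves tells you what the gateway is expected to load, independently of whether the `_custom.csv` on the gateway is populated. Column numbers are assumed to be 1-based with 0 meaning unused, and the sample feeds are constructed for the example.

```python
"""Offline validator for a Check Point-style 'Custom CSV' IOC feed.

Added example, not Check Point code. Mirrors the Feed Parsing settings
quoted in the post. Assumptions: column numbers are 1-based, 0 = unused;
"Space" as delimiter means any run of whitespace.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Practical hostname syntax (RFC 1035 style): labels of letters, digits and
# hyphens, no leading/trailing hyphen, at least one dot, 253 chars max.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")


@dataclass
class FeedSettings:
    data_type: str            # "IP Address" or "Domain" (SmartConsole wording)
    data_column: int = 1      # 1-based column holding the observable
    delimiter: str = " "      # "Space" in the post
    ignore_prefix: str = "#"  # "Hash (#)" in the post
    type_column: int = 0      # 0 = unused, as in the post (not modelled here)


@dataclass
class FeedReport:
    valid: list = field(default_factory=list)
    invalid: list = field(default_factory=list)  # (line_no, raw_line, reason)
    skipped: int = 0                              # comments / blank lines


def _is_valid_ip(token):
    try:
        # Accept single hosts and CIDR blocks (e.g. 198.51.100.0/24).
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def _is_valid_domain(token):
    return len(token) <= 253 and _DOMAIN_RE.match(token) is not None


def validate_feed(text, settings):
    """Parse feed text with the given settings and return a FeedReport."""
    report = FeedReport()
    checker = _is_valid_ip if settings.data_type == "IP Address" else _is_valid_domain
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(settings.ignore_prefix):
            report.skipped += 1
            continue
        # A space delimiter splits on any whitespace so tabs or double
        # spaces in a hand-maintained file do not shift the data column.
        fields = line.split() if settings.delimiter == " " else line.split(settings.delimiter)
        if settings.data_column < 1 or settings.data_column > len(fields):
            report.invalid.append((line_no, raw, "data column missing"))
            continue
        token = fields[settings.data_column - 1].strip()
        if checker(token):
            report.valid.append(token)
        else:
            report.invalid.append((line_no, raw, f"not a valid {settings.data_type}"))
    return report


# Constructed sample feeds (documentation ranges only), not real IOC data.
SAMPLE_IP_FEED = """\
# Test_Block_IP - constructed sample
203.0.113.10 blocklist-source-a
198.51.100.0/24 blocklist-source-b
2001:db8::1 blocklist-source-a
300.1.1.1 typo-in-source
"""

SAMPLE_DOMAIN_FEED = """\
# constructed domain feed
bad.example.com source-a
malware.example.net source-b
-leading-hyphen.example source-c
http://notadomain.example/path source-d
"""

if __name__ == "__main__":
    for name, text, dtype in (("ip", SAMPLE_IP_FEED, "IP Address"),
                              ("domain", SAMPLE_DOMAIN_FEED, "Domain")):
        rep = validate_feed(text, FeedSettings(data_type=dtype))
        print(f"{name}: {len(rep.valid)} valid, {len(rep.invalid)} invalid, {rep.skipped} skipped")
        for line_no, raw, reason in rep.invalid:
            print(f"  line {line_no}: {reason}: {raw}")
```

To use it on a real feed, read the file the web server serves into `text` and pass the settings that match your SmartConsole feed object; a non-empty `invalid` list is the first thing to look for when a feed shows "Fetch succeeded" but you cannot confirm what was loaded.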
Totally omitted that... Homer Simpson moment... DOH lol
Anyway, I see what you mean @Scottc98
Below is what I see now.
Andy
[Expert@CP-GW:0]# ls
emerging_threats.is_slow_path emerging_threats_https_custom.csv
emerging_threats_https emerging_threats_https_custom.csv.err
emerging_threats_https.old emerging_threats_https_version
[Expert@CP-GW:0]# more emerging_threats_https_custom.csv
[Expert@CP-GW:0]# pwd
/opt/CPsuite-R81.20/fw1/external_ioc/emerging_threats
[Expert@CP-GW:0]#
Thanks @the_rock. So that looks like an issue with R81.20 then in regards to validations. You can 'cat' the CSV in R81.10 to view the entries but can't in R81.20 (for note, I have tried on GWs running Take 41, T53 and T65 with the same results).
Is this a bug here, Check Point, or is there some new process to get this data?
Not sure, maybe. Device I ran it on is R81.20 jumbo 76 (newest one, not even a week old)
Andy
[Expert@CP-GW:0]# cat /opt/CPsuite-R81.20/fw1/external_ioc/emerging_threats/emerging_threats_https_custom.csv
[Expert@CP-GW:0]#
Will test it in the lab Tuesday and let you know.
Andy
With the file, I get the same. If I use actual feed, this is what I see.
Andy
[Expert@CP-GW:0]# pwd
/opt/CPsuite-R81.20/fw1/external_ioc/emerging_threats
[Expert@CP-GW:0]# ls
emerging_threats.is_slow_path emerging_threats_https.err
emerging_threats_https emerging_threats_https_version
[Expert@CP-GW:0]#
