Thank you, PhoneBoy.
1. In sk132193 there is the following CLI example for Spamhaus and CIDR format:
Original CSV structure is a list of IP addresses in CIDR format and comment lines are marked as ';'
ioc_feeds add --feed_name ip_cidr_list_with_delimiter --transport https --resource "https://www.spamhaus.org/drop/edrop.txt" --format [value:1,type:ip] --delimiter ";" --comment ";"
When I test it in the gateway CLI (I added only the "--test true" option to the original example), I get the following error:
[Expert@gw1:0]# export EXT_IOC_NO_SSL_VALIDATION=1
[Expert@gw1:0]# ioc_feeds add --feed_name ip_cidr_list_with_delimiter --transport https --resource "https://www.spamhaus.org/drop/edrop.txt" --format [value:1,type:ip] --delimiter ";" --comment ";" --test true
Modifying feed ip_cidr_list_with_delimiter
start add
Feed ip_cidr_list_with_delimiter will add on
Feed Name: ip_cidr_list_with_delimiter
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/drop/edrop.txt
Action: Prevent
Feed is cli managed
Feed type: custom_csv
Fetching active feeds
Something went wrong
Something went wrong
Signatures load failed
I get the same error when I try to test it with http transport, and even with a local file downloaded by curl_cli it still doesn't work.
2. The last point in the Known Limitations section of sk132193 says: "Before 81.20, there is limit of number of observables , See sk171988."
Maybe I have exceeded the limit, but where can I find sk171988? I wonder if there is any mechanism to check and eliminate duplicated IOCs (IPs, for example) from a few external (and maybe overlapping) feeds?
3. I have also noticed differences in notation in sk132193:
--format [value:#1 or value:1
and
--comment [#] or --comment "#"
It seems both forms are equal?
sk132193 was last modified on 2023-02-07 and seems ... not so actual?
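
On the question in point 2 about duplicated and overlapping entries across feeds, here is an added example (not part of the original post and not Check Point tooling) of an offline pre-check that can be run on downloaded feed files before they are added. It assumes the layout the post describes (CIDR in column 1, ';' as both delimiter and comment marker); the function names and the sample feed contents are constructed for illustration.

```python
import ipaddress

# Constructed sample feeds in the layout the post describes ("CIDR ; comment",
# comment lines start with ';'). The values are documentation ranges, not real data.
FEED_A = """; constructed sample feed A
192.0.2.0/24 ; EXAMPLE-1
198.51.100.0/25 ; EXAMPLE-2
203.0.113.7 ; single host without prefix
not-an-ip ; malformed line
"""
FEED_B = """; constructed sample feed B
192.0.2.128/25 ; EXAMPLE-3
198.51.100.0/25 ; EXAMPLE-2
198.51.100.128/25 ; EXAMPLE-4
"""

def parse_feed(text, delimiter=";", comment=";", value_col=1):
    """Parse one feed; return (networks, rejected) where rejected holds (lineno, line)."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Comment test comes first because delimiter and comment are the same character.
        if not line or line.startswith(comment):
            continue
        fields = line.split(delimiter)
        try:
            # value_col is 1-based, mirroring value:1 in the --format option.
            nets.append(ipaddress.ip_network(fields[value_col - 1].strip(), strict=False))
        except (ValueError, IndexError):
            rejected.append((lineno, raw))
    return nets, rejected

def merge_feeds(*feeds):
    """Combine feeds, drop exact duplicates and collapse overlapping/adjacent ranges."""
    nets, rejected = [], []
    for text in feeds:
        parsed, bad = parse_feed(text)
        nets += parsed
        rejected += bad
    merged = []
    for version in (4, 6):  # collapse_addresses refuses mixed IPv4/IPv6 input
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return {"raw": len(nets), "unique": len(set(nets)), "merged": merged, "rejected": rejected}

if __name__ == "__main__":
    result = merge_feeds(FEED_A, FEED_B)
    print(result["raw"], "entries,", result["unique"], "unique,", len(result["merged"]), "after merging")
    for lineno, line in result["rejected"]:
        print("rejected line", lineno, ":", line)
```

Comparing the raw, unique and merged counts shows how much of the observable total comes from overlap between feeds, and the rejected list points at lines that do not parse as an IP or CIDR value.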