Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kumar_Sambhav
Participant

Blocking IP using custom IOC feeds

Hello All,

I am trying to automatically Block IPs from IOC feeds coming from ServiceNow-Secops. I can see, check point is able to fetch IOCs from Secops however, it is not blocking those IPs.

I am using R80.30 (gateway and management are behind proxy and it is standalone). I check sk103154 and it asks me to install script "ip_block_sk103154.tar" . Unfortunately, with my access i am unable to download this script.

 

Please let me know, if there is any work-around for this issue.

23 Replies
PhoneBoy
Admin
Admin

What steps did you follow to achieve this?
I'll check on the script to see if we can fix the access permissions.
0 Kudos
Kumar_Sambhav
Participant

Thank you PhoneBoy for replying.

I followed : sk132193.

Below steps we did for configuration:

To add external feed: ioc_feeds add --feed_name blocklist --transport https --resource https://xxx.com --user_name admin_account

ioc_feeds show : Gives message that feed is active

file : $FWDIR/external_ioc/feed_name_folder/blocklist_https  : Shows the IP address fetched from external feed in format: #UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT

 

While checking sk103154, it says it is known issue with firewalls behind  proxy.

 

PS: Firewall is standalone and behind proxy. Fw version is :  R80.30 - Build 484

 

0 Kudos
PhoneBoy
Admin
Admin

The permission issue with the file in sk103154 should be fixed now.
ioc_feeds should support use with a proxy, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Kumar_Sambhav
Participant

Hi PhoneBoy,

 

I was able to run script as per sk103154. However, still IP is not getting blocked.

I am trying to block a Private IP (as it is Lab environment). I am still able to ping, ssh firewall from that pvt. IP. Any insight?

PS: There is no error logs in :

$FWDIR/log/ioc_feeder.elg
$FWDIR/log/ext_ioc_push.elg

Thanks in advance.

 

Kumar_Sambhav
Participant

Small Update:

I tried Blocking it from Smart Console also, by uploading the .csv file as Indicators and still IP is not getting blocked.

Is there any limitation like Private IP cannot be blocked (though it is coming from External interface)? I have created a rule on firewall to allow SSH, Ping and 443 from the Same IP (which i am looking to block through Anti-Bot blade)

0 Kudos
PhoneBoy
Admin
Admin

The mechanism that ioc_feeds uses is Anti-Bot and Anti-Virus.
This works for blocking outbound traffic to the specified IPs from internal networks.
It won't block traffic coming FROM those IPs, however.
For that, you can use the scripts in sk103154.
0 Kudos
Ryan_Ryan
Advisor

Hi Phoneboy,

 

thanks for that info, because I had no idea IOC only worked for outbound traffic. Now I just tested it I realise you are right. 

 

As we have IOC setup with both a IP and domain list, is there a way to use sk103154 with domains aswell? I would prefer not to have two separate systems for IP and domain, I want to block incoming and outgoing traffic to my IP list, and all outgoing traffic to my domain list. (R80.20)

 

thanks

 

 

 

0 Kudos
PhoneBoy
Admin
Admin

No, the scripts in sk103154 only work at the IP level.
With domains, we can really only block if we see the initial DNS query from the client and rewrite it with a non-malicious IP.
That is a function Antibot/Antivirus can provide.
0 Kudos
Ryan_Ryan
Advisor

okay thank you.

 

The domain blocking function of IOC waas working well for us but now its stopped blocking the domains and IPs with this error in $FWDIR/log/ioc_feeder.elg:

Feed status ip_list :: engine memory allocation error
Feed status domain_list :: engine memory allocation error

 

Interesting I see the same error on two different clusters that use the same list, I cleared the list out to a single entry in each txt file and still same issue, however if I run "ioc_feeds push" it works successfully and that single entry starts blocking.

 

Also they should really make that clear on sk132193 thats its only outgoing traffic! 

0 Kudos
PhoneBoy
Admin
Admin

Recommend opening a TAC case on the memory errors you're seeing.
0 Kudos
Tim_McColgan
Contributor

Ryan, I'm working on IOCs nowadays as well and I am experiencing the engine memory allocation error that you had in the past. Wondering if you discovered a fix for it? 

I am opening a TAC case tomorrow to tackle this. 

0 Kudos
Ryan_Ryan
Advisor

Hi, I think this should fix the memory allocation error:

 

fw ctl set int g_ci_av_sft_classification_buffer_size 16000

 

 

Tim_McColgan
Contributor

Thanks Ryan, I checked and we are already at 16000 as this looks to be the default for R80.30. Opening a TAC now. 

0 Kudos
Borut
Collaborator
Collaborator

Is the feed source using self-signed certificate? We're having the same exact issue. The feed is retrieved without problems when added, but fails on the next scheduled IOC pull with memory allocation error.

We've had a SR opened until november, did some debugs and now waiting for CP to investigate the issue. I'll update this thread if we come to the solution.
0 Kudos
Borut
Collaborator
Collaborator

As promised. Support figured out what the problem was.

The feed resides on an internal server with a certificate from our internal CA, which is not trusted by default. They added all the certificates in the certificate path to ca_bundle.pem. After that it started working without errors.

You can see if you have cert errors by running $FWDIR/bin/ioc_feeder -d -f and checking $FWDIR/log/ioc_feeder.elg. We had certificate errors like this [ERROR] curl_easy_perform() failed: Peer certificate cannot be authenticated with given CA certificates.

We also tried adding the certificates via https policy to Trusted CA's but found out, that the policy install does not add them to ca_bundle.pem. R&D is still investigationg that.

I can go into more detail on how to add the certificates if anyone needs.

I would expect that the process of adding the server public keys to the bundle would be automatic. Maybe in future versions 🙂

0 Kudos
PhoneBoy
Admin
Admin

The certificate store used for HTTPS Inspection and the ioc_feeds CLI could also be different 🤔
0 Kudos
TP_Master
Employee
Employee

It actually is a different certificate store
0 Kudos
Neville_Kuo
Advisor

Same thing happened in my lab:

[17736 4126325536]@cpfw[12 Apr 12:09:48] #############################################
[17736 4126325536]@cpfw[12 Apr 12:09:48] Feed status blacklist-ssl :: engine memory allocation error
[17736 4126325536]@cpfw[12 Apr 12:09:48] #############################################
[17736 4126325536]@cpfw[12 Apr 12:09:48] Feed log External IOC - External Indicators processing failed
blacklist-ssl: Failed to fetch feed. Resource: https://x.x.x.x/black_list/ip.txt, Reason: Peer certificate cannot be authenticated with given CA certificates

 

But http works well.

0 Kudos
Neville_Kuo
Advisor

Dear all,

For those are using Custom Intelligence Feeds function with self-signed https server, you should use the following command:

export EXT_IOC_NO_SSL_VALIDATION=1

Then start your https ioc feeds, I just fixed this problem, according to sk132193:

Feed's resource can be:

  • URL - HTTP/HTTPS (--transport http --resource "http://10.0.0.1/my_feeds/stix_feed.xml")
    *Self-signed certificate HTTPS resource will propmt for user agreement to update the bundle. It is possible to skip the certificate verification by running "export EXT_IOC_NO_SSL_VALIDATION=1" on the gateway.
0 Kudos
hcampuzano
Participant

Hello Borut, I know it's being a while since this  post, but I'd really appreciate if you could share with me the process for adding the certificates. Thanks!

0 Kudos
Blason_R
Leader
Leader

Its pretty simple if you could do a bit of scripting with fw samp or fwaccel dos command

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Adiel_Ashrov
Employee Alumnus
Employee Alumnus

Hey,

Are you sure it will not block incoming traffic from these IP's?
The SK doesn't mention something on the direction of the traffic.

Regards,

Adiel

0 Kudos
Neville_Kuo
Advisor

I'm afraid so, you may refer to sk103154 about how to block incoming traffic from malicious ip addresses.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events