Ruan_Kotze
Advisor

Adding Threat Prevention IOCs via SmartConsole

Hi All,

I'm busy testing adding threat indicators via SmartConsole (as opposed to via ioc_feeds add).  For purposes of testing I've created a file containing just a list of IP addresses which I'm hosting on an internal web server.

I can add the feed fine via the command line; it parses correctly, as shown below:

[Expert@cp-gw01:0]# ioc_feeds add --feed_name ip_list --transport http --resource "http://ioc.cplab.root/iocip.txt" --format [value:1,type:ip]
start add
Default value for active is: true
Default value for feed_action is: prevent
Feed ip_list will add on

Feed Name: ip_list
Feed is Active
File will be fetched via HTTP
Resource: http://ioc.cplab.root/iocip.txt
Action: Prevent

Fetching active feeds
Existing deny list entries cleared...
1040 IPv4 addresses loaded
Note: this command is deprecated (see "fwaccel dos deny").
All deny list entries deleted
Note: this command is deprecated (see "fwaccel dos deny").
Signatures loaded successfully

Update summary
##############
feed: ip_list. Status: Succeed
##############

My problem is, if I try to do this via the R81 SmartConsole (Threat Tools - Indicators), no matter what I try it responds with "406 - Not Acceptable".  I can't find any info on how to further debug this, so any guidance would be appreciated.  This is in my lab environment, so unfortunately TAC is also out of the question.

Thanks,
Ruan

 

0 Kudos
1 Reply
PhoneBoy
Admin

The format for ioc_feeds and uploading via SmartConsole is different.
More precisely, SmartConsole expects a CSV of a specific format.
This is described in the relevant documentation: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics... 

0 Kudos
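
Added example, not part of either post and not Check Point's code: one way to turn a one-IP-per-line list such as iocip.txt into a CSV for upload, validating each entry first. The seven-column layout, the `IP` type value, the `high`/`AV` defaults and the function name `ip_list_to_indicator_csv` are assumptions that are not stated in this thread; confirm them against the linked Threat Prevention Administration Guide before importing.

```python
import csv
import io
import ipaddress

# Assumed column layout for the SmartConsole indicator CSV; not stated on this page.
# Confirm it against the linked Threat Prevention Administration Guide.
COLUMNS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]

def ip_list_to_indicator_csv(text, prefix="ip_list", confidence="high",
                             severity="high", product="AV"):
    """Convert a one-IP-per-line feed into indicator CSV rows.

    Returns (csv_text, rejected); rejected holds (line_no, raw_line) for bad entries.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    out.write("#" + ",".join(COLUMNS) + "\n")  # header kept as a comment line (assumed)
    seen, rejected = set(), []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blank lines and comments
        try:
            ip = ipaddress.IPv4Address(entry)
        except ipaddress.AddressValueError:
            rejected.append((line_no, raw))  # report instead of silently dropping
            continue
        if ip in seen:
            continue  # keep one row per address so generated names stay unique
        seen.add(ip)
        writer.writerow([f"{prefix}_{len(seen)}", str(ip), "IP",
                         confidence, severity, product, "imported from iocip.txt"])
    return out.getvalue(), rejected

# Constructed sample input (documentation address ranges), not the poster's file.
SAMPLE = """192.0.2.10
198.51.100.7

192.0.2.10
203.0.113.300
example.invalid
"""

if __name__ == "__main__":
    csv_text, bad = ip_list_to_indicator_csv(SAMPLE)
    print(csv_text, end="")
    for line_no, raw in bad:
        print(f"rejected line {line_no}: {raw!r}")
```

Rejected lines are returned rather than dropped so that a malformed feed entry is visible before the file reaches SmartConsole.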