Ruan_Kotze
Advisor

Adding Threat Prevention IOC's via SmartConsole

Hi All,

I'm busy testing adding threat indicators via SmartConsole (as opposed to via ioc_feeds add).  For purposes of testing I've created a file containing just a list of IP addresses which I'm hosting on an internal web server.

I can add the feed fine via command line, it parses correctly as per below:

[Expert@cp-gw01:0]# ioc_feeds add --feed_name ip_list --transport http --resource "http://ioc.cplab.root/iocip.txt" --format [value:1,type:ip]
start add
Default value for active is: true
Default value for feed_action is: prevent
Feed ip_list will add on

Feed Name: ip_list
Feed is Active
File will be fetched via HTTP
Resource: http://ioc.cplab.root/iocip.txt
Action: Prevent

Fetching active feeds
Existing deny list entries cleared...
1040 IPv4 addresses loaded
Note: this command is deprecated (see "fwaccel dos deny").
All deny list entries deleted
Note: this command is deprecated (see "fwaccel dos deny").
Signatures loaded successfully

Update summary
##############
feed: ip_list. Status: Succeed
##############

My problem is, if I try to do this via the R81 SmartConsole (Threat Tools - Indicators), no matter what I try it responds with "406 - Not Acceptable".  I can't find any info on how to further debug this, so any guidance would be appreciated.  This is in my lab environment, so unfortunately TAC is also out of the question.

Thanks,
Ruan


0 Kudos
10 Replies
PhoneBoy
Admin

The format for ioc_feeds and uploading via SmartConsole is different.
More precisely, SmartConsole expects a CSV of a specific format.
This is described in the relevant documentation: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics... 

0 Kudos
Nir_Shamir
Employee

Hi,

I had the same issue with R81 and R81.10 Management Servers.

The issue is a cosmetic/compatibility issue between the SmartConsole and the IIS web server.

If you ignore the error, publish and install the policy, the Gateway gets the new external IOC configuration and the IOC works as it should.

0 Kudos
Mstay
Participant

Hi,

I am running R81.10 on the SMS.

(Screenshots attached: 1.png, 2.png, 3.png)

URL used for the feed (or https): http://secureupdates.checkpoint.com/IP-list/TOR.txt

Custom feed settings:

Value 1 and type IP Address

Enabled Blades: Full Threat Prevention

curl_cli -v http://secureupdates.checkpoint.com/IP-list/TOR.txt succeeds from both the SMS and the GW.

I am able to download the txt file properly from the PC running SmartConsole.

Checked all the suggestions made in:

https://community.checkpoint.com/t5/Management/How-to-block-traffic-coming-from-known-malicious-IP-a...

I am not able to see the state of the fetches by filtering the logs on the Anti-Bot and Anti-Virus blades:
blade:(Anti-Bot OR Anti-Virus)

Am I missing something?

Regards

0 Kudos
Nir_Shamir
Employee

Check "feed" in the logs. Make sure you have enabled the indicators usage in the TP profile.

You can also check on the GW whether it got the feeds under /opt/CPsuite-R81.10/fw1/external_ioc/<your feed name>

0 Kudos
Mikael
Employee

On the gateway, check "ioc_feeds show" to see the state and how the IOC-feeds are configured.

As @Nir_Shamir wrote, $FWDIR/external_ioc/ should contain a folder for each feed with the downloaded content...

Looking at the timestamp of the files in the folder and the MD5 in the _version file should tell you when the content was last loaded...


Cheers

(1)
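Added example, not part of the thread and not Check Point code: a small Python check I would run on the hosted feed file before the gateway fetches it, since most of this thread turns on whether the file was parsed and loaded. It validates one address per line (the layout the "1040 IPv4 addresses loaded" message implies for a `[value:1,type:ip]` feed), separates IPv4 from IPv6, flags malformed lines and duplicates, and prints the MD5 of the served content so it can be compared with the MD5 Mikael mentions in the `_version` file. The sample feed is constructed, and the assumption that the gateway hashes the file content exactly as served is mine.

```python
"""Sanity-check a plain-text IP feed file before pointing a gateway at it."""
import hashlib
import ipaddress

# Constructed sample feed, standing in for the hosted iocip.txt. It carries a
# comment line, a duplicate, a malformed IPv4, an IPv6 entry and a blank line
# so the validator's handling of each case is visible.
SAMPLE_FEED = """# test feed
198.51.100.7
203.0.113.25
203.0.113.25
192.0.2.300
2001:db8::1
not-an-ip

198.51.100.8
"""


def parse_ip_feed(text):
    """Classify every line of a one-address-per-line feed.

    Returns a dict with:
      ipv4       - unique IPv4 addresses in first-seen order
      ipv6       - unique IPv6 addresses in first-seen order
      rejected   - (line_no, raw_line) pairs that are not valid addresses
      duplicates - number of repeated entries that were dropped
    Blank lines and lines starting with '#' are skipped.
    """
    result = {"ipv4": [], "ipv6": [], "rejected": [], "duplicates": 0}
    seen = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            result["rejected"].append((line_no, entry))
            continue
        canonical = str(addr)
        if canonical in seen:
            result["duplicates"] += 1
            continue
        seen.add(canonical)
        result["ipv4" if addr.version == 4 else "ipv6"].append(canonical)
    return result


def feed_md5(text):
    """MD5 of the file exactly as served (assumption: that is what the gateway records)."""
    return hashlib.md5(text.encode()).hexdigest()


def report(text):
    """Human-readable summary, mirroring the counts ioc_feeds prints on load."""
    parsed = parse_ip_feed(text)
    lines = [
        f"{len(parsed['ipv4'])} IPv4 addresses, {len(parsed['ipv6'])} IPv6 addresses",
        f"{parsed['duplicates']} duplicate(s) dropped",
        f"MD5 of served content: {feed_md5(text)}",
    ]
    for line_no, entry in parsed["rejected"]:
        lines.append(f"line {line_no}: rejected {entry!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FEED))
```

Run it against the real file with `python3 check_feed.py < iocip.txt` after swapping `SAMPLE_FEED` for `sys.stdin.read()`; a rejected line count of zero and an IPv4 count matching the gateway's "addresses loaded" message is the quick confirmation that the hosted file and the loaded feed agree.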
Mstay
Participant

Team

I will give a brief summary of this issue and the results of the case with the TAC.


SmartConsole External IOC Feeds work properly if the GWs are on R81 and above. After long sessions with the TAC, labs and the Escalation Team, that was the conclusion. Maybe somebody had luck with different versions, but we could not. We had 4 different environments with the SMS on R81.10 and the GWs on R80.40.

It is clear in the documentation that the SMS must be on R81 and higher (SmartConsole feature), but not the GWs.

From the SK, this part is confusing:

Installation

The feature is integrated in version R80.30 and above.

Note: To import external Custom Intelligence Feeds using SmartConsole in versions R81 and higher, refer to: Threat Prevention R81 Administration Guide > Configuring Advanced Threat Prevention Settings > Configuring Threat Indicators > Importing External Custom Intelligence Feeds > Importing External Custom Intelligence Feeds in SmartConsole.

In some way they must include that the SmartConsole feature "works properly" with GWs on R81 and higher. It was suggested to the TAC to edit sk132193 and add some captures and log queries for verification, as is posted in CheckMates threads.

We tested the CLI way and it works perfectly in the versions they mentioned, but not the SmartConsole External IOC feeds.

We also realized that in all the environments we tested, this file could not be found when troubleshooting:

$FWDIR/log/ext_ioc_push.elg

I think with all the tests we made, there is a lot of information from the case to edit the SK and help the community.

Cheers


0 Kudos
r1der
Advisor

Thanks, that command was useful to find out what the feeds see.

Question for anyone: is the "Observables" tab supposed to be empty when using an external IOC (txt file)?
Using a CSV (manually updated) I was able to see each entry, but I am trying to automate this, so the feeds pull automatically without updating the local CSV I had made.
I added the custom settings, and it seems to be pulling feeds based on the results in $FWDIR/external_ioc/<feed_name>.

0 Kudos
leonarit
Contributor

I have the same question about the Observables tab, I've a working IOC feed config but the Observables tab is empty, @r1der were you able to get an answer about the Observables tab?

0 Kudos
Nir_Shamir
Employee

You won't see the observables on that tab when you have an automatic IOC configured.

They can only be seen on the GWs under $FWDIR/external_ioc/<feed_name_folder>

r1der
Advisor

It is not visible in SmartConsole. @Nir_Shamir posted the location for accessing it via SSH.

Optionally, you can view it with WinSCP and open the text files.

0 Kudos