This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
George_Ellis
Advisor
‎2022-09-28 11:15 AM
Jump to solution

Custom Intelligence Feeds to Generic Data Center Objects json file?

Hello,

We are not running Anti-Bot or Anti-Virus.  While looking at creating a Generic Data Center Object to create a blacklist drop rule, I saw detail on Custom Intelligence Feeds.  Has anyone found a cheat way to get Custom Intelligence Feeds into the json referenced in a GDCO?  I figure it will need to be a script running to update the fields.  

Has anyone tried a method like this?  Success?  Used a python script running either on the MDM or another server where the json file is?

TIA

0 Kudos
1 Solution

Accepted Solutions
Sorin_Gogean
Advisor
‎2022-09-29 05:53 AM
Jump to solution

hey,

 

I'm running smth similar in a python script (actually is adapted from tor2json script), that takes content from several URL's and extract the IP information and builds the GDC JSON file. Script runs on the Management box and JSON file is addressed locally. 

You just need to make sure you treat your sources an sanitize them, and MAKE SURE YOU KEEP THE UUID otherwise the GDC object are not refreshing properly 😊 .

 

Thank you,

PS: can you offer a link for "Custom Intelligence Feeds" you as an example so I can look a bit over.

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2022-09-29 05:27 AM
Jump to solution

Custom Intelligence Feeds are in CSV format and contain a lot more data than a Generic Datacenter object does.
Never heard of anyone converting but seems plausible to script up.

0 Kudos
Sorin_Gogean
Advisor
‎2022-09-29 05:53 AM
Jump to solution

hey,

 

I'm running smth similar in a python script (actually is adapted from tor2json script), that takes content from several URL's and extract the IP information and builds the GDC JSON file. Script runs on the Management box and JSON file is addressed locally. 

You just need to make sure you treat your sources an sanitize them, and MAKE SURE YOU KEEP THE UUID otherwise the GDC object are not refreshing properly 😊 .

 

Thank you,

PS: can you offer a link for "Custom Intelligence Feeds" you as an example so I can look a bit over.

George_Ellis
Advisor
‎2022-09-29 08:32 AM
In response to Sorin_Gogean
Jump to solution

Thanks.  I had the original ip_blacklist scripts and these will do nicely,  Now to figure out if I can use a GDCO in the Applications policy for URL Blacklist...  🙂

0 Kudos
Sorin_Gogean
Advisor
‎2022-09-29 08:56 AM
In response to George_Ellis
Jump to solution

Hey, 

 

Glad to be of help.

As for GDC Objects for URL BlackList, as I know you can add only IP's to GDC not URLs/FQDNs - but give it a try and let us know.

(if I understood wrongly let me know)

 

Ty,

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-03 10:56 AM
In response to Sorin_Gogean
Jump to solution

RIght, the Network Feed option in R81.20 will support URLs.
Generic Data Center Objects do not support URLs.

George_Ellis
Advisor
‎2022-10-24 06:35 AM
In response to Sorin_Gogean
Jump to solution

With the previous version, it was simple to modify the Check Point provided scripts.  Just add a source definition and an additional command.  Bash script was not an option for the code, but this was it.

#!/bin/bash

url="https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt"
url2="https://blacklist.mycompany.com/IP-list/MyCompIP-blacklist.txt"
timeout=3600
comment="IP-blacklist"

function convert {
     while read ip; do
        if [ ${ip:0:1} != "#" ]
        then
            echo "add -a d -l r -t $timeout -c $comment quota service any source range:$ip pkt-rate 0"
        fi
     done
     echo "add -t 2 quota flush true"
}

echo "$(date): Starting" >> $FWDIR/log/IP-blacklist.log

until fw samp add -t 2 quota flush true; do
     sleep 10;
done

while true;  do
     curl -s --cacert $CPDIR/conf/ca-bundle.crt --retry 10 --retry-delay 60 $url | dos2unix | convert | fw samp batch
	 curl -s --cacert $CPDIR/conf/ca-bundle.crt --retry 10 --retry-delay 60 $url2 | dos2unix | convert | fw samp batch
     sleep 1200
done

   

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events