This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
b0neyard
Explorer
‎2023-09-21 07:59 AM
Jump to solution

Why make blocking Tor nodes so complicated?

Got the request to block Tor nodes on a R81.10 environment.

First thought was the Updatable Objects, which felt to me like a logical place. Unfortunately Tor is not there.

Found SK 103154 - https://support.checkpoint.com/results/sk/sk103154 which suggests using the Generic Data Center object, it also gives a Check Point maintained online list https://secureupdates.checkpoint.com/IP-list/TOR.txt so this felt like the solution.

But that Check Point list is a plain text list and Generic Data Center object requires JSON format.

Apparently I wasn't the first with this problem as I found this script which glues everything together: https://github.com/HGrigorov/checkpoint/blob/main/tor2json

Which is a solution but at two points I feel Check Point is missing a chance to make this so much more user friendly.

1 - Why is that Tor list not in the Updatable Objects? Seen that asked before in 2020 also.

2 - Why is that Tor list not available as a JSON file for a Generic Data Center object (specially as it is mentioned in that SK as a solution for this sitation)?

0 Kudos
2 Solutions

Accepted Solutions
CaseyB
Advisor
‎2023-09-21 11:32 AM
Jump to solution

I block TOR nodes using the external IOC feeds in R81.10.

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-09 10:43 AM
In response to b0neyard
Jump to solution

The only way to use this file currently is with the Custom Intelligence Feeds options (ioc_feeds).
It cannot be used in either Generic Datacenter Objects or Network Feeds without some modification.
The sk has been updated accordingly.
We are also looking at adding it as an Updatable Object.

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2023-09-21 09:23 AM
Jump to solution

Upgrade to R81.20 and use Network Feeds, which should be able to read/use this file as-is.

the_rock
MVP Platinum
MVP Platinum
‎2023-09-21 09:36 AM
Jump to solution

Agree with @PhoneBoy ,R81.20 is your answer.

Andy

Best,
Andy
CaseyB
Advisor
‎2023-09-21 11:32 AM
Jump to solution

I block TOR nodes using the external IOC feeds in R81.10.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-09-21 11:34 AM
In response to CaseyB
Jump to solution

Same here.

Andy

Best,
Andy
0 Kudos
b0neyard
Explorer
‎2023-09-24 11:43 AM
In response to the_rock
Jump to solution

Thanks for the quick replies all.

I dont fully agree that upgrading is easy, the external IOC feed seems interesting although in another module. might be good to add to the SK which lists all the options.

And of course Check Point could just add it to updatable objects 😉

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-09-24 11:55 AM
In response to b0neyard
Jump to solution

I have json file you can use to create generic data object, which can be then used in policy to block known bad IPs and it gets updated every 300 seconds (5 mins)

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-09 10:43 AM
In response to b0neyard
Jump to solution

The only way to use this file currently is with the Custom Intelligence Feeds options (ioc_feeds).
It cannot be used in either Generic Datacenter Objects or Network Feeds without some modification.
The sk has been updated accordingly.
We are also looking at adding it as an Updatable Object.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events