Solved: Re: IOC feeds?

Sander_Zumbrink · ‎2022-03-01

Hello,

I was looking for a possiblity to use ioc feeds in the SMB gateways.
I'm running R80.20.35 and the cli has the following command:

ioc_feeds set <feed name> --resource <feed URL> --action <prevent|detect> --state <true|false>

I tried to add a feed, but i think it needs a specific syntax.
I get an error in the security logs: "Feed format problem. Bad or Empty Feed feed"
Reported by the anti-virus blade.

I was looking for documentation for the Quantum Spark SMB gateways, but didn't find any documentation.
Has anybody got any experience and knows the syntax?
Maybe like sk132193 is describing in the first CSV syntax?
I was not able to host such file yet...

Kind Regards,

Sander Zumbrink

Nir_Naaman · ‎2022-03-01

Hello Sander,

R80.20.35 follows a slightly different syntax from sk132193. (This is expected to change to align with the standard Quantum gateways in an upcoming version.)

Therefore, when using "Show Data Set URLs" on the Infinity NDR application to retrieve the feed URL, do not rely on the "COPY FULL COMMAND" option, but use "COPY URL" and paste it into the ioc_feeds set command as a resource.

Please also note that not all sk132193 indicator types are supported - refer to the Infinity NDR Intel Guide for details. In addition, the following restrictions apply:

The only feed type supported is CSV, as defined in sk132193.
IOC_feed deletion/modification does not work when the feed is in use. It may require a few attempts or changing the pull interval.
The UserCheck message (Page Blocked) is not displayed for a while after adding IOC feeds.
URL and DOMAIN indicators on the Infinity NDR portal must be added without the protocol specifier in the value field, i.e. "checkpoint.com" rather than "http://www.checkpoint.com".

The R80.20.35 syntax is as follows:

ioc_feeds [ <action> [options] ]

Action	Description
set <feed name>	Set an external feed. Options: · resource - Set the remote URL for the feed. · transport - Specify the transport protocol [http\|https]. · action - Specify the action [detect\|prevent]. · state - Specify if the feed is active [true\|false].
delete <feed name>	Deletes the feed <feed name>.
delete_all	Delete all the feeds.
show	Show configured feeds.
sched <interval>	Set periodic pull interval in seconds. · Minimum: 30 · Maximum: 400000
enable [on\|off]	Enables/disables external IOCs.

View solution in original post

Nir_Naaman · ‎2022-03-01

Hello Sander,

R80.20.35 follows a slightly different syntax from sk132193. (This is expected to change to align with the standard Quantum gateways in an upcoming version.)

Therefore, when using "Show Data Set URLs" on the Infinity NDR application to retrieve the feed URL, do not rely on the "COPY FULL COMMAND" option, but use "COPY URL" and paste it into the ioc_feeds set command as a resource.

Please also note that not all sk132193 indicator types are supported - refer to the Infinity NDR Intel Guide for details. In addition, the following restrictions apply:

The only feed type supported is CSV, as defined in sk132193.
IOC_feed deletion/modification does not work when the feed is in use. It may require a few attempts or changing the pull interval.
The UserCheck message (Page Blocked) is not displayed for a while after adding IOC feeds.
URL and DOMAIN indicators on the Infinity NDR portal must be added without the protocol specifier in the value field, i.e. "checkpoint.com" rather than "http://www.checkpoint.com".

The R80.20.35 syntax is as follows:

ioc_feeds [ <action> [options] ]

Action	Description
set <feed name>	Set an external feed. Options: · resource - Set the remote URL for the feed. · transport - Specify the transport protocol [http\|https]. · action - Specify the action [detect\|prevent]. · state - Specify if the feed is active [true\|false].
delete <feed name>	Deletes the feed <feed name>.
delete_all	Delete all the feeds.
show	Show configured feeds.
sched <interval>	Set periodic pull interval in seconds. · Minimum: 30 · Maximum: 400000
enable [on\|off]	Enables/disables external IOCs.

Sander_Zumbrink · ‎2022-03-01

Hello Nir,

The syntax of the file was the issue...
It needs the syntax as described in sk132193.
I tried to import a simple file with only IP's, but that didn't work.

Now I'm going to write a script to generate the Check Point CSV file and host that on an internal webserver.

Thnx!

Nir_Naaman · ‎2022-03-01

Yes, as noted above, the CSV file syntax must be strictly according to the sk132193 for this to work.

If you have a file with IPs, or a feed with IPs, you can easily load that into Infinity NDR Intel, and automatically republish the indicators as a sk132193-compliant data set feed. Check out the Infinity NDR Intel Guide for the indicator type restrictions that you should apply on the data set for SMB support.

Sander_Zumbrink · ‎2022-03-02

Small question...

Do you know if there are issues in the scheduling?
I've set it to 300 seconds... but last fetch was yesterday evening (accordingly to Nginx local logs where I host the files).
The firewall and the Nginx host are on the same subnet.

When I change something in the ioc_feeds settings, it does a fetch.
But not after 300 or other time settings.

Sander_Zumbrink · ‎2022-03-02

Solution found... apparently it helps to use the command "ioc_feeds enable on" for an extra time to reenable the schedule.
Now it is updating each 5 minutes. It was enabled already (also accordingly the show command).

Are you a member of CheckMates?

IOC feeds?