This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2024-04-12 01:08 PM

IOC feeds

Hey boys and girls,

Happy Friday and weekend 🙂

Just figured would share some IOC feeds I put together in my lab, I counted and there is about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.

If anyone has any others to share, please do so. FYI, you do need either AV or AB blades enabled to use IOC feeds and for best results, I recommend R81.20 version, as it also lets you test the feeds from smart console.

I truly believe everyone should do this method, as lets be honest, with ever evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol

Best,

Andy

 

[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed

 

Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#

23 Replies
the_rock
Legend
Legend
‎2024-04-12 01:12 PM

Apologies, forgot to add 2 files I also used. This gives good example of what CSV file would look like.

Preview file
1 KB
Preview file
1 KB
0 Kudos
CaseyB
Advisor
‎2024-04-12 01:36 PM

Thank you for sharing! I have been looking for more of these to add to our current roster. 

0 Kudos
the_rock
Legend
Legend
‎2024-04-12 01:50 PM
In response to CaseyB

Very welcome, happy to help. Unlike Ed Sheeran's song "Perfect", this is far from it, but its something lol

Best,

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-04-12 02:03 PM

I will keep updating as I find more

Andy

 

Feed Name: ipq
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipqualityscore.com/
Action: Prevent
User Name:
Feed is centrally managed

0 Kudos
the_rock
Legend
Legend
‎2024-04-12 02:08 PM

I know this is Fortinet, but it has 107 entries

Andy

 

Feed Name: fortiguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.fortiguard.com/services/ioc
Action: Prevent
User Name:
Feed is centrally managed

 

0 Kudos
the_rock
Legend
Legend
‎2024-04-12 02:10 PM

Microsoft, 269 entries, pretty good

Andy

 

https://www.microsoft.com/en-ca/security/business/siem-and-xdr/microsoft-defender-threat-intelligenc...

0 Kudos
the_rock
Legend
Legend
‎2024-04-12 02:19 PM

The BEST I found so far, almost 4000 entries.

Andy

https://www.cisco.com/c/en/us/products/security/ngips/index.html

0 Kudos
the_rock
Legend
Legend
‎2024-04-12 02:22 PM

Most UPDATED I have so far. But, will keep adding whatever else I find.

Andy

 

[Expert@azurefw:0]# ioc_feeds show
Feed Name: cisco
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisco.com/c/en/us/products/security/ngips/index.html
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: cortex
Feed is Active
File will be fetched via HTTPS
Resource: https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ioc
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: microsoft
Feed is Active
File will be fetched via HTTPS
Resource: https://www.microsoft.com/en-ca/security/business/siem-and-xdr/microsoft-defender-threat-intelligenc...
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: fortiguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.fortiguard.com/services/ioc
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: ipq
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipqualityscore.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed

 

Total number of feeds: 26
Active feeds: 26
[Expert@azurefw:0]#

0 Kudos
the_rock
Legend
Legend
‎2024-04-22 10:18 AM

Forgot to mention the most important one...duh : - )

Andy

secureupdates.checkpoint.com/IP-list/TOR.txt

 

Screenshot_1.png

 

0 Kudos
delToro1
Contributor
‎2024-04-23 01:03 AM

Hello mates, I usually use the following open source project:

https://github.com/stamparm/ipsum 

It sumarice malicious IP between different lists. It create lists based on the ocurrence of the IP and categorice en levels.

I have configured this IOC in my lab and it's working fine. The level 3 list has over 17K malicious IPs. From R81.20, the way of using network feeds in the access control policy, for me it is more granular.

 

 

testing network feedtesting network feedPolicy access rulebasePolicy access rulebaseblock event Network feedblock event Network feedUpdate Event Network feedUpdate Event Network feed

Best regards! 😉

 

(1)
the_rock
Legend
Legend
‎2024-04-23 04:08 AM
In response to delToro1

Wow, nice one! Let me test it in the lab later and report back.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-04-23 05:19 AM
In response to delToro1

Just installed policy, so let me give it some time to see if there any hits. Though its just a lab, but it is in Azure, so Im sure it will get some traffic : - )

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-04-23 05:25 AM
In response to delToro1

Btw, I see the same link but level 2 has almost 35K IP addresses, that is fantastic, thanks for sharing!

Andy

0 Kudos
delToro1
Contributor
‎2024-04-23 07:06 AM
In response to the_rock

No problem ;). I detect that lvl 1 has some false positives, IP addresses from onedrive or sharepoint service that are legit. For me, the lvl 3 is OK, because  the IP must appear at least in 3 lists.

 

@the_rock , of course, thanks for sharing a lot of materials and resources for IOC. 🙂

0 Kudos
the_rock
Legend
Legend
‎2024-04-23 07:15 AM
In response to delToro1

well thank you!!

Andy

0 Kudos
CaseyB
Advisor
‎2024-04-23 07:26 AM
In response to delToro1

The IPsum (lvl3) seems to be the most effective so far. We've dropped over 750 connections since I added it this morning. No one internally has tried to reach out though, so that's good.

The Emerging Threats one also has had a good amount of hits.

0 Kudos
the_rock
Legend
Legend
‎2024-04-23 11:02 AM
In response to CaseyB

Agree, same here!

0 Kudos
the_rock
Legend
Legend
‎2024-04-23 11:13 AM
In response to CaseyB

I see that when using network feeds, you dont technically need to have av or ab blades enabled, so thats definitely a plus right there and works beautifully.

Andy

0 Kudos
mrflow1
Explorer
‎2024-09-10 12:33 PM
In response to delToro1

@delToro1 @the_rock @CaseyB

What could be the impact of this level 3 feed at the resource level?

Is this feed injected like the iocs_feeds directly into the antivirus blade or do locally loaded iocs work better in terms of performance?

We have a cluster that has suffered a lot from CPU issues so I would be concerned that it will affect us even more.


 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-10 01:15 PM
In response to mrflow1

If you're using R81.20 or above, the performance of ioc_feeds will be better since it uses the same infrastructure as Network Feeds, which is designed to handle at least 2 million IoCs.

0 Kudos
the_rock
Legend
Legend
‎2024-09-10 03:10 PM
In response to mrflow1

In R81.20, I had not noticed any issues at all.

Andy

0 Kudos
CaseyB
Advisor
‎2024-09-11 01:14 PM
In response to mrflow1

I haven't noticed any performance impact on with our production cluster.

0 Kudos
majkel
Explorer
Friday
In response to delToro1

This one doesnt work with IOC_Feed object. I can see that the list is fetched but not applied and generates a error in HCP saying it cant be reach but thats not true since the list is fetched and stored in ioc path on the gws.

best rgs, mike
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events