the_rock
Legend

IOC feeds

Hey boys and girls,

Happy Friday and weekend 🙂

Just figured I would share some IOC feeds I put together in my lab. I counted, and there are about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.

If anyone has any others to share, please do so. FYI, you do need either the AV or AB blade enabled to use IOC feeds, and for best results I recommend version R81.20, as it also lets you test the feeds from SmartConsole.

I truly believe everyone should do this method, as, let's be honest, with ever-evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol

Best,

Andy

 

[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed

 

Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#

40 Replies
the_rock
Legend

Apologies, forgot to add 2 files I also used. This gives a good example of what a CSV file would look like.

CaseyB
Advisor

Thank you for sharing! I have been looking for more of these to add to our current roster. 

the_rock
Legend

Very welcome, happy to help. Unlike Ed Sheeran's song "Perfect", this is far from it, but it's something lol

Best,

Andy

the_rock
Legend

I will keep updating as I find more

Andy

 

Feed Name: ipq
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipqualityscore.com/
Action: Prevent
User Name:
Feed is centrally managed

the_rock
Legend

I know this is Fortinet, but it has 107 entries

Andy

 

Feed Name: fortiguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.fortiguard.com/services/ioc
Action: Prevent
User Name:
Feed is centrally managed

 

the_rock
Legend

The BEST I found so far, almost 4000 entries.

Andy

https://www.cisco.com/c/en/us/products/security/ngips/index.html

the_rock
Legend

Most UPDATED I have so far. But, will keep adding whatever else I find.

Andy

 

[Expert@azurefw:0]# ioc_feeds show
Feed Name: cisco
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisco.com/c/en/us/products/security/ngips/index.html
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: cortex
Feed is Active
File will be fetched via HTTPS
Resource: https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ioc
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: microsoft
Feed is Active
File will be fetched via HTTPS
Resource: https://www.microsoft.com/en-ca/security/business/siem-and-xdr/microsoft-defender-threat-intelligenc...
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: fortiguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.fortiguard.com/services/ioc
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: ipq
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipqualityscore.com/
Action: Prevent
User Name:
Feed is centrally managed

(... the 21 feeds from the original post, talos_1 through test-feed, repeated here unchanged ...)


Total number of feeds: 26
Active feeds: 26
[Expert@azurefw:0]#

the_rock
Legend

Forgot to mention the most important one...duh : - )

Andy

secureupdates.checkpoint.com/IP-list/TOR.txt

delToro1
Contributor

Hello mates, I usually use the following open source project:

https://github.com/stamparm/ipsum 

It summarizes malicious IPs from different lists. It creates lists based on the number of occurrences of each IP and categorizes them into levels.

I have configured this IOC in my lab and it's working fine. The level 3 list has over 17K malicious IPs. From R81.20, the way of using network feeds in the access control policy is, for me, more granular.

 

 

[Screenshots: testing network feed; Policy access rulebase; block event Network feed; Update Event Network feed]

Best regards! 😉

 

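A worked version of the level filtering delToro1 describes, as an added example that is not part of the thread, of the stamparm/ipsum project, or of any Check Point tool. It parses ipsum's "<ip><TAB><count>" lines, keeps addresses seen on at least N blocklists (level 3 = three or more lists), drops an allow-list of known-good ranges (the kind of false positives reported later in the thread for level 1), and writes the result in the CSV layout Check Point's custom IOC feeds expect. The ipsum line format and the CSV column names are assumptions from memory; verify them against the project README and the Check Point SK on custom intelligence feeds before importing. The sample data and the allow-list are constructed.

```python
"""Build a Check Point IOC feed CSV from an ipsum-style aggregated list.

Added example for this thread. It is not part of the stamparm/ipsum
project and not a Check Point tool. Assumptions (not confirmed by the
thread): ipsum data lines are "<ip><TAB><number of blocklists the IP is
on>" with '#' comment lines, and the output columns follow Check Point's
custom IOC feed CSV layout
(#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT).
Check both against the current ipsum README and the Check Point SK for
custom intelligence feeds before importing the result on a gateway.
"""
import ipaddress

# Constructed sample in ipsum's format (RFC 5737 test addresses, not real hits).
# It includes a comment header, a duplicate line and a malformed line on purpose.
SAMPLE_IPSUM = """\
# IPsum Threat Intelligence Feed (constructed sample)
# IP\tnumber of (black)lists
203.0.113.10\t7
198.51.100.23\t3
192.0.2.44\t2
192.0.2.45\t1
203.0.113.10\t7
not-an-ip\t5
"""

# Constructed allow-list: ranges you never want a feed to block, e.g. the
# legitimate SaaS addresses that showed up as false positives in level 1.
ALLOWLIST = ["198.51.100.0/24"]


def parse_ipsum(text):
    """Return {ip: list_count}; comments, junk and duplicates are dropped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue                      # not "<ip> <count>"
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                      # never ship a malformed indicator
        entries[ip] = max(entries.get(ip, 0), int(parts[1]))
    return entries


def select_level(entries, level, allowlist=()):
    """IPs seen on at least `level` lists, minus anything in the allow-list.

    ipsum's levels/N.txt is the same idea: level 3 means the address is on
    three or more of the aggregated blocklists.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    chosen = []
    for ip, count in entries.items():
        if count < level:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue                      # known-good range, skip it
        chosen.append(ip)
    return sorted(chosen, key=ipaddress.ip_address)


def rating(count):
    """Map the occurrence count to the low/medium/high words the CSV expects.

    The thresholds are this example's choice, not an ipsum or Check Point rule.
    """
    if count >= 5:
        return "high"
    if count >= 3:
        return "medium"
    return "low"


def to_ioc_csv(entries, level, allowlist=(), product="AV"):
    """Render the selected IPs as a custom IOC feed CSV (header + one row per IP)."""
    rows = ["#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT"]
    for ip in select_level(entries, level, allowlist):
        count = entries[ip]
        word = rating(count)
        rows.append(f"ipsum-{ip},{ip},IP,{word},{word},{product},seen on {count} lists")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    data = parse_ipsum(SAMPLE_IPSUM)
    print(to_ioc_csv(data, level=3, allowlist=ALLOWLIST))
```

Raising the level is the cheap way to trade recall for precision; the allow-list handles the cases where a high-occurrence address is nonetheless one you depend on, which a count threshold alone cannot express.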
the_rock
Legend

Wow, nice one! Let me test it in the lab later and report back.

Andy

the_rock
Legend

Just installed policy, so let me give it some time to see if there are any hits. Though it's just a lab, it is in Azure, so I'm sure it will get some traffic : - )

Andy

the_rock
Legend

Btw, I see the same link, but level 2 has almost 35K IP addresses, that is fantastic, thanks for sharing!

Andy

delToro1
Contributor

No problem ;). I detected that lvl 1 has some false positives, IP addresses from the OneDrive or SharePoint service that are legit. For me, lvl 3 is OK, because the IP must appear in at least 3 lists.

 

@the_rock , of course, thanks for sharing a lot of materials and resources for IOC. 🙂

the_rock
Legend

well thank you!!

Andy

CaseyB
Advisor

The IPsum (lvl3) seems to be the most effective so far. We've dropped over 750 connections since I added it this morning. No one internally has tried to reach out though, so that's good.

The Emerging Threats one also has had a good amount of hits.

the_rock
Legend

Agree, same here!

the_rock
Legend

I see that when using network feeds, you don't technically need to have the AV or AB blades enabled, so that's definitely a plus right there, and it works beautifully.

Andy

mrflow1
Explorer

@delToro1 @the_rock @CaseyB

What could be the impact of this level 3 feed at the resource level?

Is this feed injected like the ioc_feeds directly into the antivirus blade, or do locally loaded IOCs work better in terms of performance?

We have a cluster that has suffered a lot from CPU issues, so I would be concerned that it will affect us even more.


 

PhoneBoy
Admin

If you're using R81.20 or above, the performance of ioc_feeds will be better since it uses the same infrastructure as Network Feeds, which is designed to handle at least 2 million IoCs.

the_rock
Legend

In R81.20, I had not noticed any issues at all.

Andy

CaseyB
Advisor

I haven't noticed any performance impact with our production cluster.

majkel
Contributor

This one doesn't work with the IOC_Feed object. I can see that the list is fetched but not applied, and it generates an error in HCP saying it can't be reached, but that's not true, since the list is fetched and stored in the IOC path on the GWs.

best rgs, mike
Dan_Moesch
Contributor

Yes, it does not work with IOC Feed; I had to create a network feed object and set it up just as @delToro1 listed. My question now is becoming: should I be using this approach (network feed in policy) versus IOC Feed in the Threat Prevention policy? Has anyone tested either approach to see what the pros and cons are?

majkel
Contributor

IOC feed is only for incoming traffic.
If you use a network feed you can apply it to both incoming and outgoing. In my opinion more useful.

I have had a network object feed running for a while and it's generating a lot of hits. A quirk about the lists is that you need to monitor them in order to verify if they are active or not. At least the lists I have configured.

HCP will tell if there is an issue with both network and IOC feeds.

best rgs, mike
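A check for the monitoring point majkel raises, as an added example that is not part of the thread and not a Check Point tool. It parses the plain-text format that ioc_feeds show printed earlier in this thread and flags feeds that are not active, feeds in Prevent mode that are fetched over plaintext HTTP (anyone on the path can add or remove addresses from a block list pulled that way), feeds whose Resource is a site root rather than an indicator list file, and feeds that only detect. The sample is a four-feed excerpt of the output posted above; the site-root test is this example's heuristic, not a gateway rule, so treat its hits as items to review rather than errors.

```python
"""Audit `ioc_feeds show` output for feed definitions worth a second look.

Added example for this thread; it is not a Check Point tool. It parses the
plain-text format the gateway printed earlier in the thread and flags the
things a practitioner would check before trusting a feed in Prevent mode.
The site-root heuristic is this example's judgement, not a gateway rule.
"""
from urllib.parse import urlparse

# Excerpt in the `ioc_feeds show` format, trimmed to four feeds from the thread.
SAMPLE_OUTPUT = """\
[Expert@azurefw:0]# ioc_feeds show
Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed


Total number of feeds: 4
Active feeds: 4
[Expert@azurefw:0]#
"""


def parse_ioc_feeds(text):
    """Turn the show output into a list of dicts, one per 'Feed Name:' block."""
    feeds = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Feed Name:"):
            current = {"name": line.split(":", 1)[1].strip(), "active": False,
                       "scheme": None, "resource": "", "action": ""}
            feeds.append(current)
        elif current is None:
            continue                       # prompt / header before the first feed
        elif line == "Feed is Active":
            current["active"] = True
        elif line.startswith("File will be fetched via "):
            current["scheme"] = line.rsplit(" ", 1)[1].upper()
        elif line.startswith("Resource:"):
            current["resource"] = line.split(":", 1)[1].strip()
        elif line.startswith("Action:"):
            current["action"] = line.split(":", 1)[1].strip()
        elif line.startswith("Total number of feeds:"):
            break                          # summary block, no more feeds
    return feeds


def audit_feeds(feeds):
    """Return (feed name, finding) pairs, in feed order; an empty list is a clean run."""
    findings = []
    for f in feeds:
        name = f["name"]
        if not f["active"]:
            findings.append((name, "feed is not active"))
        if f["scheme"] == "HTTP":
            # A Prevent feed pulled over plaintext HTTP lets anyone on the path
            # add or remove addresses from your block list.
            findings.append((name, "fetched over plaintext HTTP, list can be altered in transit"))
        path = urlparse(f["resource"]).path
        if path in ("", "/"):
            findings.append((name, "resource is a site root, not an indicator list file"))
        if f["action"] != "Prevent":
            findings.append((name, f"action is {f['action']}, feed only logs"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_feeds(parse_ioc_feeds(SAMPLE_OUTPUT)):
        print(f"{name}: {finding}")
```

To run it against a real gateway, capture the output of ioc_feeds show to a file and pass its contents to parse_ioc_feeds; the HCP test Tal mentions later in the thread tells you whether the feed database is healthy, while this script tells you whether what you configured is what you meant.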
Dan_Moesch
Contributor

That makes sense, any tips on how you are monitoring is greatly appreciated!

majkel
Contributor

The only thing for now is to check HCP in SmartConsole for the relevant GWs.
I saw that R81.20 JHF 89 added alerts for Identity Sharing. Maybe this will be a future feature for services like this.

best rgs, mike
Tal_Paz-Fridman
Employee

BTW you can run individual HCP tests directly on the machine

hcp -l to list all available tests

hcp -r <test name>

So for IoC it would be:

hcp -r "IoC Feeds Database"

 

New HCP takes are available here:

https://support.checkpoint.com/results/sk/sk171436 

majkel
Contributor

Thats cool. Thanks.

Do we need to manually install new HCP takes ? 

best rgs, mike