This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Gold
MVP Gold
‎2024-04-12 01:08 PM

IOC feeds

Hey boys and girls,

Happy Friday and weekend 🙂

Just figured would share some IOC feeds I put together in my lab, I counted and there is about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.

If anyone has any others to share, please do so. FYI, you do need either AV or AB blades enabled to use IOC feeds and for best results, I recommend R81.20 version, as it also lets you test the feeds from smart console.

I truly believe everyone should do this method, as lets be honest, with ever evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol

Best,

Andy

 

[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed

 

Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#

49 Replies
the_rock
MVP Gold
MVP Gold
‎2024-09-10 03:10 PM
In response to mrflow1

In R81.20, I had not noticed any issues at all.

Andy

0 Kudos
CaseyB
Advisor
‎2024-09-11 01:14 PM
In response to mrflow1

I haven't noticed any performance impact on with our production cluster.

majkel
Contributor
‎2024-10-25 12:38 AM
In response to delToro1

This one doesnt work with IOC_Feed object. I can see that the list is fetched but not applied and generates a error in HCP saying it cant be reach but thats not true since the list is fetched and stored in ioc path on the gws.

best rgs, mike
Dan_Moesch
Contributor
‎2024-12-10 11:25 AM
In response to majkel

Yes, it does not work with IOC Feed, I had to create a network feed object and create just as @delToro1  listed.   My question now is becoming should I be using this approach (network feed in policy) versus IOC Feed in the Threat Prevention policy.  Has anyone tested either approach to see what the pros and cons are?  

0 Kudos
majkel
Contributor
‎2024-12-10 11:13 PM
In response to Dan_Moesch

IOC feed is only for incoming traffic.
If you use network feed you can add to both incoming and outgoing. In my opinion more usefull.

I have had network object feed running for a while and its generating a lot hits. Qwerks about the lists is that you need to monitor them in order to verify if they are active or not. Atleast the lists i have configured.

HCP will tell if there is an issue with both network and IOC feed.

best rgs, mike
Dan_Moesch
Contributor
‎2024-12-11 07:34 AM
In response to majkel

That makes sense, any tips on how you are monitoring is greatly appreciated!

0 Kudos
majkel
Contributor
‎2024-12-12 12:31 AM
In response to Dan_Moesch

The only thing for now is to check HCP in smartconsole for the relevant GWs.
I saw that with r81.20 JHF 89 added alerts for Identity Sharing. Maybe this will be a future feature for services like this.

best rgs, mike
Tal_Paz-Fridman
Employee
Employee
‎2024-12-12 01:01 AM
In response to majkel

BTW you can run individual HCP tests directly on the machine

hcp -l to list all available test

hcp -r <test name>

So for IoC it would be:

hcp -r "IoC Feeds Database"

 

New HCP takes are available here:

https://support.checkpoint.com/results/sk/sk171436 

majkel
Contributor
‎2024-12-12 01:15 AM
In response to Tal_Paz-Fridman

Thats cool. Thanks.

Do we need to manually install new HCP takes ? 

best rgs, mike
0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2024-12-12 03:15 AM
In response to majkel

Yes, it is updated automatically (like other updateable packages).

Obviously if the machine does not have connectivity to the Internet you will have to install it manually.

0 Kudos
Dan_Moesch
Contributor
‎2024-12-20 07:38 AM
In response to Tal_Paz-Fridman

Does hcp -r "IoC Feeds Database" also check the Network Feeds?   

This is my output, it doesn't seem to indicate anything for Network Feeds....

 

hcp -r "IoC Feeds Database"
Test name Status
============================================================
IoC Feeds Database................................[PASSED]

To view full report on this machine, run "hcp --show-last"

Test name Status Runtime (sec)
==========================================================================
IoC Feeds Database................................[PASSED] 0.00024


+------------------------------------------------------------------------------------------------------------------------------------+
| Results |
+====================================================================================================================================+
| Anti-Virus/Threat Prevention/IoC Feeds Database |
+------------------------------------------------------------------------------------------------------------------------------------+
| Result: SUCCESS |
| |
| Description: This test checks if the Security Gateway parsed all configured IoC feeds |
| |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-20 08:08 AM
In response to Dan_Moesch

Interesting...mine shows below, though I tried both formats, but when I test feeds, all is gree.

Andy

|
| Feed: Cisa |
| Error: Failed to parse the feed: Cisa |
| Make sure the feed format is correct. See sk132193. |
| Feed update status - error. |
| Feed: Talos-feed |
| Error: The feed resource https://www.talosintelligence.com/ is not available. Make sure the Security Gateway can connect to it. |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------+

[Expert@CP-GW:0]#

0 Kudos
Dan_Moesch
Contributor
‎2024-12-20 08:11 AM
In response to the_rock

Yes, I get errors if there are issues with IOC Feeds....however I don't see anything for network feeds (good or bad!)

 

 

the_rock
MVP Gold
MVP Gold
‎2024-12-20 08:24 AM
In response to Dan_Moesch

See, for 2 IOCs I configured, no errors when I test them, its green, just error when running the command.

Andy

0 Kudos
Dan_Moesch
Contributor
‎2024-12-20 08:29 AM
In response to the_rock

Yep, I noticed the same thing, which is why I am pivoting away from IOC and going the network feed route. 

#1 its easy to track when an IP is blocked from a feed (can easily create alert rules for this)

#2 you can use a network feed with an egress rule and alert on it (home grown anti bot?)

Just seems to be much more visibility into what is going on with Network Feeds  vs IOC feeds, and then the countless errors I found when adding IOC feeds (yet they were green when I added them!)

the_rock
MVP Gold
MVP Gold
‎2024-12-20 08:32 AM
In response to Dan_Moesch

Im with you there, agree 100%.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-11 07:36 AM
In response to majkel

I agree 100%.

Andy

0 Kudos
Teddy_Brewski
Advisor
‎2024-12-16 01:07 AM

Thank you @the_rock

According to sk103154 VSX gateways are not supported. Anyone tried it with VSX?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-16 04:35 AM
In response to Teddy_Brewski

I believe someone confirmed it in a different post as well, thats true.

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-16 04:36 AM
In response to Teddy_Brewski

Though, you can use network feeds with VSX, since thats strictly in rulebase.

Andy

Check out post I made below about it, see if it helps.

https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events