Re: IOC feeds - Page 2

the_rock · ‎2024-04-12

Hey boys and girls,

Happy Friday and weekend 🙂

Just figured would share some IOC feeds I put together in my lab, I counted and there is about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.

If anyone has any others to share, please do so. FYI, you do need either AV or AB blades enabled to use IOC feeds and for best results, I recommend R81.20 version, as it also lets you test the feeds from smart console.

I truly believe everyone should do this method, as lets be honest, with ever evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol

Best,

Andy

[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed

Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#

Best,
Andy

the_rock · ‎2024-09-10

In R81.20, I had not noticed any issues at all.

Andy

Best,
Andy

CaseyB · ‎2024-09-11

I haven't noticed any performance impact on with our production cluster.

majkel · ‎2024-10-25

This one doesnt work with IOC_Feed object. I can see that the list is fetched but not applied and generates a error in HCP saying it cant be reach but thats not true since the list is fetched and stored in ioc path on the gws.

best rgs, mike

Dan_Moesch · ‎2024-12-10

Yes, it does not work with IOC Feed, I had to create a network feed object and create just as @delToro1 listed. My question now is becoming should I be using this approach (network feed in policy) versus IOC Feed in the Threat Prevention policy. Has anyone tested either approach to see what the pros and cons are?

majkel · ‎2024-12-10

IOC feed is only for incoming traffic.
If you use network feed you can add to both incoming and outgoing. In my opinion more usefull.

I have had network object feed running for a while and its generating a lot hits. Qwerks about the lists is that you need to monitor them in order to verify if they are active or not. Atleast the lists i have configured.

HCP will tell if there is an issue with both network and IOC feed.

best rgs, mike

Dan_Moesch · ‎2024-12-11

That makes sense, any tips on how you are monitoring is greatly appreciated!

majkel · ‎2024-12-12

The only thing for now is to check HCP in smartconsole for the relevant GWs.
I saw that with r81.20 JHF 89 added alerts for Identity Sharing. Maybe this will be a future feature for services like this.

best rgs, mike

Tal_Paz-Fridman · ‎2024-12-12

BTW you can run individual HCP tests directly on the machine

hcp -l to list all available test

hcp -r <test name>

So for IoC it would be:

hcp -r "IoC Feeds Database"

New HCP takes are available here:

https://support.checkpoint.com/results/sk/sk171436

majkel · ‎2024-12-12

Thats cool. Thanks.

Do we need to manually install new HCP takes ?

best rgs, mike

Tal_Paz-Fridman · ‎2024-12-12

Yes, it is updated automatically (like other updateable packages).

Obviously if the machine does not have connectivity to the Internet you will have to install it manually.

Dan_Moesch · ‎2024-12-20

Does hcp -r "IoC Feeds Database" also check the Network Feeds?

This is my output, it doesn't seem to indicate anything for Network Feeds....

hcp -r "IoC Feeds Database"
Test name Status
============================================================
IoC Feeds Database................................[PASSED]

To view full report on this machine, run "hcp --show-last"

Test name Status Runtime (sec)
==========================================================================
IoC Feeds Database................................[PASSED] 0.00024

+------------------------------------------------------------------------------------------------------------------------------------+
| Results |
+====================================================================================================================================+
| Anti-Virus/Threat Prevention/IoC Feeds Database |
+------------------------------------------------------------------------------------------------------------------------------------+
| Result: SUCCESS |
| |
| Description: This test checks if the Security Gateway parsed all configured IoC feeds |
| |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------

the_rock · ‎2024-12-20

Interesting...mine shows below, though I tried both formats, but when I test feeds, all is gree.

Andy

|
| Feed: Cisa |
| Error: Failed to parse the feed: Cisa |
| Make sure the feed format is correct. See sk132193. |
| Feed update status - error. |
| Feed: Talos-feed |
| Error: The feed resource https://www.talosintelligence.com/ is not available. Make sure the Security Gateway can connect to it. |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------+

[Expert@CP-GW:0]#

Best,
Andy

Dan_Moesch · ‎2024-12-20

Yes, I get errors if there are issues with IOC Feeds....however I don't see anything for network feeds (good or bad!)

the_rock · ‎2024-12-20

See, for 2 IOCs I configured, no errors when I test them, its green, just error when running the command.

Andy

Best,
Andy

Dan_Moesch · ‎2024-12-20

Yep, I noticed the same thing, which is why I am pivoting away from IOC and going the network feed route.

#1 its easy to track when an IP is blocked from a feed (can easily create alert rules for this)

#2 you can use a network feed with an egress rule and alert on it (home grown anti bot?)

Just seems to be much more visibility into what is going on with Network Feeds vs IOC feeds, and then the countless errors I found when adding IOC feeds (yet they were green when I added them!)

the_rock · ‎2024-12-20

Im with you there, agree 100%.

Best,
Andy

the_rock · ‎2024-12-11

I agree 100%.

Andy

Best,
Andy

Teddy_Brewski · ‎2024-12-16

Thank you @the_rock

According to sk103154 VSX gateways are not supported. Anyone tried it with VSX?

the_rock · ‎2024-12-16

I believe someone confirmed it in a different post as well, thats true.

Andy

Best,
Andy

the_rock · ‎2024-12-16

Though, you can use network feeds with VSX, since thats strictly in rulebase.

Andy

Check out post I made below about it, see if it helps.

https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317

Best,
Andy

Are you a member of CheckMates?

IOC feeds