the_rock
Legend

IOC feeds

Hey boys and girls,

Happy Friday and weekend 🙂

Just figured I would share some IOC feeds I put together in my lab. I counted and there are about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.

If anyone has any others to share, please do so. FYI, you do need either the AV or AB blade enabled to use IOC feeds, and for best results I recommend the R81.20 version, as it also lets you test the feeds from SmartConsole.

I truly believe everyone should do this method, as let's be honest, with ever-evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol

Best,

Andy


[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed


Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed


Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#
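The recurring problem in this thread is feeds that show green when added but fail to parse later, usually because the configured resource is a vendor landing page rather than a raw list file. The script below is an added example (not Check Point's code, and not any feed provider's) that does the pre-deployment check a practitioner would want: it parses two common raw layouts seen in the list above (one-indicator-per-line text with `#` comments, Feodo Tracker style, and CSV with a named IP column, SSLBL style), flags a feed that yields no usable indicators instead of passing it, deduplicates across feeds so the "about 2000 known bad IPs" count is real rather than inflated by overlap, and looks up which feeds cover a given address. The sample feed contents and the `DstIP` column name are constructed for the demo and use documentation IP ranges only; the Check Point-specific fetch and feed format are not modelled here.

```python
"""Sanity-check raw IP blocklists before pointing a gateway at them.

Added example, not Check Point's or any feed provider's code. Assumes two
layouts seen in the feeds listed above: one-indicator-per-line text with '#'
comments (Feodo Tracker style) and CSV with a named IP column (SSLBL style).
All sample feed contents are constructed for this demo, not real indicators.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample in the style of ipblocklist_recommended.txt (documentation IPs only)
SAMPLE_PLAIN = """\
# Feodo-style list (constructed sample)
192.0.2.10
192.0.2.11
198.51.100.0/24
not-an-ip
192.0.2.10
"""

# Constructed sample in the style of sslipblacklist.csv; the header is a '#' comment
SAMPLE_CSV = """\
# Firstseen,DstIP,DstPort
2024-01-01 00:00:00,192.0.2.11,443
2024-01-01 00:00:00,203.0.113.5,8443
2024-01-01 00:00:00,999.1.1.1,443
"""

# Constructed sample of the failure mode in the thread: a web page, not a feed file
SAMPLE_HTML = "<html><body><h1>Intelligence portal</h1></body></html>"


def parse_plain_feed(text):
    """Return (networks, bad_lines) from a one-indicator-per-line list."""
    nets, bad = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))  # bare IP -> /32 or /128
        except ValueError:
            bad.append((lineno, raw))
    return nets, bad


def parse_csv_feed(text, ip_column):
    """Return (networks, bad_lines) from a CSV whose first non-empty line is the
    header, optionally prefixed with '#' as several public feeds do."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return set(), []
    header = lines[0].lstrip("#").strip()
    reader = csv.DictReader(io.StringIO("\n".join([header] + lines[1:])))
    nets, bad = set(), []
    for lineno, row in enumerate(reader, 2):
        value = (row.get(ip_column) or "").strip()
        try:
            nets.add(ipaddress.ip_network(value, strict=False))
        except ValueError:
            bad.append((lineno, value))
    return nets, bad


def feed_report(name, nets, bad):
    """Classify a feed the way a pre-deployment check should: zero usable
    indicators is an error (likely a landing page), partial parsing a warning."""
    if not nets:
        status = "ERROR: no indicators parsed; is the resource a feed file, not a web page?"
    elif bad:
        status = f"WARNING: {len(bad)} unparseable line(s)"
    else:
        status = "OK"
    return {"feed": name, "indicators": len(nets), "bad_lines": len(bad), "status": status}


def merge_feeds(feeds):
    """Count in how many feeds each indicator appears (keys = union of all feeds)."""
    return Counter(n for nets in feeds.values() for n in nets)


def matching_feeds(ip, feeds):
    """Name the feeds whose indicators cover `ip`, by exact address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in feeds.items() if any(addr in n for n in nets))


def run_demo():
    parsed = {
        "feodo_style": parse_plain_feed(SAMPLE_PLAIN),
        "sslbl_style": parse_csv_feed(SAMPLE_CSV, "DstIP"),
        "landing_page": parse_plain_feed(SAMPLE_HTML),
    }
    feeds = {name: nets for name, (nets, _bad) in parsed.items()}
    reports = [feed_report(name, nets, bad) for name, (nets, bad) in parsed.items()]
    return reports, merge_feeds(feeds), feeds


if __name__ == "__main__":
    reports, merged, feeds = run_demo()
    for r in reports:
        print(f"{r['feed']:<13} {r['indicators']:>3} indicators, {r['bad_lines']} bad: {r['status']}")
    print("unique indicators across all feeds:", len(merged))
    print("listed by more than one feed:", [str(n) for n, c in merged.items() if c > 1])
    print("198.51.100.77 matched by:", matching_feeds("198.51.100.77", feeds))
```

Running it reports the landing-page "feed" as an error with zero indicators, the Feodo-style list with a warning for its one junk line, and 4 unique indicators across the two real lists (192.0.2.11 is counted once even though both feeds list it). The same dedup-and-lookup logic is what makes the "which feed blocked this IP" question answerable when reviewing logs, which is the visibility gap raised later in the thread.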

40 Replies
Tal_Paz-Fridman
Employee

Yes, it is updated automatically (like other updateable packages).

Obviously if the machine does not have connectivity to the Internet you will have to install it manually.

Dan_Moesch
Contributor

Does hcp -r "IoC Feeds Database" also check the Network Feeds?

This is my output, it doesn't seem to indicate anything for Network Feeds....


hcp -r "IoC Feeds Database"
Test name Status
============================================================
IoC Feeds Database................................[PASSED]

To view full report on this machine, run "hcp --show-last"

Test name Status Runtime (sec)
==========================================================================
IoC Feeds Database................................[PASSED] 0.00024


+------------------------------------------------------------------------------------------------------------------------------------+
| Results |
+====================================================================================================================================+
| Anti-Virus/Threat Prevention/IoC Feeds Database |
+------------------------------------------------------------------------------------------------------------------------------------+
| Result: SUCCESS |
| |
| Description: This test checks if the Security Gateway parsed all configured IoC feeds |
| |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------

the_rock
Legend

Interesting... mine shows below, though I tried both formats, but when I test feeds, all is green.

Andy

|
| Feed: Cisa |
| Error: Failed to parse the feed: Cisa |
| Make sure the feed format is correct. See sk132193. |
| Feed update status - error. |
| Feed: Talos-feed |
| Error: The feed resource https://www.talosintelligence.com/ is not available. Make sure the Security Gateway can connect to it. |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------+

[Expert@CP-GW:0]#

Dan_Moesch
Contributor

Yes, I get errors if there are issues with IOC Feeds... however I don't see anything for network feeds (good or bad!)

the_rock
Legend

See, for the 2 IOCs I configured, no errors when I test them, it's green, just an error when running the command.

Andy

Dan_Moesch
Contributor

Yep, I noticed the same thing, which is why I am pivoting away from IOC and going the network feed route.

#1 It's easy to track when an IP is blocked from a feed (can easily create alert rules for this)

#2 You can use a network feed with an egress rule and alert on it (home grown anti bot?)

Just seems to be much more visibility into what is going on with Network Feeds vs IOC feeds, and then the countless errors I found when adding IOC feeds (yet they were green when I added them!)

the_rock
Legend

I'm with you there, agree 100%.

the_rock
Legend

I agree 100%.

Andy

Teddy_Brewski
Collaborator

Thank you @the_rock

According to sk103154 VSX gateways are not supported. Anyone tried it with VSX?

the_rock
Legend

I believe someone confirmed it in a different post as well, that's true.

Andy

the_rock
Legend

Though, you can use network feeds with VSX, since that's strictly in the rulebase.

Andy

Check out the post I made below about it, see if it helps.

https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317
