CheckMates Fest 2025!
Join the Biggest Event of the Year!
Simplifying Zero Trust Security
with Infinity Identity!
Zero Trust Implementation
Help us with the Short-Term Roadmap
CheckMates Go:
Recently on CheckMates
Hey boys and girls,
Happy Friday and weekend 🙂
Just figured would share some IOC feeds I put together in my lab, I counted and there is about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.
If anyone has any others to share, please do so. FYI, you do need either AV or AB blades enabled to use IOC feeds and for best results, I recommend R81.20 version, as it also lets you test the feeds from smart console.
I truly believe everyone should do this method, as lets be honest, with ever evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol
Best,
Andy
[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed
Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#
Yes, it is updated automatically (like other updateable packages).
Obviously if the machine does not have connectivity to the Internet you will have to install it manually.
Does hcp -r "IoC Feeds Database" also check the Network Feeds?
This is my output, it doesn't seem to indicate anything for Network Feeds....
hcp -r "IoC Feeds Database"
Test name Status
============================================================
IoC Feeds Database................................[PASSED]
To view full report on this machine, run "hcp --show-last"
Test name Status Runtime (sec)
==========================================================================
IoC Feeds Database................................[PASSED] 0.00024
+------------------------------------------------------------------------------------------------------------------------------------+
| Results |
+====================================================================================================================================+
| Anti-Virus/Threat Prevention/IoC Feeds Database |
+------------------------------------------------------------------------------------------------------------------------------------+
| Result: SUCCESS |
| |
| Description: This test checks if the Security Gateway parsed all configured IoC feeds |
| |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------
Interesting...mine shows below, though I tried both formats, but when I test feeds, all is gree.
Andy
|
| Feed: Cisa |
| Error: Failed to parse the feed: Cisa |
| Make sure the feed format is correct. See sk132193. |
| Feed update status - error. |
| Feed: Talos-feed |
| Error: The feed resource https://www.talosintelligence.com/ is not available. Make sure the Security Gateway can connect to it. |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------+
[Expert@CP-GW:0]#
Yes, I get errors if there are issues with IOC Feeds....however I don't see anything for network feeds (good or bad!)
See, for 2 IOCs I configured, no errors when I test them, its green, just error when running the command.
Andy
Yep, I noticed the same thing, which is why I am pivoting away from IOC and going the network feed route.
#1 its easy to track when an IP is blocked from a feed (can easily create alert rules for this)
#2 you can use a network feed with an egress rule and alert on it (home grown anti bot?)
Just seems to be much more visibility into what is going on with Network Feeds vs IOC feeds, and then the countless errors I found when adding IOC feeds (yet they were green when I added them!)
Im with you there, agree 100%.
I agree 100%.
Andy
I believe someone confirmed it in a different post as well, thats true.
Andy
Though, you can use network feeds with VSX, since thats strictly in rulebase.
Andy
Check out post I made below about it, see if it helps.
https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317
Hey boys and girls,
Happy Friday and weekend 🙂
Just figured would share some IOC feeds I put together in my lab, I counted and there is about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.
If anyone has any others to share, please do so. FYI, you do need either AV or AB blades enabled to use IOC feeds and for best results, I recommend R81.20 version, as it also lets you test the feeds from smart console.
I truly believe everyone should do this method, as lets be honest, with ever evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol
Best,
Andy
[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 25 | |
| 11 | |
| 6 | |
| 5 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 3 |
Fri 10 Jan 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 32: Infinity External Risk Management (CyberInt)Fri 10 Jan 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 32: Infinity External Risk Management (CyberInt)About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
