IOC feeds

the_rock · ‎2024-04-12

Hey boys and girls,

Happy Friday and weekend 🙂

Just figured would share some IOC feeds I put together in my lab, I counted and there is about 2000 known bad IPs that are blocked via all of them together, so hopefully it can help others.

If anyone has any others to share, please do so. FYI, you do need either AV or AB blades enabled to use IOC feeds and for best results, I recommend R81.20 version, as it also lets you test the feeds from smart console.

I truly believe everyone should do this method, as lets be honest, with ever evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol

Best,

Andy

[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed

Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed

Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#

Best,
Andy

the_rock

I was just about to do some testing with this. Give me some time and will update you.

Best,
Andy

Jean-Francois_G

I just found this link witch have a lot of good IoC Feed Url

Bert-JanP/Open-Source-Threat-Intel-Feeds: This repository contains Open Source freely usable Threat ...

the_rock

I find it very odd that now when I test all this in R82 lab, bunch of links give cert warning, I accept and recheck, keeps looping constantly, never works, but worked in R81.20

Now Im super curious to find generic one, if it exists. I will keep "digging" ; -)

Link you gave, I actually did have it, but bunch of those also fail in R82

Best,
Andy

Jean-Francois_G

I tried these one and worked for now

One question when we create IoC Feed under "Indicators" in Threat Prevention Policy should i add also a Network Rule with a Netword Feed Object that block 2 ways communication or only the IoC Feed is enough ?

Thanks !

the_rock

They work as network feeds, NOT ioc feeds. Thats why I said Im trying to find if there is one generic link that can be used for ioc feed.

Best,
Andy

the_rock

I will definitely keep checking on this until I find link that would contain large database of stuff that can be blocked.

Best,
Andy

PhoneBoy

https://www.talosintelligence.com is not a URL that contains indicators.
You need to specify a full URL for the file that contains the indicators.

the_rock

I could have sworn bunch of those links worked for me in R81.20, but none work on R82 :(. I tried json, php extensions, also csv file, but for some of them, though it gives certificate warning, I accept, but simply loops back constantly, never accepts anything.

Thoughts @PhoneBoy ?

Best,
Andy

Jean-Francois_G

Yes that is what i understand but would it not be a great idea to have url listed here for everybody so everyone can enjoy this

the_rock

I even tried from cli with ioc_feeds add command, no dice. I wont give up, but getting little frustrated lol

Best,
Andy

the_rock

@Jean-Francois_G

Also tried all 4 below, but no luck:

Known Feed Examples (using the Custom CSV format)

Name	URL
Alienvault IP Reputation	http://reputation.alienvault.com/reputation.data
Domains	https://www.botvrij.eu/data/ioclist.hostname.raw
Spam List	http://www.ipspamlist.com/public_feeds.csv
Cybercrime hash list	http://cybercrime-tracker.net/ccamlist.php

from:

sk132193 - What is the "Custom Intelligence Feeds" feature?

Best,
Andy

the_rock

Its super odd, I added all 4 from expert mode based on example below, but still does not show in smart console.

[Expert@CP-GW:0]# ioc_feeds show
Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
Feed is cli managed

Feed Name: domains
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
Feed is cli managed

Feed Name: spam_list
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipspamlist.com/public_feeds.csv
Action: Prevent
Feed is cli managed

Feed Name: hash_list
Feed is Active
File will be fetched via HTTP
Resource: http://cybercrime-tracker.net/ccamlist.php
Action: Prevent
Feed is cli managed

Total number of feeds: 4
Active feeds: 4
[Expert@CP-GW:0]#

Best,
Andy

Are you a member of CheckMates?

Known Feed Examples (using the Custom CSV format)

IOC feeds