I actually did the ioc_feeds add commands from the SK below and the output was the same, so I'm guessing it's probably due to the fact I don't have av/ab blades enabled and it's a VM, but not sure. I don't have access to an actual physical CP appliance to test this theory. It does not show me the number of entries, which would be nice to see 🙂
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Known feeds examples (using the Custom CSV feature)
[Expert@quantum-firewall:0]# ioc_feeds add --feed_name reputation --transport http --resource "http://reputation.alienvault.com/reputation.data" --format [type:ip,value:#1,comment:#4] --delimiter "#"
start add
HTTP url feed transport is insecure and not recommended. Please consider using only url feeds with HTTPS transport.
Default value for active is: true
Default value for feed_action is: prevent
Feed reputation will add on
Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
Feed is cli managed
Fetching active feeds
Update summary
##############
[Expert@quantum-firewall:0]# ioc_feeds add --feed_name domains --transport https --resource "https://www.botvrij.eu/data/ioclist.hostname.raw" --format [type:domain,value:#1]
start add
Default value for active is: true
Default value for feed_action is: prevent
Feed domains will add on
Feed Name: domains
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
Feed is cli managed
'proxy'
SHA256 Fingerprint=F7:02:33:19:BB:93:D4:83:88:21:42:03:9B:11:62:7F:4C:88:DB:17:0B:84:66:B2:E5:90:CB:D2:B5:8C:80:AE
Do you trust the server www.botvrij.eu public certificate? [y/n]: y
Fetching active feeds
Update summary
##############
[Expert@quantum-firewall:0]# ioc_feeds add --feed_name ips --transport https --resource "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv" --format [type:ip,value:#2] --comment [#] --delimiter ","
start add
Default value for active is: true
Default value for feed_action is: prevent
Feed ips will add on
Feed Name: ips
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
Feed is cli managed
'proxy'
SHA256 Fingerprint=16:8F:8D:D7:CD:C1:1D:AF:CB:85:54:79:20:09:42:29:29:2C:AA:BA:13:9E:34:AC:4E:20:EE:CE:4B:0E:9E:50
Do you trust the server sslbl.abuse.ch public certificate? [y/n]: y
Fetching active feeds
Update summary
##############
[Expert@quantum-firewall:0]# ioc_feeds add --feed_name ip_blacklist --transport https --resource "https://www.talosintelligence.com/documents/ip-blacklist" --format [type:ip,value:#1]
start add
Default value for active is: true
Default value for feed_action is: prevent
Feed ip_blacklist will add on
Feed Name: ip_blacklist
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
Feed is cli managed
'proxy'
SHA256 Fingerprint=64:BF:71:2E:6F:DA:8D:6A:37:24:8F:44:57:91:38:2E:E8:14:A3:E3:4E:32:18:9C:B5:B3:DE:83:80:D4:C9:2B
Do you trust the server www.talosintelligence.com public certificate? [y/n]: y
Fetching active feeds
Update summary
##############
[Expert@quantum-firewall:0]# ioc_feeds add --feed_name spam_list --transport https --resource "https://www.ipspamlist.com/public_feeds.csv" --format [type:ip,value:#3,comment:#4] --comment ["#", "first_seen"] --delimiter ","
start add
Default value for active is: true
Default value for feed_action is: prevent
Feed spam_list will add on
Feed Name: spam_list
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipspamlist.com/public_feeds.csv
Action: Prevent
Feed is cli managed
'proxy'
SHA256 Fingerprint=80:43:D6:EC:5E:8F:A6:E6:00:E2:A4:E0:55:96:9D:16:43:89:35:A9:11:B7:5D:4C:17:65:9B:DD:36:79:9B:2B
Do you trust the server www.ipspamlist.com public certificate? [y/n]: y
Fetching active feeds
Update summary
##############
[Expert@quantum-firewall:0]# ioc_feeds add --feed_name hash_list --transport http --resource "http://cybercrime-tracker.net/ccamlist.php" --format [type:sha1,value:#1]
start add
HTTP url feed transport is insecure and not recommended. Please consider using only url feeds with HTTPS transport.
Default value for active is: true
Default value for feed_action is: prevent
Feed hash_list will add on
Feed Name: hash_list
Feed is Active
File will be fetched via HTTP
Resource: http://cybercrime-tracker.net/ccamlist.php
Action: Prevent
Feed is cli managed
Fetching active feeds
Update summary
##############
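An offline way to get the entry count that the output above does not show, as an added example (not Check Point code and not part of the original post): it applies a `--format` / `--delimiter` / `--comment` combination like the ones in the commands above to feed text and counts the rows that yield a well-formed indicator. Assumptions: `#N` is a 1-based column index, lines starting with a comment prefix are skipped, and the validation rules and sample data are constructed here.

```python
import ipaddress
import re

# Validators for the indicator types used in the commands above (ip, domain, sha1).
_PATTERNS = {
    "domain": re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
}

def _valid(kind, value):
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    pattern = _PATTERNS.get(kind)
    return bool(pattern and pattern.match(value))

def parse_format(spec):
    """'[type:ip,value:#1,comment:#4]' -> {'type': 'ip', 'value': 1, 'comment': 4}"""
    out = {}
    for part in spec.strip("[]").split(","):
        key, _, val = part.partition(":")
        out[key.strip()] = int(val[1:]) if val.startswith("#") else val.strip()
    return out

def count_entries(text, fmt, delimiter=None, comment=("#",)):
    """Return (accepted, rejected) row counts for the given feed text."""
    spec = parse_format(fmt)
    col = spec["value"] - 1  # assumption: #N is a 1-based column index
    accepted = rejected = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(tuple(comment)):
            continue  # assumption: blank and comment-prefixed lines are ignored
        fields = line.split(delimiter) if delimiter else [line]
        value = fields[col].strip() if col < len(fields) else ""
        ok = _valid(spec["type"], value)
        accepted, rejected = accepted + ok, rejected + (not ok)
    return accepted, rejected

# Constructed sample shaped like a comma-delimited IP list (documentation-range addresses).
SAMPLE = """# constructed sample, not real feed data
first_seen,ip,port
2024-01-01 00:00:00,192.0.2.10,443
2024-01-02 00:00:00,198.51.100.7,8443
2024-01-03 00:00:00,not-an-ip,443
"""

if __name__ == "__main__":
    print(count_entries(SAMPLE, "[type:ip,value:#2]", ",", ("#", "first_seen")))
```

Run it against a locally saved copy of a feed file with the same format string used in the matching `ioc_feeds add` command; a high rejected count usually means the column index or delimiter does not match the file.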