Hi, I'm trying to add a custom IOC feed using CIDR or IP Ranges and have been able to get them to block traffic successfully; however, the logging seems to be a bit more tricky.
This is on R81.20 Take 103, and the same issue is also seen if adding the IOC feed from the GUI.
If I add a feed via ioc_feeds add --feed_name Test_Block_CDIR --format [value:#1,type:IP Range] --transport https --resource "https://url.example.com/test_block_range.txt" --comment [#] --delimiter ","
where the test_block_range.txt looks like:
10.1.1.0-10.1.1.255
10.2.2.0-10.2.2.255
It blocks the ranges successfully; however, in the logs it only shows the full details of the IOC feed doing the blocking for the 10.1.1.0 or 10.2.2.0 addresses.
For any other addresses in the ranges, it only reports the Protection Type as "IP Reputation" with no Protection Name, Indicator Name, or Observable Name, which makes it hard to search on when there are multiple IOC feeds.
Although CIDR is explicitly mentioned in sk132193, it seems to block just fine using the IP type, but again only logs the first IP of each subnet defined.
I can make it work using individual IP addresses, but this seems a bit over the top when looking at several thousand IPs.
Does anyone have experience with IOC feeds and logging who can point me in the right direction, please?
Many thanks,
Hamish Fleming
I will test this in R81.20 and R82 labs tomorrow, since I have IOCs in both.
Andy
Hey @flemingh
Sorry for the delay, was busy with studying and then writing the CCTE exam, totally forgot about updating you, apologies.
I tested this in R82 Jumbo 19; more or less, it was the exact same issue.
Not sure if it's expected or not... maybe someone from CP can comment.
Andy
Thanks for verifying, I appreciate you taking the time.
I'll open a TAC case; not that it's a major issue that doesn't have a workaround, but it's always nice to get things like this tidied up if possible... or be informed that it's a feature, not a bug 🙂
Keep us posted.
Andy
Just to clarify, the issue isn't that the traffic is not being blocked, it's that it's not being logged correctly, right?
And by correct, meaning "not as IP Reputation"
A TAC case is probably needed here.
Yes, the traffic is blocked as it is defined in the IOC feed, but when you look through the logs it doesn't have the reason/IOC feed that blocks the traffic, except for the first entry of the subnet/range listed.
If I have 10.1.1.0/24 defined, it doesn't block 10.1.1.0, but it blocks 10.1.1.1 and shows the correct log info; however, 10.1.1.2 - 10.1.1.254 it blocks but just has "IP Reputation" in the logs.
Equally, if I define 10.1.1.0-10.1.1.255, then 10.1.1.0 blocks and shows in the logs with the correct IOC info, but 10.1.1.1 - 10.1.1.255 only block and only have "IP Reputation" in the logs.
CIDR isn't specified in the doco that I could find, but seems to work other than for the network address and the broadcast address. I also get the same logging issue with the IP Range definition (inclusive of the network and broadcast addresses, not that a range is defining these per se), which is supported in the doco.
I can define the 139K IP addresses individually that I want to block, and this works correctly with the full logging info, but I wanted to check I wasn't missing something, as defining a dozen or so ranges is less overhead than maintaining a 139K-entry file.
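The workaround described in this thread (one feed entry per address so every block is logged with the full Protection/Indicator/Observable names) is easy to generate rather than maintain by hand. The script below is an added example and not part of the thread or of Check Point's own tooling: it reads a feed file in the shape shown above (one range or CIDR per line, "#" comments, "," as the delimiter), merges overlapping entries, and writes one IP per line. The assumption is that the resulting file is then declared as a feed of type IP (for example --format [value:#1,type:IP]) in place of the IP Range feed; the sample feed content and the file names are constructed for the example.

```python
"""Expand a CIDR / IP-range IOC feed into one-address-per-line entries.

Hypothetical helper (not Check Point's own tooling). Input lines look like the
test_block_range.txt in the thread: "10.1.1.0-10.1.1.255" or "10.2.2.0/24",
optionally followed by ","-delimited extra fields and "#" comment lines.
"""
import ipaddress
import sys
from ipaddress import IPv4Address
from typing import Iterator, List, Tuple

Range = Tuple[IPv4Address, IPv4Address]

# Constructed sample feed; same shape as the thread's file, with one overlap.
SAMPLE_FEED = """\
# constructed sample: one entry per line, '#' comments, ',' delimiter
10.1.1.0-10.1.1.255
10.2.2.0/30
10.1.1.10-10.1.1.20
"""


def parse_entry(line: str) -> Range:
    """Return the (first, last) address pair for a range or CIDR entry."""
    value = line.split(",")[0].strip()  # first ','-delimited field is the value
    if "-" in value:
        start_s, end_s = (p.strip() for p in value.split("-", 1))
        start, end = IPv4Address(start_s), IPv4Address(end_s)
        if end < start:
            raise ValueError(f"range end precedes start: {value!r}")
        return start, end
    # CIDR: strict=False tolerates host bits set (e.g. 10.1.1.5/24).
    net = ipaddress.IPv4Network(value, strict=False)
    # Network and broadcast addresses are included on purpose: as individual
    # IP entries they are blocked, unlike the thread's CIDR observation.
    return net.network_address, net.broadcast_address


def parse_feed(text: str) -> List[Range]:
    """Parse a whole feed file, skipping blank and '#' comment lines."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ranges.append(parse_entry(line))
    return ranges


def merge_ranges(ranges: List[Range]) -> List[Range]:
    """Merge overlapping or adjacent ranges so no address is emitted twice."""
    merged: List[Range] = []
    for start, end in sorted(ranges, key=lambda r: int(r[0])):
        if merged and int(start) <= int(merged[-1][1]) + 1:
            if end > merged[-1][1]:
                merged[-1] = (merged[-1][0], end)
        else:
            merged.append((start, end))
    return merged


def entry_count(ranges: List[Range]) -> int:
    """Number of individual addresses the expanded feed will contain."""
    return sum(int(e) - int(s) + 1 for s, e in merge_ranges(ranges))


def expand(ranges: List[Range]) -> Iterator[IPv4Address]:
    """Yield every address covered by the (merged) ranges, in order."""
    for start, end in merge_ranges(ranges):
        for n in range(int(start), int(end) + 1):
            yield IPv4Address(n)


def to_feed_lines(text: str, comment: str = "# expanded from range feed") -> List[str]:
    """Build the one-IP-per-line feed, led by a '#' comment line."""
    return [comment] + [str(ip) for ip in expand(parse_feed(text))]


if __name__ == "__main__":
    # Usage: python expand_feed.py < test_block_range.txt > test_block_ips.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FEED
    ranges = parse_feed(text)
    print("\n".join(to_feed_lines(text)))
    print(f"# {entry_count(ranges)} addresses from {len(ranges)} entries", file=sys.stderr)
```

The merge step matters once the source list grows to the six-figure sizes mentioned in the thread: overlapping ranges would otherwise produce duplicate indicators, and the count printed to stderr lets you sanity-check the expanded file before pointing a feed at it.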
I thought CIDRs were explicitly documented as supported?
In any case, the logging issue is probably independent of this.