flemingh
Participant

Custom IOC Feeds CIDR/IP Ranges logging issues

Hi, I'm trying to add a custom IOC feed using CIDR or IP Ranges and have been able to get them to block traffic successfully; however, the logging seems to be a bit more tricky.

This is on R81.20 Take 103 and the same issue is also seen if adding the IOC feed from the GUI

If I add a feed via ioc_feeds add --feed_name Test_Block_CDIR --format [value:#1,type:IP Range] --transport https --resource "https://url.example.com/test_block_range.txt" --comment [#] --delimiter ","

Where the test_block_range.txt looks like:

10.1.1.0-10.1.1.255
10.2.2.0-10.2.2.255

It blocks the ranges successfully; however, in the logs it only shows the full details of the IOC feed doing the blocking for the 10.1.1.0 or 10.2.2.0 addresses.

For any other addresses in the ranges, it only reports the Protection Type being "IP Reputation" with no Protection Name, Indicator Name or Observable Name, which makes it hard to search on when there are multiple IOC feeds.

Although CIDR is explicitly mentioned in sk132193, it seems to block just fine using the IP type but again only logs the first IP of each subnet defined.

I can make it work using individual IP addresses, but this seems a bit over the top when looking at several thousand IPs.

Does anyone have experience with IOC feeds and logging who can point me in the right direction, please?

 

Many thanks,

Hamish Fleming

 

0 Kudos
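The workaround the post mentions (listing every address individually, which does produce full log details) is tedious to maintain by hand for ranges. The following script is an added example, not code from the thread or from Check Point: it reads a range-style feed file in the layout shown above (one entry per line, "#" comment lines) and expands IP Ranges, CIDR blocks and single addresses into a one-IP-per-line file that can be published and pulled with the ioc_feeds command using the IP type. The sample feed content is constructed, the output filename is an assumption, and the exact --format value for a one-column IP feed is assumed to follow the [value:#1,type:IP] pattern from the thread.

```python
import ipaddress
from typing import Iterator, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample feed in the layout from the thread (not a real feed):
# IP Range entries, a CIDR block, a single address, and a "#" comment line.
SAMPLE_RANGE_FEED = """\
# constructed test feed, not real indicators
10.1.1.0-10.1.1.255
10.2.2.0/30
192.0.2.7
"""


def expand_entry(entry: str) -> Iterator[IPAddr]:
    """Yield every address covered by one feed entry.

    Supports "start-end" ranges, CIDR blocks and single addresses. For CIDR
    blocks the network and broadcast addresses are included deliberately so the
    expansion matches an inclusive start-end range of the same block.
    """
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = (part.strip() for part in entry.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry}")
        # summarize_address_range() turns an arbitrary range into the minimal
        # set of networks; iterating a network yields all of its addresses.
        for net in ipaddress.summarize_address_range(start, end):
            yield from net
    elif "/" in entry:
        yield from ipaddress.ip_network(entry, strict=False)
    else:
        yield ipaddress.ip_address(entry)


def expand_feed(text: str) -> List[str]:
    """Expand a whole feed file to a de-duplicated list of individual IPs.

    Blank lines and lines starting with "#" are skipped, matching the comment
    marker passed to ioc_feeds with --comment [#].
    """
    seen = set()
    result: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for addr in expand_entry(line):
            ip = str(addr)
            if ip not in seen:
                seen.add(ip)
                result.append(ip)
    return result


def write_ip_feed(text: str, path: str) -> int:
    """Write the expanded one-IP-per-line feed; returns the number of entries."""
    ips = expand_feed(text)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("# generated from a range feed; one IP per line\n")
        fh.write("\n".join(ips) + "\n")
    return len(ips)


if __name__ == "__main__":
    # Assumed output filename; publish it at the URL given to --resource.
    count = write_ip_feed(SAMPLE_RANGE_FEED, "test_block_ips.txt")
    print(f"wrote {count} individual addresses to test_block_ips.txt")
```

With the generated file published, the feed would be added with a one-column IP format along the lines of `ioc_feeds add --feed_name Test_Block_IPs --format [value:#1,type:IP] --transport https --resource "https://url.example.com/test_block_ips.txt" --comment [#]` (the feed name and URL are placeholders). Keep an eye on the entry count: a handful of /16 ranges expands to hundreds of thousands of lines, so check the file size against what the gateway fetches comfortably before switching production feeds over.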
7 Replies
the_rock
Legend

I will test this in R81.20 and R82 labs tomorrow, since I have IOCs in both.

Andy

0 Kudos
the_rock
Legend

Hey @flemingh 

Sorry for the delay, was busy with studying and then writing the CCTE exam, totally forgot about updating you, apologies.

I tested this in R82 jumbo 19. More or less, it was the exact same issue.

Not sure if it's expected or not... maybe someone from CP can comment.

Andy

flemingh
Participant

Thanks for verifying, I appreciate you taking the time.

I'll open a TAC case, not that it's a major issue that doesn't have a workaround but it's always nice to get things like this tidied up if possible... or be informed that it's a feature not a bug 🙂

the_rock
Legend

Keep us posted.

Andy

0 Kudos
PhoneBoy
Admin

Just to clarify, the issue isn't that the traffic is not being blocked, it's that it's not being logged correctly, right?
And by correct, meaning "not as IP Reputation".

A TAC case is probably needed here.

flemingh
Participant

Yes, the traffic is blocked as it is defined in the IOC feed, but when you look through the logs it doesn't have the reason/IOC feed that blocks the traffic except for the first entry of the subnet/range listed.

If I have 10.1.1.0/24 defined it doesn't block 10.1.1.0, but it blocks 10.1.1.1 and shows the correct log info; however, 10.1.1.2 - 10.1.1.254 it blocks but just has "IP Reputation" in the logs.
Equally, if I define 10.1.1.0-10.1.1.255 then 10.1.1.0 blocks and shows in the logs with the correct IOC info, but 10.1.1.1 - 10.1.1.255 only block and only have "IP Reputation" in the logs.

CIDR isn't specified in the doco that I could find but seems to work other than for the network address and the broadcast address; I also get the same logging issue with the IP Range definition (inclusive of the network and broadcast addresses, not that a range is defining these per se), which is supported in the doco.

I can define the 139K IP addresses individually that I want to block and this works correctly with the full logging info, but I wanted to check I wasn't missing something, as defining a dozen or so ranges is less overhead than maintaining a 139K entry file.

0 Kudos
PhoneBoy
Admin

I thought CIDRs were explicitly documented as supported?
In any case, the logging issue is probably independent of this.

0 Kudos