cameronem
Explorer

Custom intelligence feed and TOR with our internal CA

Hi

We are looking at implementing either ioc_feeds or TOR to block from a custom feed on R80.30. This feed is hosted on an internal server with a certificate issued by our internal CA. How can we get the GW (and MDM if we use TOR) to trust those? I have tried going into Servers > More > Trusted CA and importing the root and intermediate certificates and installing database/install policy, but when doing curl_cli it still doesn't like the cert. I'm not in a position at this point to fully implement the features but am trying to get as much prep done as I can. I see for custom intelligence feeds we could do export EXT_IOC_NO_SSL_VALIDATION=1 but think it's probably best to just trust our CA, and also can't find anything if we go with the TOR option.

We don't currently have antibot/antivirus enabled and are concerned about the added load etc. of enabling either of these to do the custom intelligence feed option. Is there any other way to do domains, since it appears the TOR option only does IP?

Thanks

0 Kudos
7 Replies
Mikael
Contributor

Hi,

As far as I know curl (curl_cli) has its own repository/bundle of certs and that's why you still get the warning when testing with curl_cli. https://curl.se/docs/sslcerts.html

The custom IOC does need AV/AB enabled. Without giving us some info on the environment it will be hard to provide a guesstimate of the added load...

I assume that you have checked sk103154 as that provides an alternative way to drop traffic using SecureXL and SAM.

I also remember having used http://opendbl.net/#index.html many years ago...

0 Kudos
cameronem
Explorer

Thanks for that, but my main query is that I presume if the CA isn't trusted then when we do set up the TOR feeds etc. it won't work.

0 Kudos
Tobias_Moritz
Advisor

I had the same problem and asked TAC about a year ago. The response was:

We have an official, tested procedure for adding a trusted CA for IOC feeds (an SK about this subject will be released shortly):

1. Export the relevant CA in Base64 format.
2. Copy the exported CER file to the gateway.
3. Create a new bundle file for IOC trusted CAs:
# cp $FWDIR/database/ca_bundle.pem $FWDIR/database/ioc_ca_bundle.pem
Please note: For adding more than one trusted CA, there's no need to repeat this step.
4. Append the new trusted CA into the file:
# dos2unix [CER file]
# cat [CER file] >> $FWDIR/database/ioc_ca_bundle.pem
5. Change IOC feeds to read the trusted CAs from the new file:
a. Backup the current $FWDIR/conf/ioc_feeder.conf:
# cp $FWDIR/conf/ioc_feeder.conf $FWDIR/conf/ioc_feeder.conf_BKP
b. Edit $FWDIR/conf/ioc_feeder.conf:
# vi $FWDIR/conf/ioc_feeder.conf
c. Change the following line:
"ioc_bundle": "\/database\/ca_bundle.pem",
To:
"ioc_bundle": "\/database\/ioc_ca_bundle.pem",

Not sure if the mentioned sk is public now.

0 Kudos
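The TAC procedure quoted above, steps 3 to 5, as a script. This is an added example, not TAC's or Check Point's own script or SK content. It assumes the CER file is the Base64/PEM export from step 1, that $FWDIR contains database/ca_bundle.pem and conf/ioc_feeder.conf as described, and that tr is available (it is used in place of dos2unix, which strips the same CR bytes). Without arguments it dry-runs in a scratch directory built from constructed, non-real certificate text, so it can be exercised before touching a gateway.

```shell
#!/bin/sh
# Added example (not TAC's or Check Point's script): automates steps 3-5 of
# the quoted procedure for adding an internal CA to the IOC feed bundle.
# Assumes: PEM ("Base64 format") CER export, $FWDIR layout as in the
# procedure, tr available (used instead of dos2unix).
set -u

# Guard: only a PEM certificate may be appended; a DER export would
# otherwise land in the bundle as binary garbage.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Step 3: create ioc_ca_bundle.pem from the stock bundle, only once.
ensure_ioc_bundle() {
    [ -f "$1/database/ioc_ca_bundle.pem" ] ||
        cp "$1/database/ca_bundle.pem" "$1/database/ioc_ca_bundle.pem"
}

# Step 4: strip CR bytes (what dos2unix does) and append the CA.
# Duplicate check is a heuristic: the first Base64 line of a certificate
# encodes its length and serial number, so an exact line match means this
# certificate is already in the bundle.
append_ca() {
    fwdir=$1
    cer=$2
    bundle="$fwdir/database/ioc_ca_bundle.pem"
    is_pem_cert "$cer" || { echo "not a Base64/PEM certificate: $cer" >&2; return 1; }
    first=$(tr -d '\r' < "$cer" | sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}')
    if grep -qxF -- "$first" "$bundle"; then
        echo "already in bundle, skipping: $cer" >&2
        return 0
    fi
    tr -d '\r' < "$cer" >> "$bundle"
}

# Step 5: back up ioc_feeder.conf (only if no backup exists yet, so reruns
# do not clobber the original) and point ioc_bundle at the new file. The
# conf stores the path with JSON-escaped slashes, hence \\/ in the pattern.
# sed -i is not portable, so the edit goes through a temp file.
switch_feeder_conf() {
    conf="$1/conf/ioc_feeder.conf"
    [ -f "${conf}_BKP" ] || cp "$conf" "${conf}_BKP"
    sed 's#"\\/database\\/ca_bundle\.pem"#"\\/database\\/ioc_ca_bundle.pem"#' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# Verification helpers: which bundle ioc_feeder will read, and how many
# certificates that bundle now holds.
feeder_bundle_path() {
    sed -n 's/^[[:space:]]*"ioc_bundle":[[:space:]]*"\(.*\)",.*$/\1/p' "$1/conf/ioc_feeder.conf"
}
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1/database/ioc_ca_bundle.pem"
}

# Whole procedure: FWDIR, CER file. Run once per CA (root, intermediate).
add_internal_ca() {
    ensure_ioc_bundle "$1"
    append_ca "$1" "$2"
    switch_feeder_conf "$1"
}

# Dry-run fixture: a scratch $FWDIR holding a constructed (not real) bundle,
# conf file and a CRLF-terminated CER export. Prints the scratch path.
setup_scratch() {
    d=$(mktemp -d)
    mkdir -p "$d/database" "$d/conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedPublicRootBodyNotARealCertificate0000000000000000000' \
        '-----END CERTIFICATE-----' > "$d/database/ca_bundle.pem"
    printf '%s\n' '{' '  "ioc_bundle": "\/database\/ca_bundle.pem",' '}' > "$d/conf/ioc_feeder.conf"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedInternalCaBodyNotARealCertificate000000000000000000' \
        '-----END CERTIFICATE-----' > "$d/internal-ca.cer"
    echo "$d"
}

demo() {
    d=$(setup_scratch)
    add_internal_ca "$d" "$d/internal-ca.cer"
    add_internal_ca "$d" "$d/internal-ca.cer"   # rerun: duplicate skipped
    echo "bundle certs: $(bundle_cert_count "$d")"   # 2
    echo "ioc_bundle:   $(feeder_bundle_path "$d")"
    rm -rf "$d"
}

# Usage: sh ioc_ca_bundle.sh $FWDIR /path/to/internal-ca.cer   (on a gateway)
#        sh ioc_ca_bundle.sh                                    (dry run)
if [ $# -eq 2 ]; then
    add_internal_ca "$1" "$2"
else
    demo
fi
```

Run it once for the root and once for the intermediate if the feed server presents a chain that needs both; step 3 is skipped automatically on the second run. The same ioc_ca_bundle.pem can also be passed to a curl_cli --cacert argument when testing the feed URL by hand, which keeps certificate validation on instead of disabling it.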
PhoneBoy
Admin

0 Kudos
cameronem
Explorer

Awesome, thanks for that 🙂 Sorry, not sure why I didn't see that when searching. Is there a similar one for TOR? Couldn't find one for it either, and with another search can't?

0 Kudos
Ben_s
Employee

@PhoneBoy @cameronem 

Having a quick look (I may be WAY off; PhoneBoy can double-check me), the sk103154 shell scripts use SAM (Suspicious Activity Monitoring) rules in the script to block the IPs and use curl_cli as part of the tool set to pull the IP addresses from the selected file or URL. Since the script's job is to pull from the resource and then create the SAM rules, I believe you would need to modify the shell script.

Now, I’m not sure what you would need to do, my guess would be to add “-k” to the “Curl_cli” rule or change the ca bundle it uses.

curl_cli -s --cacert $CPDIR/conf/ca-bundle.crt --retry 10 --retry-delay 60 $url | dos2unix | grep -vE '^$' | convert > $cache_file_name

0 Kudos
Nir_Naaman
Employee

Slight correction to the above - sk103154 doesn't use SAM rules (sk112061). SAM is a managed facility (from SmartConsole) that communicates with the gateways to provision block rules. Rather, sk103154 leverages the Rate Limiting rules for DoS Mitigation ("fw samp") feature for implementing large scale, high performance network blocking by IP. 

Do note that sk103154 explicitly recommends that customers who are running on R81 or above should prefer the newer sk132193 Custom Intelligence Feeds. Check out the Smart Intel Admin Guide for a section on how to automate TOR feed management for sk132193.

0 Kudos