krit
Participant

Importing External Custom Intelligence Feeds in SmartConsole - Custom feed settings

Dear Mates,

We would like to use the "indicators" option in Threat Prevention policy and create an External IOC feed object pointing to a file with IP addresses only, one per line.

Specifically, we would like to use the Talos IP blacklist, for a start ( http://www.talosintelligence.com/documents/ip-blacklist )

First of all, I would like to ask if this is possible through SmartConsole. The documentation mentions that feeds which do not match Check Point's format cannot be used in SmartConsole.

Secondly, if the above is possible, is there any documentation on how to fill in the "Custom feed settings"? In our case, with an IP address file, I assume that we choose "type: IP address" in the dropdown menu and leave the "ignore lines that start with:" and "fields delimiter:" fields blank.

What about the "Fields to column number mappings" section? The "Value:" field cannot be empty. I guess that, since I have one column in the file, I should use "1" in that field?

[screenshot: indicator.PNG]

Please be also informed of the versions in our environment.

Management server: R81.10, jhf 30
Security gateways: R80.30, most in jhf 237

Thank you in advance!

Best Regards
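As an added example (my own code, not Check Point's and not from this thread), here is a small Python parser that applies the four "Custom feed settings" discussed above (type, ignore-lines prefix, fields delimiter, Value column) to a feed file, so you can check offline what a one-IP-per-line list would yield before pointing a gateway at it. It assumes the column numbers in the dialog are 1-based, and the sample feed is constructed, not the real Talos list.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class CustomFeedSettings:
    """Mirrors the fields of the SmartConsole 'Custom feed settings' dialog."""
    value_type: str = "IP address"  # 'type' dropdown; only IP lists handled here
    ignore_prefix: str = ""         # 'ignore lines that start with' (blank = none)
    delimiter: str = ""             # 'fields delimiter' (blank = whole line is one column)
    value_column: int = 1           # 'Value' column mapping (assumed 1-based, as in the dialog)


def parse_ip_feed(text: str, settings: CustomFeedSettings):
    """Return (accepted, rejected): accepted is the list of IP/CIDR strings the
    settings would extract, rejected is a list of (line_no, raw_line, reason)."""
    if settings.value_type != "IP address":
        raise ValueError("this helper only handles 'IP address' feeds")
    accepted, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # tolerate CRLF endings and trailing whitespace
        if not line:
            continue  # empty lines carry no indicator
        if settings.ignore_prefix and line.startswith(settings.ignore_prefix):
            continue  # comment/header line, as configured in the dialog
        fields = line.split(settings.delimiter) if settings.delimiter else [line]
        if not 1 <= settings.value_column <= len(fields):
            rejected.append((line_no, raw, "value column out of range"))
            continue
        value = fields[settings.value_column - 1].strip()
        try:
            ipaddress.ip_network(value, strict=False)  # accepts hosts and CIDRs
        except ValueError:
            rejected.append((line_no, raw, "not an IP address or CIDR"))
            continue
        accepted.append(value)
    return accepted, rejected


# Constructed sample feed (documentation addresses), one value per line.
SAMPLE_FEED = "\r\n".join([
    "# constructed sample, not the real Talos list",
    "198.51.100.7",
    "203.0.113.0/24",
    "",
    "not-an-ip",
    "192.0.2.5 extra",
])

if __name__ == "__main__":
    ok, bad = parse_ip_feed(SAMPLE_FEED, CustomFeedSettings(ignore_prefix="#"))
    print("accepted:", ok)
    print("rejected:", bad)
```

With the prefix left blank, as the original post proposes, the comment line is reported as rejected, which is the cue that the "ignore lines that start with" field needs a value for feeds that carry headers.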

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

The custom feed would need more information than IP address, I believe, which means you couldn't use the Talos file as-is.
That said, I believe you'll be able to use this file as-is with R81.20 using a Network Feed object.


9 Replies
krit
Participant

Thank you for the clarification.

As assumed, I only have the cli import option for Talos list, for now.

D_W
Advisor

We have R81.10 GWs and Management, and Custom Feeds also work with only IP addresses!

BUT we have issues with this specific Talos Feed because http://www.talosintelligence.com/documents/ip-blacklist forwards to https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/023/722/original/ip_filt...

[screenshot: image.png]


In the ioc_feed.elg it shows

Cisco_Talos_Feed: Failed to fetch feed. Resource: http://www.talosintelligence.com/documents/ip-blacklist, Reason: Peer certificate cannot be authenticated with given CA certificates

Any ideas how to solve this?

KR,
David

D_W
Advisor

Solved my question. I just changed the URL to https://www.talosintelligence.com/documents/ip-blacklist and ignored the warnings in SmartConsole. Now it works.

CheckPointerXL
Advisor

Are you sure that it is working?

Try to search the logs for "ioc" and verify that you do not have this error:

[screenshot: ioc.JPG]

Also, try to verify whether the IPs are correctly enforced; I guess we should see all relevant IPs in the output of the command fwaccel dos stats get.

Am I correct? @PhoneBoy

This is true for me for a list with only IPs (not domains, not SHA1, etc.). Anyway, here is another question: IoCs are only for AV/AB use, but I can also see the IPs (Cisco Talos) under fwaccel dos stats get, as I mentioned, so it should also work at the FW blade level. Very confusing.

PhoneBoy
Admin
Admin

Not sure the IPs will show up in fwaccel dos format.
They’re in some table or dynamic object for sure.

_Val_
Admin
Admin

Did you look into sk132193 yet? Talos case is mentioned there.

krit
Participant

Yes, did it already.

My concern was about importing Talos list through Smartconsole, not cli.

Regards

r1der
Advisor

Hi @krit, did you figure out the custom settings or figure out how to ingest these into CP?

My indicators are set up like yours and are uploaded into SmartConsole (by a URL that takes you to a .txt file with values that are only IPs, domains, or hashes). "Testing Connectivity" runs successfully, but if I understand correctly, it isn't set up right, since it's not in the Check Point CSV format.
