Importing External Custom Intelligence Feeds in SmartConsole - Custom feed settings
Dear Mates,
We would like to use the "indicators" option in Threat Prevention policy and create an External IOC feed object pointing to a file with IP addresses only, one per line.
Specifically, we would like to use the Talos IP blacklist, for a start (http://www.talosintelligence.com/documents/ip-blacklist).
First of all, I would like to ask if this is possible through SmartConsole. Documentation mentions that feeds which do not match Check Point's format cannot be used in SmartConsole.
Secondly, if the above is possible, is there any documentation on how to fill in the "Custom feed settings"? In our case, with an IP address file, I assume that we choose "type: IP address" in the dropdown menu and leave the "ignore lines that start with:" and "fields delimiter:" fields blank.
What about the "Fields to column number mappings" section? The "Value:" field cannot be empty. I guess that since I have "one column" in the file, I should use "1" in that field?
Please also be informed of the versions in our environment.
Management server: R81.10, jhf 30
Security gateways: R80.30, most in jhf 237
Thank you in advance!
Best Regards
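As an added example (not code from this thread or from Check Point), the Python below applies the "Custom feed settings" the question asks about to a constructed one-IP-per-line file: with "type: IP address", an empty delimiter and "Value: 1", each line is its own single column, and setting "ignore lines that start with" to "#" is what keeps a comment line from being rejected. The field names mirror the SmartConsole dialog as named in the question; how they are applied here is an assumption, not Check Point's own parser.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FeedSettings:
    # Names mirror the "Custom feed settings" fields from the question;
    # how they are interpreted here is an assumption, not Check Point's parser.
    feed_type: str = "IP address"
    ignore_prefix: str = ""   # "ignore lines that start with"
    delimiter: str = ""       # "fields delimiter"; empty means the whole line is one column
    value_column: int = 1     # "Fields to column number mappings" -> "Value" (1-based)


# Constructed sample feed (not Talos data): one IP per line plus a few edge cases.
SAMPLE_FEED = """# constructed sample, one IP per line
203.0.113.5
198.51.100.77
192.0.2.0/24
not-an-ip
203.0.113.5
"""


def parse_ip_feed(text: str, settings: Optional[FeedSettings] = None):
    """Return (indicators, rejected): deduplicated, normalized IP/CIDR strings,
    and (line number, raw line, reason) tuples for lines that would not parse."""
    settings = settings or FeedSettings()
    if settings.feed_type != "IP address":
        raise ValueError("this example only handles the 'IP address' feed type")
    indicators: List[str] = []
    rejected: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no indicator
        if settings.ignore_prefix and line.startswith(settings.ignore_prefix):
            continue  # comment line, per "ignore lines that start with"
        fields = line.split(settings.delimiter) if settings.delimiter else [line]
        if not 1 <= settings.value_column <= len(fields):
            rejected.append((lineno, raw, "value column out of range"))
            continue
        value = fields[settings.value_column - 1].strip()
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            rejected.append((lineno, raw, "not an IP address or CIDR"))
            continue
        # Keep single hosts as plain addresses and ranges as CIDR, then dedupe.
        norm = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        if norm not in indicators:
            indicators.append(norm)
    return indicators, rejected
```

Running it with the default settings rejects the leading comment line, which is the case where a non-empty "ignore lines that start with" value matters.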
Accepted Solutions
The custom feed would need more information than IP address, I believe, which means you couldn't use the Talos file as-is.
That said, I believe you'll be able to use this file as-is with R81.20 using a Network Feed object.
Thank you for the clarification.
As assumed, I only have the CLI import option for the Talos list, for now.
We have R81.10 GWs and Management, and Custom Feeds also work with only IP addresses!
BUT we have issues with this specific Talos feed because http://www.talosintelligence.com/documents/ip-blacklist forwards to https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/023/722/original/ip_filt...
In ioc_feed.elg it shows:
Cisco_Talos_Feed: Failed to fetch feed. Resource: http://www.talosintelligence.com/documents/ip-blacklist, Reason: Peer certificate cannot be authenticated with given CA certificates
Any ideas how to solve this?
KR,
David
Solved my question. I just changed the URL to https://www.talosintelligence.com/documents/ip-blacklist and ignored the warnings in SmartConsole. Now it works.
Are you sure that it is working?
Try searching the logs for "ioc" and verify that you do not have this error:
Also, try to verify whether the IPs are correctly enforced; I guess that we should see all relevant IPs in the output of the command fwaccel dos stats get.
Am I correct? @PhoneBoy
This is true for me for a list with only IPs (not domains, not SHA1, etc.). Anyway, here is another question... IoCs are only for AV/AB use, but I can also see the IPs (Cisco Talos) under fwaccel dos stats get like I mentioned... so it should also work at the FW blade level... very confusing.
Not sure the IPs will show up in fwaccel dos format.
They’re in some table or dynamic object for sure.
Did you look into sk132193 yet? The Talos case is mentioned there.
Yes, I did that already.
My concern was about importing the Talos list through SmartConsole, not the CLI.
Regards
Hi @krit, did you figure out the custom settings or figure out how to ingest these into CP?
My indicators are set up like yours and are uploaded into SmartConsole (by a URL that takes you to a .txt file containing only IPs, domains, or hashes). "Testing Connectivity" runs successfully, but if I understand correctly, it isn't set up right, since it's not in a Check Point CSV format.