vickeryian
Explorer

Unable to add a threat intelligence feed from alien vault

Hi, I am trying to add a threat intelligence feed from Alien Vault to block known malicious IP addresses.

When I add the IP address via SmartConsole, I get a 403 error message.

When I use curl:

[Expert@AKFW01:0]# curl -H "X-OTX-API-KEY: API-KEY-removed" "https://otx.alienvault.com/api/v1/pulses/subscribed"
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.

Has anyone successfully imported a threat intelligence feed from Alien Vault?

Is there an additional certificate I need to install on the security gateway?

Many thanks.

0 Kudos
7 Replies
PhoneBoy
Admin

Most likely the certificate used for the website is not in our certificate bundle.
https://support.checkpoint.com/results/sk/sk132193 explains how to overcome this by importing the feed with a CLI command after setting a specific environment variable (EXT_IOC_NO_SSL_VALIDATION).

0 Kudos
the_rock
Legend

Do you have the actual link? I would like to try it in the lab. https://otx.alienvault.com/api/v1/pulses/subscribed does not show anything.

Andy

0 Kudos
vickeryian
Explorer

curl "https://otx.alienvault.com/api/v1/pulses/subscribed?page=1" \
  -H "X-OTX-API-KEY: API Key removed for security"

This works from my PC but not from the Check Point.

I will check to see if I can import the feed using the CLI as per the earlier post.

0 Kudos
the_rock
Legend

That's certainly one option to try.

0 Kudos
vickeryian
Explorer

This is the reference from Alienvault: Unlocking Threat Intelligence with OTX's | LevelBlue

Regards

Ian Vickery

0 Kudos
the_rock
Legend

Thank you, will check in the morning.

Andy

0 Kudos
Jan_Kleinhans
Advisor

Hello,

I do not know if curl has to work. I tried adding the custom feed via the API by using:

add threat-ioc-feed name "OTX" feed-url "https://otx.alienvault.com/api/v1/pulses/subscribed?page=1" action "Detect" custom-header.1.header-name "X-OTX-API-KEY" custom-header.1.header-value "xxxxapi-keyxxxx"

but when I test it I get an HTTP error 403. So it seems that the custom authentication header has not been sent.

0 Kudos
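As an added example (not code from this thread, from Check Point or from LevelBlue): a small Python script that fetches one page of OTX subscribed pulses with the X-OTX-API-KEY header the thread is troubleshooting, keeps TLS verification on so a missing CA bundle surfaces as an error instead of being silently bypassed, and flattens the IPv4 indicators into a one-per-line list a gateway could consume as a custom feed. The response field names (results, indicators, indicator, type) follow the OTX API's JSON shape; the plain one-indicator-per-line output format is an assumption, and the sample response is constructed.

```python
import ipaddress
import json
import urllib.request

OTX_URL = "https://otx.alienvault.com/api/v1/pulses/subscribed?page=1"

# Ranges that should never reach a perimeter block list: an IOC feed that
# contains RFC1918 or link-local space would break internal traffic if enforced.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def fetch_subscribed(api_key, url=OTX_URL, timeout=30):
    """Fetch one page of subscribed pulses. OTX authenticates with the
    X-OTX-API-KEY header; without it the API answers 403. TLS verification
    stays on: fix the CA bundle rather than disabling validation."""
    req = urllib.request.Request(url, headers={"X-OTX-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def extract_ips(page):
    """Return {ip: pulse_name} for unique, routable IPv4 indicators on a page."""
    out = {}
    for pulse in page.get("results", []):
        for ind in pulse.get("indicators", []):
            if ind.get("type") != "IPv4":
                continue
            try:
                ip = ipaddress.IPv4Address(ind["indicator"].strip())
            except (ipaddress.AddressValueError, KeyError):
                continue  # malformed indicator: drop rather than feed garbage
            if any(ip in net for net in NON_ROUTABLE):
                continue
            out.setdefault(str(ip), pulse.get("name", ""))
    return out


def to_feed(ips):
    """Render one indicator per line (assumed plain-list feed format)."""
    return "".join(f"{ip}\n" for ip in sorted(ips, key=ipaddress.IPv4Address))


# Constructed sample mimicking the shape of a pulses/subscribed response.
SAMPLE_PAGE = {"count": 2, "next": None, "results": [
    {"name": "Constructed pulse A", "indicators": [
        {"indicator": "198.51.100.23", "type": "IPv4"},
        {"indicator": "example.invalid", "type": "domain"},
        {"indicator": "10.0.0.5", "type": "IPv4"}]},
    {"name": "Constructed pulse B", "indicators": [
        {"indicator": "203.0.113.9", "type": "IPv4"},
        {"indicator": "198.51.100.23", "type": "IPv4"},
        {"indicator": "not-an-ip", "type": "IPv4"}]}]}

if __name__ == "__main__":
    print(to_feed(extract_ips(SAMPLE_PAGE)), end="")
```

To pull live data, replace SAMPLE_PAGE with fetch_subscribed("<your OTX key>") and follow the page's "next" URL for further pages.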