Integrating Custom IOC Feeds - Check Point CheckMates · 2020. 6. 24.



©2018 Check Point Software Technologies Ltd. All rights reserved | P. 1

Integrating Custom IOC Feeds

Jonathan Sanders, Security Engineer – Alabama & Tennessee

December 15th, 2018

This document describes how to integrate and consume custom Indicators of Compromise (IOC) feeds from various 3rd parties (e.g. SANS, the Multi-State Information Sharing and Analysis Center (MS-ISAC), etc.).

Beginning in R80.20 (GA Take 101) and R80.10 (Jumbo HFA Take 121), Check Point gateways support a feature, delivered as a hotfix add-on, that allows custom 3rd-party IOC feeds to be dynamically imported and applied for detection and prevention without any user intervention. Information about this feature and the hotfix download can be found in sk132193.

Once the hotfix has been applied, log into the command line of the Check Point gateway and switch into “expert” mode. At the expert command prompt, run the “ioc_feeds” command without any switches or parameters to get a list of options:

Most of the arguments are self-explanatory; however, one needs further examination. The “format” argument is used to transform custom CSVs that don’t align to the default Check Point CSV format/order of [name,value,type,confidence,severity,product,comment]. Let’s look at each of these field options:

• name – name of the observable
• value – contains the actual value of the observable (192.168.50.5, www.baddomain.com, a1af74ebd46eb956d2b09a188de3ab52, etc.)


• type – this can be one of ten values: ip, ip range, domain, URL, MD5, mail-subject, mail-to, mail-from, mail-cc, mail-reply-to

• confidence – set to high, medium, or low
• severity – set to high, medium, or low
• product – av (Anti-Virus) or ab (Anti-Bot)
• comment – comment or description for the observable

In format definitions, a hashtag (#) in front of a field option value indicates that the value should be “taken from the file” (the number after the # is the column). Without a hashtag, the value is taken literally from the command line. For example, --format [type:ip,value:#3,name:#2] means the CSV feed contains IP address values, the actual IP is in the 3rd column of the file, and the name is in the 2nd column. An opposite example that reads a value from the command line is --format [type:ip,value:#3,name:CustomSigs]; all observables in this feed would have a name of “CustomSigs”. The best example of how a feed of multiple observable types can be imported using custom CSV transforms can be found in sk132193 and is shown here:
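To make the transform rules above concrete, here is an added Python model of the --format mapping (written for this page, not Check Point's own ioc_feeds code). It follows the convention just described: “#N” takes column N from the file, anything else is a literal from the command line; it also assumes the --comment argument used in the examples below lists prefixes of lines to skip (“#, Site”), and it rejects values outside the field options listed above.

```python
import csv

# Default Check Point CSV field order and allowed enumerated values, from the text above.
DEFAULT_FIELDS = ["name", "value", "type", "confidence", "severity", "product", "comment"]
TYPES = {"ip", "ip range", "domain", "URL", "MD5", "mail-subject",
         "mail-to", "mail-from", "mail-cc", "mail-reply-to"}
LEVELS = {"high", "medium", "low"}
PRODUCTS = {"av", "ab"}


def parse_format(spec):
    """'[type:ip,value:#3,name:#2]' -> {field: ('col', N) or ('literal', text)}."""
    body = spec.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    mapping = {}
    for item in body.split(","):
        field, sep, val = (s.strip() for s in item.partition(":"))
        if not sep or field not in DEFAULT_FIELDS:
            raise ValueError(f"bad format item {item!r}")
        # '#N' = take column N (1-based) from the file; otherwise a literal from the CLI
        mapping[field] = ("col", int(val[1:])) if val.startswith("#") else ("literal", val)
    if "value" not in mapping or "type" not in mapping:
        raise ValueError("format must define both 'type' and 'value'")
    return mapping


def parse_comment_arg(arg):
    """'#, Site' -> ['#', 'Site']: assumed to be prefixes of lines the feed should skip."""
    return [p.strip() for p in arg.split(",") if p.strip()]


def transform(feed_text, spec, comment_prefixes=()):
    """Map each feed line to one row in DEFAULT_FIELDS order, validating enumerated fields."""
    mapping, rows = parse_format(spec), []
    for line in (raw.strip() for raw in feed_text.splitlines()):
        if not line or any(line.startswith(p) for p in comment_prefixes):
            continue
        cols = next(csv.reader([line]))
        rec = {}
        for field, (kind, ref) in mapping.items():
            if kind == "col" and not 1 <= ref <= len(cols):
                raise ValueError(f"column {ref} missing in line {line!r}")
            rec[field] = ref if kind == "literal" else cols[ref - 1].strip()
        if rec["type"] not in TYPES:
            raise ValueError(f"unknown type {rec['type']!r}")
        for f, allowed in (("confidence", LEVELS), ("severity", LEVELS), ("product", PRODUCTS)):
            if f in rec and rec[f] not in allowed:
                raise ValueError(f"bad {f} value {rec[f]!r}")
        rows.append([rec.get(f, "") for f in DEFAULT_FIELDS])
    return rows
```

Feeding a SANS-style list through transform(text, "[type:domain,value:#1,name:CustomSigs]", parse_comment_arg("#, Site")) yields one seven-field row per domain, with the name fixed from the command line; a malformed type or a missing column raises instead of silently producing an empty indicator.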

Example #1: Adding Domains from SANS CSV Feed

Feed contents:

Command: ioc_feeds add --feed_name sans_domains --transport https --resource https://isc.sans.edu/feeds/suspiciousdomains_High.txt --format [type:domain,value:1] --comment "#, Site"


Example #2: Adding TOR Exit Nodes from CSV Feed

Feed contents:

Command: ioc_feeds add --feed_name tor_exits --transport https --resource https://www.dan.me.uk/torlist/?exit --format [type:ip,value:1]

Example #3: Adding Domains from MS-ISAC CSV Feed

Feed contents:


Command: ioc_feeds add --feed_name isac_domains_csv --resource http://taxii.cisecurity.org:8888/domains.txt --transport http --format [type:domain,value:1] --comment "#"

Example #4: Adding IP STIX Feed

Feed contents:


Command: ioc_feeds add --feed_name ip_stix --transport https --resource https://raw.githubusercontent.com/STIXProject/schemas/version_1.0.1/samples/STIX_IP_Watchlist.xml

Deleting a Feed

ioc_feeds delete --feed_name <feed name>

Setting Fetch Interval

ioc_feeds show_interval - displays the current fetch interval (default is
ioc_feeds set_interval <seconds> - sets the fetch interval **this affects all feeds**


Logging and Events

Informational events and other useful status can be seen in the SmartConsole Log viewer under the Anti-Bot and Anti-Virus blade logs.

Troubleshooting

If a feed fetch fails, check for SSL errors, or run “export EXT_IOC_NO_SSL_VALIDATION=1” to disable SSL/TLS certificate verification while diagnosing. You may also run the IOC Feed Daemon in debug mode using the “$FWDIR/bin/ioc_feeder -d -f” command.

Also, change to the $FWDIR/external_ioc directory, where you will find a directory for each of your IOC feeds. Navigate to the directory of the feed you are having problems with and look for a file called <feed_name>_https or <feed_name>_http, depending on the transport method; this is the actual feed that was fetched. If neither file exists, the feed was not fetched, and you will need to check that you defined the correct resource and whether authentication needs to be defined. Other config and log files of interest:

• $FWDIR/log/ioc_feeder.elg
• $FWDIR/log/ioc_feeder_configuration.log
• $FWDIR/log/ext_ioc_push.elg
• $FWDIR/conf/ioc_feeder.conf
• $FWDIR/conf/ioc_feeder_stats.conf
• $FWDIR/conf/ioc_feeder_status_file.conf
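The manual check described above (is there a <feed_name>_https or <feed_name>_http file under $FWDIR/external_ioc/<feed_name>, and is it current?) can be scripted for every feed. The following is an added example written for this page, not a Check Point tool; it assumes the directory layout stated in the troubleshooting section, and it assumes (not from the document) that a fetched copy older than two fetch intervals should be treated as stale. make_demo_tree builds a constructed $FWDIR so the check runs off-gateway.

```python
import os
import tempfile
import time

# Layout from the troubleshooting section: $FWDIR/external_ioc/<feed>/<feed>_<transport>
# Assumption (not from the document): a copy older than two fetch intervals is "stale".

def feed_fetch_status(fwdir, feed_name, interval_s, transport=None, now=None):
    """Return a dict describing whether <feed_name> was fetched and how fresh the copy is."""
    now = time.time() if now is None else now
    feed_dir = os.path.join(fwdir, "external_ioc", feed_name)
    status = {"feed": feed_name, "state": "no_feed_dir", "file": None, "age_s": None, "lines": 0}
    if not os.path.isdir(feed_dir):
        return status                      # feed was never added on this gateway
    status["state"] = "not_fetched"        # dir exists but no <feed>_http(s): check resource/auth
    for t in ([transport] if transport else ["https", "http"]):
        path = os.path.join(feed_dir, f"{feed_name}_{t}")
        if os.path.isfile(path):
            break
    else:
        return status
    age = now - os.path.getmtime(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln for ln in fh if ln.strip() and not ln.startswith("#")]
    status.update(file=path, age_s=round(age), lines=len(lines))
    if not lines:
        status["state"] = "empty"          # fetched, but the feed contained no indicators
    elif age > 2 * interval_s:
        status["state"] = "stale"          # daemon not refreshing: check ioc_feeder.elg
    else:
        status["state"] = "ok"
    return status


def make_demo_tree():
    """Build a constructed $FWDIR layout with one fetched feed and one never-fetched feed."""
    root = tempfile.mkdtemp(prefix="fwdir_demo_")
    fetched = os.path.join(root, "external_ioc", "sans_domains")
    os.makedirs(fetched)
    with open(os.path.join(fetched, "sans_domains_https"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\nbad.example\nevil.example\n")
    os.makedirs(os.path.join(root, "external_ioc", "tor_exits"))  # added but never fetched
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    for feed in ("sans_domains", "tor_exits", "isac_domains_csv"):
        print(feed_fetch_status(root, feed, interval_s=3600))
```

On a gateway, call feed_fetch_status with fwdir set to the value of $FWDIR and interval_s set to the value reported by ioc_feeds show_interval.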