topic Re: EDL - Talos block list in Advanced Threat Prevention Discussions

EDL - Talos block list

solarstone — Mon, 18 Sep 2017 10:24:56 GMT

I have various EDLs setup on various different PA models. Some work, and populate the list with IP's and effectively block in security policies. However, for Cisco Talos block list, it just will not work:

http://www.talosintelligence.com/feeds/ip-filter.blf

It won't populate the list at all when I request to see the list I get:

vsys1/Cisco Talos IP Black List:
Next update at : Tue Sep 19 02:08:23 2017
Source : https://www.talosintelligence.com/feeds/ip-filter.blf
Referenced : Yes
Valid : Yes

Auth Valid: Yes
Total invalid entries : 1
Valid ips:

No error

Service route is set, as other EDLs work fine. All I can think is that this Talos URL resolves to an Amazon AWS address. It still won't work if I tinyurl that AWS address, and add that as the EDL.

Re: EDL - Talos block list

Netwerx — Thu, 28 Sep 2017 14:43:21 GMT

Had same issue, try changing URL in EDL to https://talosintelligence.com/documents/ip-blacklist and in CLI run

request system external-list refresh type ip name "Cisco Talos IP Black List"

Give it a second, then try

request system external-list show type ip name "Cisco Talos IP Black List"

post results.

Re: EDL - Talos block list

Netwerx — Fri, 29 Sep 2017 12:39:59 GMT

Assuming you're running Windows, here's a quick and dirty powershell script I just wrote to download the list for internal hosting. It gets the content, dumps it to CSV file without headers, which I found I had to do otherwise if I just dumped it to a text file, it was one compelte stream of text without any carriage returns, instead of seperate IP addresses. Throw that file on an internally hosted website dedicated for hosting firewall blacklists, and use IP restrictions so only your firewall can pull the data. I also do this for IP addresses I want blocked for longer than the built in max of one hour.

Try not to run the script more than once per hour once it's working so they don't temporarilly block you. Change the foldername to the name of the site in IIS.

$talos = 'C:\inetpub\wwwroot\NAMEOFINTERNALWEBSITE\talosTemp.csv'
Invoke-WebRequest -uri https://talosintelligence.com/documents/ip-blacklist -OutFile C:\inetpub\wwwroot\NAMEOFINTERNALWEBSITE\talosTemp.csv
if((gc $talos | Measure-Object).count -gt 100){
gc -path $talos | Out-File C:\inetpub\wwwroot\NAMEOFINTERNALWEBSITE\talos.txt -Force -ErrorAction SilentlyContinue -Encoding ascii
}

This is very rudamentary, but it is working for me so far.

EDIT: forgot to add the ascii encoding, feel free to tweak it how you see fit, add more conditional logic as needed, that measure-object is just there to make sure the file isn't empty.

Re: EDL - Talos block list

xhoms — Thu, 07 Dec 2017 19:10:14 GMT

You might want to give MineMeld a try. Either the community version or the AutoFocus hosted one would do the job.

Deatails on how to mine this list at https://live.paloaltonetworks.com/t5/MineMeld-Discussions/Talos-Blacklist/td-p/190671/jump-to/first-unread-message

Re: EDL - Talos block list

Anon1 — Fri, 08 Dec 2017 13:51:36 GMT

EDL download by firewall only works if the web server which hosts the file allows TLS1.0 connections. The firewall does not support higher TLS versions for EDL downloads.

Re: EDL - Talos block list

TNaami — Mon, 30 Dec 2019 20:42:58 GMT

Yes, I do realize this is an older thread but here is what I experienced:

I can open the URL in a browser and see the list of IPs. The firewall does not download the list even though it recognizes the URL. The base URL as published redirects to a much longer URL that changes frequently with updates. That much longer URL is more than the 255 character limit for the URL field. I believe the redirect is where my issue lies. When I try to edit the exclusion list after refreshing the list there are no entries thus I never get a list.

Maybe this can help someone else.

Re: EDL - Talos block list

OtakarKlier — Tue, 07 Jan 2020 23:17:10 GMT

Hello,

Try it with http instead of https.

Just a thought.

Re: EDL - Talos block list

SutareMayur — Fri, 07 Feb 2020 09:01:25 GMT

Hello,

URL : https://www.talosintelligence.com/feeds/ip-filter.blf won't populate the list as it is giving 'URL Access error' when i do Test source URL on firewall. Now when i am browsing above url, it is getting redirected to amazon aws link. If we even try to put redirected URL to Test it on firewall, it will not allow as URL is crossing 255 characters, and palo alto can accept at most 255 under url-test node under EDL.

So this may be the issue here.

- Mayur

Re: EDL - Talos block list

SutareMayur — Mon, 17 Feb 2020 02:54:04 GMT

@solarstoneIs it resolved ?

Mayur

Re: EDL - Talos block list

Adriano_R94 — Mon, 05 Dec 2022 15:37:51 GMT

I have the same problem, I tried the refresh by cli and had this return:
Details:EDL(vsys1/Dynamic_List_Talos ip) Unable to fetch external dynamic list. No error. Using old copy for refresh.
EDL(vsys1/Dynamic_List_Talos ip) Manual Refresh job success

When I test it through the GUI it returns URL access error

The url I'm using is https://talosintelligence.com/documents/ip-blacklist

Another point that only a few days ago we started to receive the log in system Unable to fetch external dynamic list. No error. Using old copy for refresh.

was there any kind of change?

what was the solution to this problem?

Re: EDL - Talos block list

TomYoung — Sat, 24 Dec 2022 20:40:44 GMT

Hi @Adriano_R94 ,

As @SutareMayur says, I believe that the problem is that the above URL redirects to an AWS URL which is 373 characters long. The maximum size for the EDL Source field is 255, which I think is applied redirects also. To demonstrate, I pasted the AWS URL in the field below:

I solved this problem by fetching the Talos list here -> http://opendbl.net/. It has the update date. I did a quick count now on the Talos list, and it had 741 IP addresses just as OpenDBL says.

Thanks,

Tom