EDL - Talos block list

L1 Bithead

EDL - Talos block list

I have various EDLs set up on various different PA models. Some work, and populate the list with IPs and effectively block in security policies. However, for the Cisco Talos block list, it just will not work:

http://www.talosintelligence.com/feeds/ip-filter.blf

It won't populate the list at all when I request to see the list I get:

vsys1/Cisco Talos IP Black List:
Next update at : Tue Sep 19 02:08:23 2017
Source : https://www.talosintelligence.com/feeds/ip-filter.blf
Referenced : Yes
Valid : Yes

Auth Valid: Yes
Total invalid entries : 1
Valid ips:

No error

Service route is set, as other EDLs work fine. All I can think is that this Talos URL resolves to an Amazon AWS address. It still won't work if I tinyurl that AWS address, and add that as the EDL. 

L2 Linker

Re: EDL - Talos block list

Had the same issue; try changing the URL in the EDL to https://talosintelligence.com/documents/ip-blacklist and in the CLI run

request system external-list refresh type ip name "Cisco Talos IP Black List"

Give it a second, then try 

request system external-list show type ip name "Cisco Talos IP Black List"    

Post the results.

L2 Linker

Re: EDL - Talos block list

Assuming you're running Windows, here's a quick and dirty PowerShell script I just wrote to download the list for internal hosting. It gets the content and dumps it to a CSV file without headers, which I found I had to do; otherwise, if I just dumped it to a text file, it was one complete stream of text without any carriage returns, instead of separate IP addresses. Throw that file on an internally hosted website dedicated to hosting firewall blacklists, and use IP restrictions so only your firewall can pull the data. I also do this for IP addresses I want blocked for longer than the built-in max of one hour.

Try not to run the script more than once per hour once it's working so they don't temporarily block you. Change the folder name to the name of the site in IIS.

# Path for the freshly downloaded copy; replace NAMEOFINTERNALWEBSITE with the IIS site's folder name
$talos = 'C:\inetpub\wwwroot\NAMEOFINTERNALWEBSITE\talosTemp.csv'

# Download the current Talos list into the temp file
Invoke-WebRequest -Uri 'https://talosintelligence.com/documents/ip-blacklist' -OutFile $talos

# Only publish the file when it has more than 100 lines, so an empty or truncated
# download does not overwrite the list the firewall is already pulling
if ((Get-Content -Path $talos | Measure-Object).Count -gt 100) {
    # Re-write line by line as ASCII so the firewall reads one IP per line
    Get-Content -Path $talos | Out-File -FilePath 'C:\inetpub\wwwroot\NAMEOFINTERNALWEBSITE\talos.txt' -Force -ErrorAction SilentlyContinue -Encoding ascii
}

This is very rudimentary, but it is working for me so far.

EDIT: forgot to add the ASCII encoding. Feel free to tweak it how you see fit and add more conditional logic as needed; that Measure-Object is just there to make sure the file isn't empty.
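A stricter variant of the same download-and-publish step, added here as an example and not code from the post above: it keeps only lines that parse as an IPv4/IPv6 address or CIDR entry, so malformed lines (the "Total invalid entries" counter the first post shows) never reach the firewall, and it refuses to overwrite the live file when too few entries survive. The site path, the 100-entry floor and the function names are assumptions.

```powershell
# Added example. Site path is a placeholder; the 100-entry floor mirrors the post's line check.
$site           = 'C:\inetpub\wwwroot\NAMEOFINTERNALWEBSITE'   # placeholder IIS site folder
$tempCsv        = Join-Path $site 'talosTemp.csv'
$liveTxt        = Join-Path $site 'talos.txt'
$minimumEntries = 100                                          # refuse to publish a suspiciously short list

# $true when a line is an IPv4/IPv6 address, optionally with a /prefix, which is
# the form an IP-type EDL accepts. IPv4 must be four dotted octets (IPAddress.TryParse
# would otherwise accept shorthand such as "10.1").
function Test-EdlEntry {
    param([string]$Line)
    $addr = $Line; $prefix = $null
    if ($Line -match '^(.+)/(\d{1,3})$') { $addr = $Matches[1]; $prefix = [int]$Matches[2] }
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) { return $false }
    $isV4 = ($parsed.AddressFamily -eq 'InterNetwork')
    if ($isV4 -and $addr -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    if ($null -eq $prefix) { return $true }
    $maxPrefix = if ($isV4) { 32 } else { 128 }
    return ($prefix -le $maxPrefix)
}

# Reads the downloaded file and returns the valid entries; blanks and '#' comments are skipped,
# anything else that fails Test-EdlEntry is counted and dropped.
function Get-ValidEntries {
    param([string]$Path)
    $valid = @(); $invalid = 0
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if (Test-EdlEntry -Line $line) { $valid += $line } else { $invalid++ }
    }
    Write-Host "Valid entries: $($valid.Count), invalid entries dropped: $invalid"
    return $valid
}

Invoke-WebRequest -Uri 'https://talosintelligence.com/documents/ip-blacklist' -OutFile $tempCsv
$entries = Get-ValidEntries -Path $tempCsv
if ($entries.Count -gt $minimumEntries) {
    # One entry per line, ASCII, so the firewall parses the file as separate addresses
    $entries | Out-File -FilePath $liveTxt -Force -Encoding ascii
} else {
    Write-Warning "Only $($entries.Count) valid entries; leaving the existing $liveTxt untouched"
}
```

Running it from a scheduled task once per hour keeps within the rate the post recommends, and the warning branch leaves the last good list in place if the download comes back empty or garbled.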

L5 Sessionator

Re: EDL - Talos block list

You might want to give MineMeld a try. Either the community version or the AutoFocus hosted one would do the job.

Details on how to mine this list at https://live.paloaltonetworks.com/t5/MineMeld-Discussions/Talos-Blacklist/td-p/190671/jump-to/first-...

L4 Transporter

Re: EDL - Talos block list

EDL download by the firewall only works if the web server which hosts the file allows TLS 1.0 connections. The firewall does not support higher TLS versions for EDL downloads.
