Customers and students always ask me how to see what is in the Firepower objects updated by the Cisco feed, so this blog will show you how to find this information.
Security Intelligence is an object category that contains three different types of objects. These are:
You can find and manage all the feeds in the Objects page:
The Objects are implemented in the Access Control Policy under the Security Intelligence tab:
Finding the IP addresses in the for the Network Lists and Feeds objects
Nicely, this one is pretty easy. Go to Talosintelligence.com and click on Reputation Center and then IP Blacklist Download
The huge list of IP’s in the Network objects will appear. Now press CNTL-A and then CNTL-C.
Open Notepad on your desktop and then press CNTL-V and the list will populate into your Notepad; save the file.
Now you can just use those IP’s to test your SI lists by pasting these IP’s into a browser from an inside host.
Finding the URL and DNS addresses in the URL and DNS Lists and Feeds objects
Inside the ACP Security Intelligence tab, you can hover over one of the Network, DNS or URL categories. A pop up will indicate how many entries are currently in this category.
That’s great, but what about the actual entries in each of these objects?
To find these you must SSH to either a FTD device or the FMC. You will find the three types of security intelligence entries in the following three locations:
- Network– /var/sf/iprep_download
- DNS– /var/sf/sidns_download
- URL– /var/sf/siurl_download
Here you will find separate text files for each security intelligence category. You will also find text files for any of your custom feeds as well.
Here is an example of finding the DNS feed file by using: cd /var/sf/sidns_download and then listing the files using ls
The files have unrecognizable UUID (Universally Unique IDentifier) names but if you use cat, head or tail to look at their contents you will see they are simply text files. Each one contains the name of the list as a comment in the first line.
Using this technique you can find out the contents of any of the security intelligence download files for each of the three categories. One huge caveat however, these files are updated frequently. Depending on the update frequency you have selected, an entry that was here 5 minutes ago may be gone now. If you’re trying to troubleshoot an issue or predict whether a given IP, domain or URL will be blocked this may not be a viable technique.