EDR: cbfeed_airgap.py script 409 Errors on Import
search cancel

EDR: cbfeed_airgap.py script 409 Errors on Import

book

Article ID: 287390

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Error on feed import, with either the built in script (/usr/share/cb/cbfeed_airgap) or the script found on Github :
/usr/share/cb/cbfeed_airgap import -f ./cbfeed_exports/feeds/

Importing Threat Intelligence feeds from ./cbfeed_exports/feeds/
filepath = ./cbfeed_exports/feeds/abusech.json
Failed to add feed abusech (error 409)
filepath = ./cbfeed_exports/feeds/alienvault.json
Failed to add feed alienvault (error 409)
filepath = ./cbfeed_exports/feeds/attackframework.json
Failed to add feed attackframework (error 409)
filepath = ./cbfeed_exports/feeds/Bit9AdvancedThreats.json
Failed to add feed Bit9AdvancedThreats (error 409)
filepath = ./cbfeed_exports/feeds/Bit9EarlyAccess.json
Failed to add feed Bit9EarlyAccess (error 409)
filepath = ./cbfeed_exports/feeds/Bit9EndpointVisibility.json
Failed to add feed Bit9EndpointVisibility (error 409)
filepath = ./cbfeed_exports/feeds/Bit9SuspiciousIndicators.json
Failed to add feed Bit9SuspiciousIndicators (error 409)
filepath = ./cbfeed_exports/feeds/CbCommunity.json
Failed to add feed CbCommunity (error 409)
filepath = ./cbfeed_exports/feeds/CbKnownIOCs.json
Failed to add feed CbKnownIOCs (error 409)
filepath = ./cbfeed_exports/feeds/fbthreatexchange.json
Failed to add feed fbthreatexchange (error 409)
filepath = ./cbfeed_exports/feeds/sans.json
Failed to add feed sans (error 409)
filepath = ./cbfeed_exports/feeds/ThreatConnect.json
Failed to add feed ThreatConnect (error 409)
filepath = ./cbfeed_exports/feeds/tor.json
Failed to add feed tor (error 409)

 

Environment

  • EDR Server: 7.5.0+

Resolution

To work around this issue :
  1. Open the console on the EDR server (to have the ability to access the local file system and exported feeds feeds).
  2. Click the Threat Intelligence page.
  3. Click 'Add New Feed'.
  4. In the URL field, point it to the location of your feeds individually and those will add in.
    • Format : file://tmp/airgap/cb-airgap-feed/cbfeed_exports/feeds/<feed_name>.json
    • Where feeds located here: /tmp/airgap/cb-airgap-feed/cbfeed_exports/feeds/<feed_name>.json
  5. Once those are added manually.  The cbfeed_airgap script should run and import the feeds going forward.
Powered by Wolken Software