RSS Feed is not fetching details for Red Packet Security #8968

Closed
Mr-AnyThink opened this issue Nov 12, 2024 · 7 comments
Labels: bug (use for describing something not working as expected)

Comments

@Mr-AnyThink

Description

RSS Feed is not fetching details for Red Packet Security. I suspect it is due to Cloudflare, but I can access it from my system.

Environment

  1. OS => Ubuntu 22.04.5 LTS
  2. OpenCTI version: 6.3.10

Reproducible Steps

Configure RSS Feed
https://www.redpacketsecurity.com/feed/

@Mr-AnyThink added the bug and needs triage labels on Nov 12, 2024
@nino-filigran

Potentially similar to: #8736

@Mr-AnyThink
Author

@nino-filigran, I checked Daily Dark Web from the given issue and it is working for me. I noticed there is no Cloudflare verification for the feed https://dailydarkweb.net/feed/

@Mr-AnyThink
Author

Security Week is not working. Is it possible to share details where I can see logs so that I can provide it for more insights?

@Mr-AnyThink
Author

Mr-AnyThink commented Nov 12, 2024

I used "curl -I https://www.redpacketsecurity.com/feed/" and below is the output:

HTTP/2 403
date: Tue, 12 Nov 2024 09:04:10 GMT
content-type: text/html; charset=UTF-8
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
x-content-options: nosniff
cf-mitigated: challenge
cf-chl-out: a+Vvb8fdTwlWLxeabAJRyw/3eFEOXBu3SBjGc/b9SC8pEXQZR7AuuuJjd1ayjbiCtUNWd7+N6eD67fOOT601TZRmTD8jGILMulUfNhJi0EvTDvtQOsaS7Lf8j7ugIKqIO5ARqyPrMoRb5c7OXAkRCA==$J/KoPynY0ZSgJCYqR8vw7g==
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=2qcJsX7nfRpxKd3N%2FmvCcf0iqUymhd8WLV7RiJ8MmwvZ7TTyAsQXXnBBHyCQ3JiafsjT4NHftEyftYNofYwXfODHqKaMWvbMBzK5jjn4%2B67ShNizDCl0IkueIm3%2BZMVqepPUjTC902UhxK0%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
expect-ct: max-age=86400, enforce
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
server: cloudflare
cf-ray: 8e155a6079f83aec-BOM
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=7910&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3453&recv_bytes=838&delivery_rate=337315&cwnd=247&unsent_bytes=0&cid=4933a8e7f547be5b&ts=36&x=0"

The 403 response and the "cf-mitigated: challenge" header indicate that Cloudflare is blocking requests to the RSS feed. This challenge is likely being triggered by Cloudflare’s security settings on Red Packet Security’s website, which could be due to traffic coming from automated tools or unfamiliar IP addresses.
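
One way to triage the failure discussed in this comment, as an added example that is not part of the original thread or of OpenCTI's code: it parses `curl -I` output and separates a Cloudflare challenge (`cf-mitigated: challenge`) from other fetch failures. The function names, result labels and sample header blocks are constructed for illustration.

```python
import re

# Constructed sample, trimmed from the header dump quoted in this issue.
SAMPLE_CHALLENGED = """\
HTTP/2 403
content-type: text/html; charset=UTF-8
cf-mitigated: challenge
server: cloudflare
cf-ray: 8e155a6079f83aec-BOM
"""

# Constructed sample of a healthy feed response (hypothetical values).
SAMPLE_OK = """\
HTTP/2 200
content-type: application/rss+xml; charset=UTF-8
server: cloudflare
"""

def parse_head(raw):
    """Return (status, headers) for the final response in `curl -I` output."""
    # With redirects followed, curl prints one header block per hop,
    # separated by a blank line; only the last block describes the outcome.
    blocks = re.split(r"\n\s*\n", raw.replace("\r\n", "\n").strip())
    lines = [line.strip() for line in blocks[-1].splitlines() if line.strip()]
    match = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0]) if lines else None
    if not match:
        raise ValueError("no HTTP status line found")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers

def classify_feed_response(raw):
    """Label the fetch result so the operator knows whose side the fault is on."""
    status, headers = parse_head(raw)
    if headers.get("cf-mitigated", "").lower() == "challenge":
        return "cloudflare-challenge"      # publisher-side bot protection
    if status in (401, 403):
        return "blocked-by-origin-or-waf"  # refused, but not a CF challenge
    if status >= 400:
        return "http-error"
    if "xml" not in headers.get("content-type", "").lower():
        return "not-a-feed"                # e.g. an HTML page served with 200
    return "ok"
```

A `cloudflare-challenge` result points at the publisher's configuration, which matches the maintainers' advice in this thread to contact the feed owner.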

@romain-filigran
Member

I have not been able to reproduce the problem with redpacketsecurity. The RSS feed is correctly ingested. But I confirm that it is not possible to ingest the SecurityWeek feed, but I think that the problem is not related to OpenCTI, as it is also not possible to ingest it through Google FeedBurner.

@romain-filigran added the needs more info label and removed the needs triage label on Nov 12, 2024
@Mr-AnyThink
Author

Mr-AnyThink commented Nov 13, 2024

Is there anything that I need to change? I have many other RSS feeds which are working fine, but redpacketsecurity is causing an issue. I am getting a 403 error. I removed and added it again but am facing the same issue.

@JeremyCloarec
Contributor

Hello @Mr-AnyThink! Unfortunately, as you commented on your curl request, it looks like an error coming from the Cloudflare configuration on redpacketsecurity's end.
We will be closing this issue, as there is no proper way on our side to fix accessing a feed protected by Cloudflare.
When that happens, the best course of action is to contact the author of the feed to inform them that their Cloudflare configuration seems incorrect.

@JeremyCloarec closed this as not planned on Dec 4, 2024
@romain-filigran removed the needs more info label on Dec 4, 2024