topic Re: Minemeld static url/ipv4/md5 list in General Topics

Minemeld static url/ipv4/md5 list

porq91 — Sat, 28 May 2022 08:02:00 GMT

Hi everyone,

we have installed minemeld in our facility and it's great, but we are having trouble implementing a solution that takes lists internally, our current goal is to update the list manually based on the ipv4 / url we get from our security team. Is there any guide that explains how this can be done?

Thanks ,

Angelo.

Re: Minemeld static url/ipv4/md5 list

aleksandar.astardzhiev — Sat, 28 May 2022 14:34:46 GMT

Hi @porq91 ,

To achieve what you want you need localdb prototype. The only "guide" I am aware of is from the following link - https://live.paloaltonetworks.com/t5/general-articles/using-minemeld-as-an-incident-response-platform/ta-p/174690/jump-to/first-unread-message

Note that there was a bug that localdb was able to hold only single indicator and any new will replace the existing. This bug was fixed in some later version. So you definately need to run the latest version of MineMeld. Since no one from open communitity is picking up the project I believe last version is 0.9.70 and you should be fine with it.

Below are summarized steps that I writed down for myself, but if you need more detailed explanation check the link above

LocalDB miner

Purpose: Miner using prototype localDB allow to import indicators that are stored locally on the MineMeld. Those indicators are than parsed in format suitable for PAN FW EDL consumption
Steps to create:

Find build-in prototype "stdlib.localDB" and create new copy

Since this prototype is in experimental state, we need to edit the shared level, so we can use standard output node to consume the indicators. Note here we can modify the default age_out value. Unfortunately, currently there is a bug for this typo (if age_out is modified when adding new indicator all current are removed)

Using the new prototype create miner node

Create output node using standard prototype and select as input the localdb node created earlier and commit the changes

To add indicator to the list you need to send POST request with following details:

URL: https://my-minemeld.local/config/data/XXXXXXXX-bad-domain_indicators/append?h=XXXXXXXX-bad-domain&t=localdb (highlighted string needs to correspond the miner node name you created above)
Credentials: MineMeld admin account credentials are required (currently MineMeld doesn't support RBAC)
Data must be in JSON format (send header Content-Type: application/json) as follow:

{

"indicator": "bad.example.com",

"type": "domain",

"comment": "Phishing domain",

"share_level": "green",

"confidence": 100,

"ttl": "disable"

}

Indicator - contain the suspicious domain

Type - must be set to domain (other options are IPv4, URL, hash)

Comment - Optional, but good practice to keep track for the reason why this domain was added

Share_level, Confidence - Optional, used for filtering internally in MineMeld

TTL - this set the age out period for the indicator, it must be set to disable in order to keep the indicator forever (due to the bug we cannot set age out disabled by default, so it must be set for each indicator). If ttl is set to 0 indicator will be removed from the local db and EDL respectfully

Re: Minemeld static url/ipv4/md5 list

porq91 — Sat, 28 May 2022 18:08:44 GMT

Thanks @aleksandar.astardzhiev, much appreciated.

However I have a couple of concerns:

First, the url https://my-minemeld.local, should my-minemeld.local be replaced with the ip of the machine that hosts minemeld?

Second of all, I have no idea how to do the POST request you recommended.

Excuse the stupid question but this is the first time I have worked on this kind of application.

Re: Minemeld static url/ipv4/md5 list

aleksandar.astardzhiev — Sat, 28 May 2022 18:30:40 GMT

Hi @porq91 ,

- Yes my-minemeld.com is just an example, which you need to replace with the hostname/ip address of your own MineMeld. Same goes for "XXXXXXXX-bad-domain" - you need to replace that as well with the name you use in your config

- I ment HTTP POST request - if you look at the link, somewhere around the end of the post there is "Annex 2" which is explaining how you can send API request to add/remove new indicators to the list. What I forgot to mention is that you can add/remove indicators manually through MineMeld GUI - go to Nodes -> Click on your localDB miner, there will be additional tab listing all current indicators and allowing you add or remove

Adding indicators via the GUI could be tidious, especially if you need to add bulk of indicators. In addition you can have somekind of automation that could benefit from the API and add/remove indicators using the explained API POST requests.

Re: Minemeld static url/ipv4/md5 list

porq91 — Sat, 28 May 2022 20:07:49 GMT

Work greatly,

just last thing, if i wanted to add multiple ip's at once is this the right format?

because in this way it does not add all the ip's

curl --insecure -XPOST -H "Content-Type: application/json" -u admin:minemeld "https://10.0.0.4/config/data/node-bad-domain_indicators/append?h=node-bad-domain&t=localdb" -d '
{
"indicator": "8.8.8.8",
"indicator": "8.8.8.2",
"indicator": "1.1.21.1",
"indicator": "1.1.51.1",
"indicator": "1.15.1.1",
"indicator": "1.6.1.1",
"indicator": "1.1.2.1",
"indicator": "1.1.3.1",
"indicator": "1.4.1.1",
"indicator": "2.1.1.1",
"type": "IPv4",
"comment": "usual Google DNS Public IP",
"share_level": "green",
"confidence": 100,
"ttl": 3600
}'

Re: Minemeld static url/ipv4/md5 list

aleksandar.astardzhiev — Sun, 29 May 2022 08:47:55 GMT

Hi @porq91 ,

I don't believe you can add multiple indicators with single API call... My approach for adding bulk of indicators when creating localdb for the first time was "quick and dirty" bash scripting - reading from a file each entry on new line, with for loop repeating the curl command for each indicator.

Re: Minemeld static url/ipv4/md5 list

porq91 — Mon, 30 May 2022 15:27:32 GMT

Thanks a lot dude, very helpful.😘