https://live.paloaltonetworks.com/t5/general-topics/consolidating-or-aggregating-ip-addresses-in-processor/m-p/395756#M95218 <P>Apologies if this question has been asked before, I searched the board but couldn't see anything that stood out</P> <P>&nbsp;</P> <P>I'm consuming the SANS/IRC list of IP addresses attributed to Internet Security Researchers, in an attempt to cut-down on false-positive threat alerts in customer networks. The Miner I wrote works fine, and pulls down about ~6700 IP addresses.</P> <P>&nbsp;</P> <P>When passed into a Processor (Cloned from 'stdlib.aggregatorIPv4Generic', and of the same class '<SPAN>minemeld.ft.ipop.AggregateIPv4FT') all addresses are getting sent to an output. </SPAN></P> <P>&nbsp;</P> <P><SPAN>The problem is that because the list is gathered automatically, it has one IP per-line. Example;</SPAN></P> <P><SPAN>102.165.30.0-102.165.30.0<BR />102.165.30.1-102.165.30.1<BR /></SPAN></P> <P><SPAN>102.165.30.2-102.165.30.2</SPAN></P> <P><SPAN>102.165.30.3-102.165.30.3</SPAN></P> <P><SPAN>...</SPAN></P> <P><SPAN>102.165.30.255-102.165.30.255</SPAN></P> <P>&nbsp;</P> <P><SPAN>I feel that added ~6700 entries into an EDL will be unneccessarily taxing on the firewall. </SPAN></P> <P><SPAN>Since I'm putting in a top-level firewall rule to 'drop' packets coming from these IPs, the firewall will have to match the incoming packets IP to all ~6700 possibilities - whereas if I could consolidate the IPs (for example the above consolidates into 102.165.30.0/24) then the number of matches greatly decreases</SPAN></P> <P>&nbsp;</P> <P><SPAN>I realise that 'aggregator' in the Processors name refers to the ability to 'aggregate' from multiple miners into one processor. But is there an ability to aggregate (/consolidate) IP addresses inside a Processor?</SPAN></P> <P>&nbsp;</P> <P>If this can't be done in Minemeld, then I may have to write a Python parser to pull down the list and consolidate manually - but at that point Minemeld becomes irrelevant, as if I'm hosting the output of the Python script somewhere I can just point the firewall to that instead</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 05 Apr 2021 08:58:50 GMT sam_miller 2021-04-05T08:58:50Z https://live.paloaltonetworks.com/t5/general-topics/consolidating-or-aggregating-ip-addresses-in-processor/m-p/395756#M95218 <P>Apologies if this question has been asked before, I searched the board but couldn't see anything that stood out</P> <P>&nbsp;</P> <P>I'm consuming the SANS/IRC list of IP addresses attributed to Internet Security Researchers, in an attempt to cut-down on false-positive threat alerts in customer networks. The Miner I wrote works fine, and pulls down about ~6700 IP addresses.</P> <P>&nbsp;</P> <P>When passed into a Processor (Cloned from 'stdlib.aggregatorIPv4Generic', and of the same class '<SPAN>minemeld.ft.ipop.AggregateIPv4FT') all addresses are getting sent to an output. </SPAN></P> <P>&nbsp;</P> <P><SPAN>The problem is that because the list is gathered automatically, it has one IP per-line. Example;</SPAN></P> <P><SPAN>102.165.30.0-102.165.30.0<BR />102.165.30.1-102.165.30.1<BR /></SPAN></P> <P><SPAN>102.165.30.2-102.165.30.2</SPAN></P> <P><SPAN>102.165.30.3-102.165.30.3</SPAN></P> <P><SPAN>...</SPAN></P> <P><SPAN>102.165.30.255-102.165.30.255</SPAN></P> <P>&nbsp;</P> <P><SPAN>I feel that added ~6700 entries into an EDL will be unneccessarily taxing on the firewall. </SPAN></P> <P><SPAN>Since I'm putting in a top-level firewall rule to 'drop' packets coming from these IPs, the firewall will have to match the incoming packets IP to all ~6700 possibilities - whereas if I could consolidate the IPs (for example the above consolidates into 102.165.30.0/24) then the number of matches greatly decreases</SPAN></P> <P>&nbsp;</P> <P><SPAN>I realise that 'aggregator' in the Processors name refers to the ability to 'aggregate' from multiple miners into one processor. But is there an ability to aggregate (/consolidate) IP addresses inside a Processor?</SPAN></P> <P>&nbsp;</P> <P>If this can't be done in Minemeld, then I may have to write a Python parser to pull down the list and consolidate manually - but at that point Minemeld becomes irrelevant, as if I'm hosting the output of the Python script somewhere I can just point the firewall to that instead</P> <P>&nbsp;</P> <P>Thanks</P> Mon, 05 Apr 2021 08:58:50 GMT https://live.paloaltonetworks.com/t5/general-topics/consolidating-or-aggregating-ip-addresses-in-processor/m-p/395756#M95218 sam_miller 2021-04-05T08:58:50Z https://live.paloaltonetworks.com/t5/general-topics/consolidating-or-aggregating-ip-addresses-in-processor/m-p/410124#M95219 <P>Have you checked out this form Lmori, in <A href="https://live.paloaltonetworks.com/t5/minemeld-discussions/miner-to-collect-aws-ip/td-p/75925" target="_blank">https://live.paloaltonetworks.com/t5/minemeld-discussions/miner-to-collect-aws-ip/td-p/75925</A></P> <DIV id="bodyDisplay_7" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>Yes, add&nbsp;use the following format for the URL feed:</P> <P>https://&lt;minemeld&gt;/feeds/&lt;aws feed&gt;?tr=1</P> <P>&nbsp;</P> <P>See here for additional details:</P> <P><A href="https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170</A></P> </DIV> </DIV> Mon, 31 May 2021 09:13:46 GMT https://live.paloaltonetworks.com/t5/general-topics/consolidating-or-aggregating-ip-addresses-in-processor/m-p/410124#M95219 Dereje 2021-05-31T09:13:46Z https://live.paloaltonetworks.com/t5/general-topics/consolidating-or-aggregating-ip-addresses-in-processor/m-p/410185#M95220 <P>Hi Dereje</P> <P>&nbsp;</P> <P>Thanks for the link, that's useful info</P> <P>Unfortunately ?tr=1 won't consolidate subnets, it justr translates each line</P> <P>&nbsp;</P> <P>So</P> <PRE>102.165.30.0-102.165.30.0 102.165.30.1-102.165.30.1 102.165.30.10-102.165.30.10</PRE> <P>Becomes</P> <PRE>102.165.30.0 102.165.30.1 102.165.30.10</PRE> <P>&nbsp;</P> <P>Appreciate the reply though</P> Mon, 31 May 2021 16:22:56 GMT https://live.paloaltonetworks.com/t5/general-topics/consolidating-or-aggregating-ip-addresses-in-processor/m-p/410185#M95220 sam_miller 2021-05-31T16:22:56Z