topic Re: Miner for Google IP Address in General Topics

Miner for Google IP Address

FabianB — Fri, 06 Nov 2020 14:59:38 GMT

Just in case anyone is looking for a miner to mine for Google IP address, here is a sample miner

Google Services Miner

age_out
default: null
interval: 257
sudden_death: true
attributes
confidence: 100
share_level: green
type: IPv4
extractor prefixes[]
indicator ipv4Prefix
prefix google
source_name google.range
url https://www.gstatic.com/ipranges/goog.json

Google Cloud Miner

age_out
default: null
interval: 257
sudden_death: true
attributes
confidence: 100
share_level: green
type: IPv4
extractor prefixes[]
indicator ipv4Prefix
prefix google
source_name google.cloud
url https://www.gstatic.com/ipranges/cloud.json

Re: Miner for Google IP Address

carysoc — Tue, 06 Apr 2021 20:42:40 GMT

I'm novice to configuring minemeld, do you have the full layout of the configuration, such as output and processor used?
any guidance is appreciated.

Thanks.

Re: Miner for Google IP Address

carysoc — Thu, 08 Apr 2021 18:21:55 GMT

Thanks. I figured it out..

Because it is a Json format i copied the existing miner prototype, aws.AMAZON, which uses the CLASS, minemeld.ft.json.SimpleJSON.

original strings are;

age_out:
default: null
interval: 257
sudden_death: true
attributes:
confidence: 100
share_level: green
type: IPv4
extractor: prefixes[?service=='AMAZON']
fields:
- region
- service
indicator: ip_prefix
prefix: aws
source_name: aws.AMAZON
url: https://ip-ranges.amazonaws.com/ip-ranges.json

****

Per the previous suggestion, I replaced the following

extractor: prefixes[] <<< changed
fields: <<< removed
- region <<< removed
- service <<< removed
indicator: ipv4Prefix <<< changed
prefix: google <<< changed
source_name: google.cloud <<< changed
url: https://www.gstatic.com/ipranges/cloud.json <<<<<< changed

As for the aggregator, I created a new prototype from stdlib.aggregatorIPv4Generic and removed the following unnecessary lines;

- actions:
- drop
name: drop all
whitelist_prefixes:
- wl

For the output, I created a new prototype from stdlib.feedHCGreen and removed the following unnecessary lines;

conditions:
- confidence > 75
- share_level == 'green'
name: accept confidence > 75 and share level green
- actions:
- drop
name: drop all

Hope this helps.

-DR