https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/194285#M97602 <P>&gt;&gt;&nbsp;<SPAN>whitelist some IPs from the indicators extraced from syslog?</SPAN></P> <P>While not excluding them at the time of extract.&nbsp; Not all feeds should have these whitelist entries excluded from their final output.</P> Mon, 08 Jan 2018 15:44:28 GMT EdwinD 2018-01-08T15:44:28Z https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/192646#M97597 <P>I have various miners.&nbsp; &nbsp;Various miners are connected to various aggregators which are inturn connected in various ways to different types of output.</P> <P>&nbsp;</P> <P>Some of these miners receive RFC1918 IPv4 indicators.&nbsp; &nbsp;These are aggregated and send to outputs.&nbsp; &nbsp;I'm attempted to have one output which will contain these RFC1918 addresses while another does not.&nbsp; &nbsp;</P> <P>&nbsp;</P> <P>I've created a new prototype based off of&nbsp;<SPAN>minemeld.ft.redis.RedisSet accepting only indicator types IPv4.&nbsp; &nbsp;The config includes this:</SPAN></P> <P><SPAN>store_value: true<BR />whitelist_prefixes:<BR />- wl<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>I cloned it and pointed it to clone of processor stdlib.aggregatorIPv4Outbound.&nbsp; &nbsp;The input for this processor includes my wlWhiteListIPv4 as well as my miner.&nbsp; This wlWhiteListIPv4 node has manual indicators which include RFC1918 CIDR blocks along with one IP address (for testing.)&nbsp; &nbsp;This, it includes 10.0.0.0/8 as well as a single host within that range.&nbsp;&nbsp;</SPAN>It appears to me that while the single host works in this case, the CIDR does not.&nbsp;&nbsp;&nbsp;With two nearly identical outputs configured where&nbsp;one is&nbsp; using the whitelist and another not, I see this single host&nbsp;only in the later output.&nbsp; &nbsp;However, other hosts in the 10.0.0.0/8 CIDR are in both.&nbsp; &nbsp;&nbsp;</P> <P>&nbsp;</P> <P>How do I go about adding a miner with CIDRs as a whitelist to an output node?&nbsp; &nbsp; While in my example above I'm talking about RFC1918 addresses, there are additional cases where I want to exclude from certain output nodes the ranges collected from a miner.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 21 Dec 2017 01:39:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/192646#M97597 EdwinD 2017-12-21T01:39:15Z https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/192740#M97598 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23926">@EdwinD</a> : It is working in my case. Are you using a miner based on the 'localdb.Miner' to host the RFC1928 CIDR ranges?</P> Thu, 21 Dec 2017 16:11:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/192740#M97598 xhoms 2017-12-21T16:11:34Z https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/192946#M97599 <P>No, although I do have a WildFireEvent miner cloned from localDB as per the article "<SPAN>Using-MineMeld-as-a-Incident-Response-Platform".&nbsp; &nbsp;Is localDB what I should be using?&nbsp; &nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <DIV class="col-sm-12 col-md-12">&nbsp;</DIV> Fri, 22 Dec 2017 23:07:29 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/192946#M97599 EdwinD 2017-12-22T23:07:29Z https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/192949#M97600 <P>I believe I see what I had wrong.&nbsp; &nbsp; Because I hwave whitelist_prefixes set to wl, the processor name itself must also begin with wl.&nbsp; I had only named the miner begining with wl.</P> <P>&nbsp;</P> <P>So, I configured a processor with a name begining with wl and bound it to two inputs, the wl miner containing my RFC1918 addresses along with my syslog+7 days miner.&nbsp; This worked.&nbsp; &nbsp;Within this same config I have an identical processer with the exception of the name, it does not start with wl.&nbsp; The output node is identical except it points to this processor.&nbsp; This one has the RFC1918 addresses.&nbsp; &nbsp;The point being that with only the name of the processor changing I can see the whitelist working.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I think the following is the relevant config.&nbsp; &nbsp;I have 300+&nbsp; lines in the config ATM, so I'm not posting it all.</P> <P>&nbsp;</P> <P>The end result in this case is that I have PanOS syslog output feeding into MineMeld while whitelisting RFC1918 addresses.&nbsp; Longer term I could use external dynamic IPv4 lists, such as a list of CloudFlare addresses,&nbsp; as a feed into a whitelist that I aggregate against the PanOS syslog entries to generate output feeds that I can use in specific dynamic PanOS firewall rules.&nbsp; After enough hits from an IP, if it isn't on a known list, completely block that IP at every&nbsp;firewall at all locations for a period of time.&nbsp; This is just one example of many I'm considering.</P> <P>&nbsp;</P> <PRE> syslogMiner7Days: inputs: [] output: true prototype: minemeldlocal.syslogMiner7Days aggregatorIPv4GenericStaticWhiteList: inputs: - wlWhiteListIPv4 output: true prototype: stdlib.aggregatorIPv4Generic wlWhiteListIPv4: inputs: [] output: true prototype: stdlib.listIPv4Generic localSyslog7Days: inputs: - syslogMiner7Days - wlWhiteListIPv4 output: true prototype: stdlib.localSyslog wlListIPv4Generic-testingWhiteList20171222b: inputs: - wlWhiteListIPv4 - syslogMiner7Days output: true prototype: stdlib.aggregatorIPv4Generic feedIPv4TestingWhiteList: inputs: - wlListIPv4Generic-testingWhiteList20171222b output: false prototype: minemeldlocal.feedIPv4TestingWhiteList</PRE> <P>&nbsp;&nbsp;</P> Sat, 23 Dec 2017 01:55:08 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/192949#M97600 EdwinD 2017-12-23T01:55:08Z https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/193057#M97601 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23926">@EdwinD</a>,</P> <P>are you trying to create a feed out of MineMeld to be used as whitelist? or would you like to whitelist some IPs from the indicators extraced from syslog?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>luigi</P> <P>&nbsp;</P> Tue, 26 Dec 2017 08:02:17 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/193057#M97601 lmori 2017-12-26T08:02:17Z https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/194285#M97602 <P>&gt;&gt;&nbsp;<SPAN>whitelist some IPs from the indicators extraced from syslog?</SPAN></P> <P>While not excluding them at the time of extract.&nbsp; Not all feeds should have these whitelist entries excluded from their final output.</P> Mon, 08 Jan 2018 15:44:28 GMT https://live.paloaltonetworks.com/t5/general-topics/how-does-one-create-an-output-filter-to-exclude-ipv4-indicators/m-p/194285#M97602 EdwinD 2018-01-08T15:44:28Z