https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/195181#M97611 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/6710">@xhoms</a>, That helped.</P><P>One more thing, i was able to follow this <A href="https://live.paloaltonetworks.com/t5/MineMeld-Articles/Customizing-Prototypes/ta-p/72045" target="_self">customizing minemeld article</A> to copy and create a new miner in cli. But i also saw another article which shows a way of doing it in <A href="https://live.paloaltonetworks.com/t5/MineMeld-Discussions/Talos-Blacklist/m-p/190671#M1737" target="_self">GUI</A>,&nbsp;would you know how.</P> Mon, 15 Jan 2018 17:14:32 GMT raji_toor 2018-01-15T17:14:32Z https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/194991#M97609 <P>I am trying out minemeld and <SPAN>I started by adding miner (zeustracker.badips) and</SPAN>&nbsp;removing the default dshield and spam nodes. Before removal inbound feeds were showing subnet ranges/indicators.&nbsp;After removal there is not a single ip. processor shows RX count and PROCESSED count but output is all zero. Am i doing something wrong?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 12 Jan 2018 18:56:59 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/194991#M97609 raji_toor 2018-01-12T18:56:59Z https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/195045#M97610 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a>,</P> <P>&nbsp;</P> <P>you're facing an 'inbound' vs 'outbount' situation. Some threat intel feeds provide you with an attribute attached to the indicators meant to describe whether you should not connect to these IP's (outbound) or you should not accept connections from these IP's (inbound).</P> <P>&nbsp;</P> <P>The dafault config include miners that attach the 'inbound' attribute to the indicators and an aggregator that enforces it. The following capture shows you the aggregator prototype: it accepts indicators of type IPv4 with attribute 'inbound' or 'null' and discards everything else.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2018-01-13_09-37-34.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13215iD4A265DF08ED5E87/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="2018-01-13_09-37-34.png" alt="2018-01-13_09-37-34.png" /></span></P> <P>&nbsp;</P> <P>Now take a look to the Zeus Bad IP Prototype.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2018-01-13_09-40-32.png" style="width: 577px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13216i376E3BAFB0028554/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2018-01-13_09-40-32.png" alt="2018-01-13_09-40-32.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>As you can see, nodes based in this prototype will attach the outbound attribute to received indicators. And that will make the aggregator to discard them. If you take a look to the aggregator logs you'll find the discard action.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2018-01-13_09-43-37.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13217iA2E9D04584B73BB3/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2018-01-13_09-43-37.png" alt="2018-01-13_09-43-37.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>You have many options:</P> <UL> <LI>Create a new prototype out of stdlib.aggregatorIPv4Inbound but removing the direction filter criteria (just accept type == 'IPv4')</LI> <LI>Just use the aggregator stdlib.aggregatorIPv4Generic that is, in fact, what you'll achieve following the previous suggestion.</LI> <LI>Create a new miner prototype out of zeustracker.badips but removing the direction attribute. That will make the indicators match because of the accep direction == 'null' filter action.</LI> </UL> Sat, 13 Jan 2018 08:51:15 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/195045#M97610 xhoms 2018-01-13T08:51:15Z https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/195181#M97611 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/6710">@xhoms</a>, That helped.</P><P>One more thing, i was able to follow this <A href="https://live.paloaltonetworks.com/t5/MineMeld-Articles/Customizing-Prototypes/ta-p/72045" target="_self">customizing minemeld article</A> to copy and create a new miner in cli. But i also saw another article which shows a way of doing it in <A href="https://live.paloaltonetworks.com/t5/MineMeld-Discussions/Talos-Blacklist/m-p/190671#M1737" target="_self">GUI</A>,&nbsp;would you know how.</P> Mon, 15 Jan 2018 17:14:32 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/195181#M97611 raji_toor 2018-01-15T17:14:32Z https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/195183#M97612 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a>, follow examples like the Step 3 in the article <A href="https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-generate-IP-lists-from-wildcards/ta-p/186213" target="_self">MineMeld-Articles/Using-MineMeld-to-generate-IP-lists-from-wildcards</A> to discover how to create new prototypes using the WEB UI</P> Mon, 15 Jan 2018 18:47:19 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-indicators-in-inboundfeed/m-p/195183#M97612 xhoms 2018-01-15T18:47:19Z