https://live.paloaltonetworks.com/t5/general-topics/minemeld-speedtest-net-host-mining/m-p/212384#M97878 <P>Hi all,</P> <P>&nbsp;</P> <P>I&nbsp;managed to install MineMeld on-prem and are playing around with it now. As a first task I'd like to setup a domain feed delivering SpeedTest.net hosts from countries we deployed Palo Alto firewalls.</P> <P>&nbsp;</P> <P>Setting up the miner, a domain aggregator and an output worked, no problem there. We download the full hosts list from <A href="http://c.speedtest.net/speedtest-servers-static.php" target="_blank">http://c.speedtest.net/speedtest-servers-static.php</A> and pass it through to an output feed. However, I don't need all the 7k+ hosts mined. Only those with specific two-digit country codes, such as "CH" or "US". That information is also present in the mined XML file and&nbsp;I tried to&nbsp;fetch this information using "fields" in the input config (field 'countrycode'):</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">age_out:</FONT><BR /><FONT face="courier new,courier">&nbsp; default: null</FONT><BR /><FONT face="courier new,courier">&nbsp; interval: 631</FONT><BR /><FONT face="courier new,courier">&nbsp; sudden_death: true</FONT><BR /><FONT face="courier new,courier">attributes:</FONT><BR /><FONT face="courier new,courier">&nbsp; confidence: 100</FONT><BR /><FONT face="courier new,courier">&nbsp; direction: inbound</FONT><BR /><FONT face="courier new,courier">&nbsp; share_level: green</FONT><BR /><FONT face="courier new,courier">&nbsp; type: domain</FONT><BR /><FONT face="courier new,courier">fields:</FONT><BR /><FONT face="courier new,courier">&nbsp; country:&nbsp;</FONT></P> <P><FONT face="courier new,courier">&nbsp; &nbsp; regex: country="([\w\s]*)"</FONT><BR /> <FONT face="courier new,courier">&nbsp; &nbsp; transform: \1</FONT><BR /><FONT face="courier new,courier">&nbsp; countrycode:</FONT><BR /><FONT face="courier new,courier">&nbsp; &nbsp; regex: cc="(\w){2}"</FONT><BR /><FONT face="courier new,courier">&nbsp; &nbsp; transform: \1</FONT><BR /><FONT face="courier new,courier">ignore_regex: ^\&lt;settings\&gt;|^\&lt;servers\&gt;</FONT><BR /><FONT face="courier new,courier">indicator:</FONT><BR /><FONT face="courier new,courier">&nbsp; regex: host="(.*):8080"</FONT><BR /><FONT face="courier new,courier">&nbsp; transform: \1</FONT><BR /><FONT face="courier new,courier">interval: 3307</FONT><BR /><FONT face="courier new,courier">source_name: speedtest.hosts</FONT><BR /><FONT face="courier new,courier">url: <A href="http://c.speedtest.net/speedtest-servers-static.php" target="_blank">http://c.speedtest.net/speedtest-servers-static.php</A></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">Now I want to filter for this 'countrycode' field in the output node and created a new prototype for this (condition #2):</FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif"><FONT face="courier new,courier">infilters:</FONT><BR /><FONT face="courier new,courier">- actions:</FONT><BR /><FONT face="courier new,courier"> - accept</FONT><BR /><FONT face="courier new,courier"> conditions:</FONT><BR /><FONT face="courier new,courier"> - __method == 'withdraw'</FONT><BR /><FONT face="courier new,courier"> name: accept withdraws</FONT><BR /><FONT face="courier new,courier">- actions:</FONT><BR /><FONT face="courier new,courier"> - accept</FONT><BR /><FONT face="courier new,courier"> conditions:</FONT><BR /><FONT face="courier new,courier"> - countrycode == 'CH'</FONT><BR /><FONT face="courier new,courier"> - share_level == 'green'</FONT><BR /><FONT face="courier new,courier"> name: accept share level green</FONT><BR /><FONT face="courier new,courier">- actions:</FONT><BR /><FONT face="courier new,courier"> - drop</FONT><BR /><FONT face="courier new,courier"> name: drop all</FONT><BR /></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">Result: 0 indicators in that output feed. Thanks for any hints on this. I'd like to avoid creating a miner for every country.</FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">Thanks,</FONT></P> <P><FONT face="arial,helvetica,sans-serif">Oliver</FONT></P> Tue, 01 May 2018 07:39:34 GMT oschuler 2018-05-01T07:39:34Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-speedtest-net-host-mining/m-p/212384#M97878 <P>Hi all,</P> <P>&nbsp;</P> <P>I&nbsp;managed to install MineMeld on-prem and are playing around with it now. As a first task I'd like to setup a domain feed delivering SpeedTest.net hosts from countries we deployed Palo Alto firewalls.</P> <P>&nbsp;</P> <P>Setting up the miner, a domain aggregator and an output worked, no problem there. We download the full hosts list from <A href="http://c.speedtest.net/speedtest-servers-static.php" target="_blank">http://c.speedtest.net/speedtest-servers-static.php</A> and pass it through to an output feed. However, I don't need all the 7k+ hosts mined. Only those with specific two-digit country codes, such as "CH" or "US". That information is also present in the mined XML file and&nbsp;I tried to&nbsp;fetch this information using "fields" in the input config (field 'countrycode'):</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">age_out:</FONT><BR /><FONT face="courier new,courier">&nbsp; default: null</FONT><BR /><FONT face="courier new,courier">&nbsp; interval: 631</FONT><BR /><FONT face="courier new,courier">&nbsp; sudden_death: true</FONT><BR /><FONT face="courier new,courier">attributes:</FONT><BR /><FONT face="courier new,courier">&nbsp; confidence: 100</FONT><BR /><FONT face="courier new,courier">&nbsp; direction: inbound</FONT><BR /><FONT face="courier new,courier">&nbsp; share_level: green</FONT><BR /><FONT face="courier new,courier">&nbsp; type: domain</FONT><BR /><FONT face="courier new,courier">fields:</FONT><BR /><FONT face="courier new,courier">&nbsp; country:&nbsp;</FONT></P> <P><FONT face="courier new,courier">&nbsp; &nbsp; regex: country="([\w\s]*)"</FONT><BR /> <FONT face="courier new,courier">&nbsp; &nbsp; transform: \1</FONT><BR /><FONT face="courier new,courier">&nbsp; countrycode:</FONT><BR /><FONT face="courier new,courier">&nbsp; &nbsp; regex: cc="(\w){2}"</FONT><BR /><FONT face="courier new,courier">&nbsp; &nbsp; transform: \1</FONT><BR /><FONT face="courier new,courier">ignore_regex: ^\&lt;settings\&gt;|^\&lt;servers\&gt;</FONT><BR /><FONT face="courier new,courier">indicator:</FONT><BR /><FONT face="courier new,courier">&nbsp; regex: host="(.*):8080"</FONT><BR /><FONT face="courier new,courier">&nbsp; transform: \1</FONT><BR /><FONT face="courier new,courier">interval: 3307</FONT><BR /><FONT face="courier new,courier">source_name: speedtest.hosts</FONT><BR /><FONT face="courier new,courier">url: <A href="http://c.speedtest.net/speedtest-servers-static.php" target="_blank">http://c.speedtest.net/speedtest-servers-static.php</A></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">Now I want to filter for this 'countrycode' field in the output node and created a new prototype for this (condition #2):</FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif"><FONT face="courier new,courier">infilters:</FONT><BR /><FONT face="courier new,courier">- actions:</FONT><BR /><FONT face="courier new,courier"> - accept</FONT><BR /><FONT face="courier new,courier"> conditions:</FONT><BR /><FONT face="courier new,courier"> - __method == 'withdraw'</FONT><BR /><FONT face="courier new,courier"> name: accept withdraws</FONT><BR /><FONT face="courier new,courier">- actions:</FONT><BR /><FONT face="courier new,courier"> - accept</FONT><BR /><FONT face="courier new,courier"> conditions:</FONT><BR /><FONT face="courier new,courier"> - countrycode == 'CH'</FONT><BR /><FONT face="courier new,courier"> - share_level == 'green'</FONT><BR /><FONT face="courier new,courier"> name: accept share level green</FONT><BR /><FONT face="courier new,courier">- actions:</FONT><BR /><FONT face="courier new,courier"> - drop</FONT><BR /><FONT face="courier new,courier"> name: drop all</FONT><BR /></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">Result: 0 indicators in that output feed. Thanks for any hints on this. I'd like to avoid creating a miner for every country.</FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">Thanks,</FONT></P> <P><FONT face="arial,helvetica,sans-serif">Oliver</FONT></P> Tue, 01 May 2018 07:39:34 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-speedtest-net-host-mining/m-p/212384#M97878 oschuler 2018-05-01T07:39:34Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-speedtest-net-host-mining/m-p/212957#M97879 <P>Implemented the following solution now. Filtering all the countries we need directly in the input node. However, it&nbsp;could be desirable to filter the output instead of input.</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">age_out:</FONT><BR /><FONT face="courier new,courier"> default: null</FONT><BR /><FONT face="courier new,courier"> interval: last_seen+900</FONT><BR /><FONT face="courier new,courier"> sudden_death: true</FONT><BR /><FONT face="courier new,courier">attributes:</FONT><BR /><FONT face="courier new,courier"> confidence: 100</FONT><BR /><FONT face="courier new,courier"> direction: inbound</FONT><BR /><FONT face="courier new,courier"> share_level: green</FONT><BR /><FONT face="courier new,courier"> type: domain</FONT><BR /><FONT face="courier new,courier">ignore_regex: ^\&lt;settings\&gt;|^\&lt;servers\&gt;</FONT><BR /><FONT face="courier new,courier">indicator:</FONT><BR /><FONT face="courier new,courier"> regex: cc="(CH|US|&lt;some more countries&gt;)".*host="(.*):8080"</FONT><BR /><FONT face="courier new,courier"> transform: \2</FONT><BR /><FONT face="courier new,courier">interval: 86400</FONT><BR /><FONT face="courier new,courier">source_name: speedtest.hosts</FONT><BR /><FONT face="courier new,courier">url: <A href="http://c.speedtest.net/speedtest-servers-static.php" target="_blank">http://c.speedtest.net/speedtest-servers-static.php</A></FONT></P> Thu, 03 May 2018 14:26:26 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-speedtest-net-host-mining/m-p/212957#M97879 oschuler 2018-05-03T14:26:26Z