https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143524#M98738 <P>So far I'm using MineMeld to pull Dshield and Spamhaus feeds to use to block inbound connections to our&nbsp;internet facing servers.</P> <P>&nbsp;</P> <P>Whilst there are loads of miners I'd love to know which ones people have found "safe" enough to use on production inbound and outbound traffic/rules and how much of an impact it's had - with 70 or so miners to choose from I simply can't test them all <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 16 Feb 2017 18:36:27 GMT networkadmin 2017-02-16T18:36:27Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143524#M98738 <P>So far I'm using MineMeld to pull Dshield and Spamhaus feeds to use to block inbound connections to our&nbsp;internet facing servers.</P> <P>&nbsp;</P> <P>Whilst there are loads of miners I'd love to know which ones people have found "safe" enough to use on production inbound and outbound traffic/rules and how much of an impact it's had - with 70 or so miners to choose from I simply can't test them all <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 16 Feb 2017 18:36:27 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143524#M98738 networkadmin 2017-02-16T18:36:27Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143638#M98739 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1862">@networkadmin</a>,</P> <P>are you consuming the indicators with Palo Alto Networks NGFW ? or pushing them to a SIEM or TIP ?</P> <P>&nbsp;</P> Fri, 17 Feb 2017 14:04:43 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143638#M98739 lmori 2017-02-17T14:04:43Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143639#M98740 <P>Right now all we have is our PAN</P> Fri, 17 Feb 2017 14:13:24 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143639#M98740 networkadmin 2017-02-17T14:13:24Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143652#M98741 <P>Right now using on PAN FWs ingress filtering:</P> <P>&nbsp;</P> <UL> <LI>Team Cymru's bogon: mostly traffic from misconfigured 100.64.0.0/10</LI> <LI>Team Cymru's fullbogon: some stuff, confirmed bad (scans for known brute-forceable services)</LI> <LI>Spamhaus DROP: significant amounts of traffic, confirmed bad</LI> <LI>Spamhaus EDROP: few stuff, confirmed bad</LI> <LI>DSHIELD top 20 /24s: 1000x all the above, lots of shodan.io and research scans; it's important to understand that their authors build it for research purposes, not for blocking, so false positives are a real possibility.</LI> <LI>Openbl.org medium confidence</LI> <LI>blocklist.de: medium confidence</LI> </UL> <P>What we do is using each EDL in different positions in the Security Policy chain,&nbsp; to minimize the impact of false positives, so for example a medium or low confidence EDL impacts low priority networks (wifi, guests, dialup).</P> <P>Jan</P> <P>&nbsp;</P> Fri, 17 Feb 2017 15:01:15 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-real-world-usage-to-reduce-threats/m-p/143652#M98741 irt-unimi 2017-02-17T15:01:15Z