topic Getting "engine fatal" error in Minemeld. in General Topics

Getting "engine fatal" error in Minemeld.

BobHarrison — Thu, 09 Mar 2017 22:12:16 GMT

Hi Luigi, this is in reference to ticket 00632153. Two issues here:

1. While attempting to work on issue #2, I noticed that I am getting an "engine fatal" error in Minemeld. Version is 9.34. Have restarted engine, but the issue is still there.

2. I would like to build a custom exclusion for the below Amazon IP list so that addresses are dynamically updated and can be allowed by Minemeld and an access rule in our Palo Alto that points to it. Is this possible in 9.3.4 or do I need an upgrade?

Amazon list:

https://ip-ranges.amazonaws.com/ip-ranges.json

Article you wrote about how to do this. Want to make sure that this is still the best way to do this?

https://live.paloaltonetworks.com/t5/MineMeld-Discussions/What-s-new-in-MineMeld-0-9-9/m-p/76690#U76690

thanks for all your help!

Re: Getting "engine fatal" error in Minemeld.

lmori — Fri, 10 Mar 2017 11:01:31 GMT

Hi @BobHarrison,

there is a builtin prototype to monitor that URL aleady, it's called aws.AMAZON. There a many ways you can use this Miner, following are the 2 most common use cases:

1. Direct EDL for PAN-OS

If you want to create a feed for those AMAZON IP ranges, you can go in CONFIG > IMPORT, paste the following snippet and then press APPEND (and COMMIT :-)). You can then point PAN-OS EDL to https://<minemeld>/feeds/feedAmazonIPs.

nodes:
  amazonIPs:
    inputs: []
    output: true
    prototype: aws.AMAZON
  feedAmazonIPs:
    inputs:
      - amazonIPs
    output: false
    prototype: stdlib.feedHCGreenWithValue

2. WHITELIST in MINEMELD

If instead you would like to use those IP Ranges for whitelisting indicators directly on MineMeld you can use the following snippet:

nodes:
  wlAmazonIPs:
    inputs: []
    output: true
    prototype: aws.AMAZON

This will create a Miner for AMAZON IPs that you can connect to IPv4 aggregators to automatically remove Amazon IPs from the feeds. The trick here is the "wl" prefix in the name of the Miner. Aggregators treat as whitelist all the indicators coming from Miner starting with wl. See the example graph below, aggregatorIPv4 automatically removes indicators sent by ransomwaretacker_RW_IPBL overlapping the ranges coming from wlAmazonIPs.

Re: Getting "engine fatal" error in Minemeld.

BobHarrison — Fri, 10 Mar 2017 19:18:47 GMT

Hi Luigi, thanks for your input.

1. I am still getting "engine-fatal" issue in Minemeld?

2. What is the preferred method of the two? Currently we are using minemeld by having a DENY access-list that points to "Emerging threats feed", "high confidence feed", etc. Should I be creating a second access-list that is a PERMIT list that points to the url of our minemeld server?

Re: Getting "engine fatal" error in Minemeld.

lmori — Sat, 11 Mar 2017 00:13:03 GMT

Hi @BobHarrison,

please, could you download and send me the minemeld-engine.log file from SYSTEM > DASHBAORD > ENGINE > LOGS ? My email address is lmori@paloaltonetworks.com
It depends on your what is your ultimate goal. If you would like to allow all the traffic going to any AMAZON service, then the best way to do it is a new EDL pointing to the new feed. If instead you want to be sure that your OSINT feeds are not blacklisting any Amazon IP address, then you should go for solution 2) - whitelist inside MineMeld.