https://live.paloaltonetworks.com/t5/general-topics/issue-with-malwaredomainlist-ip/m-p/76649#M99571 <P>I am also working on a tracing function, to let the admin trace the flow of indicators across the graph. Should happen in a week or two.</P> Tue, 19 Apr 2016 08:29:03 GMT lmori 2016-04-19T08:29:03Z https://live.paloaltonetworks.com/t5/general-topics/issue-with-malwaredomainlist-ip/m-p/76600#M99569 <P>Dear,</P><P>&nbsp;</P><P>I added the "malwaredomainlist.ip" as miner.</P><P>This is working (shows that it has mined about 1500 IPs), but when I add the miner input to a ipv4 or domain aggregator I do not get any output...</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2016-04-18 16_09_21-minemeld.png" style="width: 600px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/3590iC26F53B919AF079B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2016-04-18 16_09_21-minemeld.png" alt="2016-04-18 16_09_21-minemeld.png" /></span></P> Mon, 18 Apr 2016 14:09:59 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-with-malwaredomainlist-ip/m-p/76600#M99569 mr.linus 2016-04-18T14:09:59Z https://live.paloaltonetworks.com/t5/general-topics/issue-with-malwaredomainlist-ip/m-p/76611#M99570 <P>Dear mr.linus,</P> <P>malwaredomainlist.ip generates IPv4 addresses only, that's the reason domain aggregator does not accept any of the generated indicators. If you check the prototype for stdlib.aggregatorDomain you will see the inbound filters applied to all the indicators. These filters accept WITHDRAWS and indicators with type domain. Evertyhing else is dropped.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2016-04-18 at 16.51.26.png" style="width: 600px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/3595i361E6196D39C3BBB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2016-04-18 at 16.51.26.png" alt="Screen Shot 2016-04-18 at 16.51.26.png" /></span></P> <P>&nbsp;</P> <P>The IPv4 aggregator instead should accept, but again it depends on the prototype you used to create the aggregator. malwaredomainlist.ip provides C2 IPs, and the indictors are marked as "outbound". Please, could you check that the IPv4 aggregator accepts "outbound" indicators ? You can look at the inbound filters inside the prototype.</P> <P>&nbsp;</P> <P>It would be a good idea&nbsp;to add a new miner to poll the CSV file provided by malwaredomainlist instead of the IP list. I have created an ER (#8) to track this.</P> Mon, 18 Apr 2016 14:59:23 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-with-malwaredomainlist-ip/m-p/76611#M99570 lmori 2016-04-18T14:59:23Z https://live.paloaltonetworks.com/t5/general-topics/issue-with-malwaredomainlist-ip/m-p/76649#M99571 <P>I am also working on a tracing function, to let the admin trace the flow of indicators across the graph. Should happen in a week or two.</P> Tue, 19 Apr 2016 08:29:03 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-with-malwaredomainlist-ip/m-p/76649#M99571 lmori 2016-04-19T08:29:03Z