topic Re: DAGPusher and DAG in General Topics

DAGPusher and DAG

Retired Member — Thu, 25 Feb 2016 15:03:14 GMT

Luigi,

Can you confirm DAGPusher name should match tag for DAG in PAN-OS? I can't have the DAG updated with Minemeld indicators

Thanks

Bertrand

Re: DAGPusher and DAG

lmori — Thu, 25 Feb 2016 15:13:26 GMT

Hi Bertrand,

no relationship between dagpuhser name and DAG on PAN-OS.

Could you check with "show object registered-ip all" ?

Should be something like:

admin@PA-VM-Minemeld> show object registered-ip all

registered IP Tags

---------------------------------------- -----------------

<IP edited> #

"mmld_confidence_high"

"mmld_direction_unknown"

"mmld_pushed"

[...]

NOTE: only unicast IP will be pushed, as DAG API only support unicast IPs.

Re: DAGPusher and DAG

Retired Member — Thu, 25 Feb 2016 16:19:15 GMT

Luigi,

I got no output from the command. I suspect a problem in the DagPusher connection to the firewall. What is the best course to troubleshoot that the handled device is correctly connected from Minemeld?

Thanks

Bertrand

Re: DAGPusher and DAG

lmori — Thu, 25 Feb 2016 16:31:46 GMT

You should check /opt/minemeld/logs/minemeld-engine.log file for errors.

Re: DAGPusher and DAG

Retired Member — Thu, 25 Feb 2016 17:29:29 GMT

Luigi,

I tried with the following (as Office365 is still experimental):

Miner: malwaredomainlist.ip

Aggregator: stdlib.aggregatorIPv4Generic

And dagPusher as the Output.

I didn't get any result in viewing objects on PA devices and got the attached screenshots which makes me feel the dagPusher is not processing, while receiving, indicators.

There is no error in the minemeld-engine.log

Regards,

Bertrand

Re: DAGPusher and DAG

lmori — Thu, 25 Feb 2016 17:43:00 GMT

Hi Bertrand,

if you see updates and 0 indicators it means indicators have been discarded.

Aggregator generates IPv4 ranges, in this case you may want to remove it from the chain and directly connect malwaredomainlist.ip miner to dagpusher.

I will improve the dagPusher to keep a metric about discarded indicator and improve the check on unicast IPs.

Thanks,

Luigi

Re: DAGPusher and DAG

Retired Member — Thu, 25 Feb 2016 22:11:39 GMT

Thanks Luigi,

Understood and it works much better. Very good job by the way.

Cheers,

Re: DAGPusher and DAG

lmori — Thu, 25 Feb 2016 22:13:53 GMT

Thanks, next minor release should have a more flexible dag pusher node. You will be able to use an IPv4 Aggregator as upstream node.

Luigi

Re: DAGPusher and DAG

bspilde — Fri, 27 May 2016 20:47:54 GMT

Can the tags be modified somewhere? I want a tag for each input my DAGPusher is sending. Unless there is another way to create multiple pushed DAG's on the firewall.

For instance those with the tag O365 get DAG name O365 and end up with a firewall ACL that is an allow. Other blacklist inputs go into a "verybadIP" list and get a drop traffic action ACL.

104.214.35.244 #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"

"mmld_o365ip"

1.1.1.1 #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"

"mmld_verybadIP"

Re: DAGPusher and DAG

lmori — Mon, 30 May 2016 08:11:05 GMT

Hi bspilde,

that is definitely possible. Solution:

- go to CONFIG and click on browse prototypes button

- search for stdlibg.dagPusher prototype and click on it

- click on the NEW button to create a new prototype based on that

- in the config section define the tag_prefix property, like in the picture below

- click OK

- and then create a new node based on this new prototype

When using this new prototype all the tags have prefix "badipbad_" and you can filter on "badipbad_pushed" to collect all the IPs pushed by this new node. Tags will look like:

1.1.1.1 #
"badipbad_confidence_high"
"badipbad_direction_unknown"
"badipbad_pushed"