Adding a sub-graph for IPv4 outbound indicators

Printer Friendly Page

The simple, default config included in MineMeld VM creates a graph to process IPv4 indicators for inbound connections, typically used to filter out scanning hosts or well known brute force attackers. For IPv4 indicators for outbound connections we can define a new sub-graph with its own set of output feeds. These new set of feeds can then be used in the destination part of the PAN-OS security policies.

 

1. Adding an outbound IPv4 aggregator

Under CONFIG press +. Configure a new node with prototype stdlib.aggregatorIPv4Outbound and Output enabled.

Screen Shot 2016-01-04 at 15.53.35.png

 

2. Adding a set of feeds

Under CONFIG add 3 new nodes (HC, MC and LC) for the output feeds and select the node created at point 1 as Input.

 

First node with stdlib.feedHCGreenWithValue as prototype

Screen Shot 2016-01-04 at 15.54.17.png

 

Second node with stdlib.feedMCGreenWithValue as prototype

Screen Shot 2016-01-04 at 15.54.46.png

 

Third node with stdlib.feedMCGreenWithValue as prototype

Screen Shot 2016-01-04 at 15.55.31.png

 

3. Adding a Miner

Under CONFIG add a new Miner generating IPv4 outbound indicators, like zeustracker.badips. Output should be enabled.

Screen Shot 2016-01-04 at 15.55.53.png

 

4. Connecting the aggregator to the Miner

Under CONFIG, click on the INPUTS field of the node created at step 1 and add the Miner.

Screen Shot 2016-01-04 at 15.56.15.png

 

5. Commit

Check the resulting config and press COMMIT.

Screen Shot 2016-01-04 at 15.56.34.png

 

6. Check the sub-graph

The resulting sub-graph should look like this:

Screen Shot 2016-01-04 at 15.58.39.png

Ask Questions Get Answers Join the Live Community
Version history
Revision #:
1 of 1
Last update:
‎02-03-2016 02:00 AM
Updated by:
 
Contributors