Creating whitelists

by lmori on ‎02-05-2016 05:12 AM (7,253 Views)

MineMeld aggregator nodes support whitelists. If an indicator is in a whitelist, the aggregator nodes won't send matching indicators to downstream nodes. Whitelists can also be shared by multiple aggregators.

 

Aggregator nodes created from the stdlib prototypes (stdlib.aggregatorDomain, stdlib.aggregatorURL, stdlib.aggregatorIPv4Generic, stdlib.aggregatorIPv4Outbound, stdlib.aggregatorIPv4Inbound) treat as whitelists the indicators generated by Miner nodes whose name starts with the prefix wl (lowercase). The prefix match is case-sensitive, and the whitelist Miner must be connected as an INPUT of the aggregator, not of the downstream feed node.

 

The following example creates a whitelist Miner for an IPv4 aggregator node.

 

1. Creating a static whitelist node

In CONFIG, click + to add a new node. Specify a name starting with "wl" (lowercase) and select stdlib.listIPv4Generic as the prototype. Enable Output and then press OK.

 

Screen Shot 2016-02-05 at 13.58.33.png

 

2. Connecting the whitelist to the aggregator

In CONFIG, click on the INPUTS field of the selected aggregator. In the dialog add the new whitelist node to the list of INPUTS.

Screen Shot 2016-02-05 at 13.58.48.png

 

3. Commit the config

Just press COMMIT in the CONFIG page.

 

4. Adding indicators to the whitelist

In NODES, click on the new whitelist node and select INDICATORS in the menu on the left.

Screen Shot 2016-02-05 at 14.06.23.png

 

Click + to add new indicators. Pressing OK will automatically save the indicator and the list. It could take up to 1 minute for the new indicator to be pushed downstream to the aggregator node.

Screen Shot 2016-02-05 at 14.09.00.png
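The whitelist behaviour described in the steps above, as an added example that is not MineMeld's own code: a simplified model of an aggregator that treats any input whose name starts with lowercase "wl" as a whitelist. It assumes that IPv4 aggregators subtract whitelisted ranges from blocked ranges (so a whitelist entry inside a larger blocked block punches a hole in it) and that domain/URL aggregators drop exact matches; `check_whitelist_wiring` and the config dict it inspects are hypothetical, modelled on the nodes section of MineMeld's config.yml (name, prototype, inputs, output). The sample feeds are constructed, not real threat intel.

```python
# Added example (not MineMeld's own code): simplified model of how a
# MineMeld-style aggregator treats inputs named wl*.
# Assumptions: the "wl" prefix is case-sensitive, IPv4 aggregators subtract
# whitelisted ranges from blocked ranges, domain/URL aggregators drop exact
# matches, and the config dict mirrors the nodes section of config.yml.
import ipaddress

WHITELIST_PREFIX = "wl"


def is_whitelist_source(node_name):
    """Only a lowercase 'wl' prefix marks an input as a whitelist."""
    return node_name.startswith(WHITELIST_PREFIX)


def _to_networks(indicator):
    """Accept 'a.b.c.d', 'a.b.c.d/nn' or a range 'a.b.c.d-e.f.g.h'."""
    if "-" in indicator:
        lo, hi = indicator.split("-", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    return [ipaddress.ip_network(indicator.strip(), strict=False)]


def aggregate_ipv4(inputs):
    """inputs: {source_node_name: [ipv4 indicators]}.
    Returns the CIDR blocks an IPv4 aggregator would still send downstream:
    every blocked block minus every block contributed by a wl* source."""
    blocked, allowed = [], []
    for source, indicators in inputs.items():
        bucket = allowed if is_whitelist_source(source) else blocked
        for ind in indicators:
            bucket.extend(_to_networks(ind))
    survivors = []
    for net in blocked:
        remaining = [net]
        for wl in allowed:
            nxt = []
            for r in remaining:
                if not r.overlaps(wl):
                    nxt.append(r)
                elif wl.supernet_of(r):      # whitelist covers it entirely: drop
                    continue
                else:                        # whitelist sits inside r: punch a hole
                    nxt.extend(r.address_exclude(wl))
            remaining = nxt
        survivors.extend(remaining)
    return [str(n) for n in sorted(ipaddress.collapse_addresses(survivors))]


def aggregate_exact(inputs):
    """Domain/URL style aggregation: the whitelist removes exact matches only."""
    blocked, allowed = set(), set()
    for source, indicators in inputs.items():
        (allowed if is_whitelist_source(source) else blocked).update(indicators)
    return sorted(blocked - allowed)


def check_whitelist_wiring(config):
    """Hypothetical config check: flag static lists that cannot act as a
    whitelist because of prefix case, or because no aggregator lists them
    as an INPUT (a whitelist wired only to a feed node whitelists nothing)."""
    nodes = config["nodes"]
    aggregators = [n for n, d in nodes.items()
                   if d.get("prototype", "").startswith("stdlib.aggregator")]
    problems = []
    for name, d in nodes.items():
        if not d.get("prototype", "").startswith("stdlib.list"):
            continue                         # only static list miners here
        if name.lower().startswith("wl") and not name.startswith("wl"):
            problems.append(f"{name}: prefix must be lowercase 'wl' to act as a whitelist")
        elif name.startswith("wl"):
            if not any(name in nodes[a].get("inputs", []) for a in aggregators):
                problems.append(f"{name}: not an INPUT of any aggregator, so it whitelists nothing")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not real threat intel.
    feeds = {
        "dshield_blocklist": ["10.0.0.0/24", "192.0.2.7"],
        "wlCorp": ["10.0.0.128/25"],         # carves the upper half out of 10.0.0.0/24
        "WLignored": ["192.0.2.7"],          # uppercase prefix: NOT a whitelist
    }
    print(aggregate_ipv4(feeds))
    print(aggregate_exact({"domains": ["evil.example", "good.example"],
                           "wlDomains": ["good.example"]}))
    cfg = {"nodes": {
        "wlCorp": {"prototype": "stdlib.listIPv4Generic", "inputs": [], "output": True},
        "wlOrphan": {"prototype": "stdlib.listIPv4Generic", "inputs": [], "output": True},
        "inboundaggregator": {"prototype": "stdlib.aggregatorIPv4Inbound",
                              "inputs": ["dshield_blocklist", "wlCorp"], "output": True},
    }}
    print(check_whitelist_wiring(cfg))
```

Running the script shows that 10.0.0.0/24 shrinks to 10.0.0.0/25 once wlCorp is an input, that 192.0.2.7 survives because "WLignored" is not a whitelist name, and that wlOrphan is reported as unwired. If a whitelisted indicator keeps appearing in a feed, those two conditions (lowercase prefix, and the wl node listed under the aggregator's INPUTS) are the first things to check.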

 

Comments
by claudec
on ‎08-11-2016 08:33 AM

What is the significance of the indicator "share level" in this example? Does "red" impact the ability of the processor node to share it with numerous output nodes?

by lmori
on ‎08-12-2016 07:47 AM

Hi Claudec,

technically share_level is just an additional attribute of indicators. You can use share_level to tag indicators that should be kept confidential and not shared with others. Enforcement of share_level can be done using node input filters. Example: feedHCGreen prototype accepts only indicators with share_level green. Ref: https://github.com/PaloAltoNetworks/minemeld-node-prototypes/blob/master/prototypes/stdlib.yml#L244

by spssspss
on ‎05-19-2017 07:40 AM

Is it possible to create a white list from an IPs address file?

by lmori
on ‎05-26-2017 05:41 AM

Hi @spssspss, that's possible. Would you mind opening a new discussion under MineMeld Discussions? I will give you full details there. Thanks!

by danilo.souza
on ‎03-12-2018 07:33 AM

Hi,

I'm dealing with a problem in whitelists.

Following the steps described here, no matter how long I wait, the IP inserted in my wlWhiteList node is never excluded from the IP list in the feed node.

 

The same occurs for domains. I have a node called wlDomain. The domain is never removed from the list in my feed node. I don't know if it is a problem with the aggregator or the miner.

 

I noted that the whitelist miner for domains doesn't have the "Direction" field. Is it ok?

 

Thank you

by ch199soprano
2 weeks ago

Hello,

danilo.souza I am also experiencing the same thing as you. No matter the wl miner I create, the IPs included are still being picked up by the inboundfeedhc and sent to my firewall. I have tried various wl miners and different directions (or no direction). I have my new miner added to the inboundaggregator and waited for over a day. When I check my EDL on the firewall the IPs in question are still present, because they are still present in the Output node.

 

Did you ever figure this out or get an answer? I know I am late to the party, but I just stood MineMeld up last week.

 

Thanks. 

 

CH

by danilo.souza
2 weeks ago

Hi @ch199soprano

 

Unfortunately not. I "whitelisted" the IP through Panorama. You have the option to create exceptions there (Objects->External Dynamic Lists->"Your List"->List Entries and Exceptions).

 

But it is not instantaneous. This can take up to one hour (the interval of time the Firewall takes to accomplish the autocommit).

 

Best Regards

by ch199soprano
2 weeks ago

Thanks, I will keep at it. Unfortunately we are not using Panorama, so I would have to commit exceptions on the firewall, which sort of takes away from the whole MineMeld setup. Thanks for the response.

 

CH
