on 02-05-2016 05:12 AM - edited on 09-09-2019 10:03 AM by Retired Member
MineMeld aggregator nodes support whitelists. If an indicator is on a whitelist, the aggregator nodes will not send matching indicators to downstream nodes. Whitelists can also be shared by multiple aggregators.
Aggregator nodes created using stdlib prototypes (stdlib.aggregatorDomain, stdlib.aggregatorURL, stdlib.aggregatorIPv4Generic, stdlib.aggregatorIPv4Outbound, stdlib.aggregatorIPv4Inbound) will whitelist indicators generated by Miner nodes whose name starts with the prefix wl (lowercase).
In the following example, a whitelist Miner will be created for an IPv4 aggregator node.
In CONFIG, click + to add a new node. Specify a name starting with "wl" and select stdlib.listIPv4Generic as prototype. Enable Output and then press OK.
In CONFIG, click on the INPUTS field of the selected aggregator. In the dialog add the new whitelist node to the list of INPUTS.
Just press COMMIT in the CONFIG page.
In NODES, click on the new whitelist node and select INDICATORS in the menu on the left.
Click + to add new indicators. Pressing OK will automatically save the indicator and the list. It could take up to 1 minute for the new indicator to be pushed downstream to the aggregator node.
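To make the rule above concrete, here is a small Python model of what an IPv4 aggregator does with a whitelist input. It is an added example, not MineMeld's own code: it treats every input node whose name starts with wl as a whitelist and carves those address ranges out of the indicators received from the other inputs. The node names, the sample indicators and the split-around-the-whitelisted-block behaviour are assumptions for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Assumption for this example: mirrors the stdlib aggregator convention that
# inputs coming from Miner nodes named "wl..." (lowercase) are whitelists.
WHITELIST_PREFIX = "wl"

def is_whitelist_source(node_name: str) -> bool:
    """True when a node name marks its indicators as a whitelist."""
    return node_name.startswith(WHITELIST_PREFIX)

def subtract_network(net, wl):
    """Remove whitelisted block wl from net. CIDR blocks are either nested or
    disjoint: net fully covered -> drop it; wl inside net -> split net around
    it; no overlap -> keep net untouched."""
    if net.subnet_of(wl):
        return []
    if wl.subnet_of(net):
        return list(net.address_exclude(wl))
    return [net]

def aggregate_ipv4(inputs: Dict[str, Iterable[str]]) -> List[str]:
    """Model of an IPv4 aggregator with whitelist support: inputs maps an
    upstream node name to the IPv4 indicators (addresses or CIDR blocks) it
    emits. Returns the blocks that would be pushed downstream, i.e. every
    non-whitelist indicator minus every block received from a wl* node."""
    whitelist, indicators = [], []
    for node, entries in inputs.items():
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
        (whitelist if is_whitelist_source(node) else indicators).extend(nets)
    remaining = []
    for net in ipaddress.collapse_addresses(indicators):  # merge overlaps first
        pieces = [net]
        for wl in whitelist:
            pieces = [p for piece in pieces for p in subtract_network(piece, wl)]
        remaining.extend(pieces)
    return [str(n) for n in sorted(remaining)]

if __name__ == "__main__":
    # Constructed sample: one feed plus one wl miner, as in the walkthrough.
    sample = {
        "ipv4feed": ["10.1.0.0/16", "192.0.2.5", "203.0.113.0/24"],
        "wlIPv4": ["10.1.2.0/24", "192.0.2.5"],
    }
    print("\n".join(aggregate_ipv4(sample)))
```

Note that a single broad whitelist entry such as 10.0.0.0/8 removes every indicator inside it, which is why what goes into a wl miner deserves review.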
Hi Claudec,
technically share_level is just an additional attribute of indicators. You can use share_level to tag indicators that should be kept confidential and not shared with others. Enforcement of share_level can be done using node input filters. Example: feedHCGreen prototype accepts only indicators with share_level green. Ref: https://github.com/PaloAltoNetworks/minemeld-node-prototypes/blob/master/prototypes/stdlib.yml#L244
Hi,
I'm dealing with a problem in whitelists.
Following the steps described here, no matter how long I wait, the IP inserted in my wlWhiteList node is never excluded from the IP list in the feed node.
The same occurs for domains. I have a node called wlDomain. The domain is never removed from the list in my feed node. I don't know if it is a problem with the aggregator or the miner.
I noted that the whitelist miner for domains doesn't have the field "Direction". Is it ok?
Thank you
Hello,
danilo.souza, I am also experiencing the same thing as you. No matter the wl miner I create, the IPs included are still being picked up by the inboundfeedhc and sent to my firewall. I have tried various wl miners and different directions (or no direction). I have my new miner added to the inboundaggregator and waited for over a day. When I check my EDL on the firewall the IPs in question are still present, because they are still present in the Output node.
Did you ever figure this out or get an answer? I know I am late to the party, but I just stood MineMeld up last week.
Thanks.
CH
Unfortunately not. I "whitelisted" the IP through Panorama. You have the option to create exceptions there (Objects->External Dynamic Lists->"Your List"->List Entries and Exceptions).
But it is not instantaneous. This can take up to one hour (the interval of time the firewall takes to accomplish the autocommit).
Best Regards
Thanks, I will keep at it. Unfortunately we are not using Panorama, so I would have to commit exceptions on the firewall, which sort of takes away from the whole MineMeld setup. Thanks for the response.
CH
Hi,
Is there a way to use a whitelist for the opposite purpose, I mean to add indicators to an output?
Best Regards,
Adélio Moreira
I would like to know this as well. It appears that the wl - indication works exactly opposite of what you would expect in this scenario?
Does anyone have any experience with or know whether it's possible to limit the size of subnets that could be added?
For instance, if someone were to try to add 10.0.0.0/8 -- is there anything that could be done to prevent that?