Quick tour of MineMeld default config

by lmori on ‎02-03-2016 02:26 AM (49,255 Views)

The default config installed by the MineMeld loader is really simple, and can be seen in the following graph.

Screen Shot 2016-02-03 at 11.14.37.png

 

The 3 green nodes on the left are called Miners. They are responsible for periodically retrieving indicators from 3 different feeds and pushing them downstream to the connected nodes using update messages. Miners are also responsible for aging out indicators: when an indicator disappears from the original feed, or is otherwise considered dead, the corresponding Miner instructs the downstream nodes to remove it via a withdraw message.

 

The central red node is a Processor node. In this specific configuration the processor is an IPv4 aggregator: it aggregates the IPv4 indicators received from the 3 Miners and sends the aggregated indicators downstream.

 

The 3 yellow nodes on the right are Output nodes. These nodes receive indicators from the processor node and transform them into a format that can be directly consumed by external entities. In the default config the 3 output nodes translate the indicators received from the aggregator node into a format that can be consumed by the PAN-OS Dynamic Block List feature. All 3 output nodes in this graph receive the same set of indicators from the aggregator node, but each stores a different subset of them based on its configured input filter: inboundfeedhc accepts only indicators with confidence level > 75, inboundfeedmc only indicators with confidence level < 75 and > 50, and inboundfeedlc only indicators with confidence level < 50. These subsets are stored in 3 different DBLs that can be used in different ways inside the PAN-OS configuration.
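The following is an added example, not code from the article or from the MineMeld project, that models the flow just described: three miners emit update and withdraw messages, an aggregator merges what they assert, and the three output nodes keep the indicators matching their confidence filter and render them one entry per line, the form a PAN-OS IP list consumes. The miner and indicator values are constructed, and the rule that an indicator's aggregated confidence is the highest any miner gives it is an assumption of this example. The thresholds are applied exactly as the article states them, which leaves confidence values of exactly 50 and 75 unassigned; the example reports those as unrouted so the gap is visible rather than silently dropped.

```python
"""Toy model of the MineMeld default graph: miners -> IPv4 aggregator -> 3 outputs.

All node names and indicator values are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    kind: str          # "update" or "withdraw"
    indicator: str     # IPv4 address or CIDR network, as a string
    source: str        # name of the miner that emitted the message
    confidence: int = 0


class Aggregator:
    """Tracks, per indicator, which miners currently assert it and at what confidence."""

    def __init__(self):
        self.table = {}   # indicator -> {miner name: confidence}

    def handle(self, msg):
        if msg.kind == "update":
            self.table.setdefault(msg.indicator, {})[msg.source] = msg.confidence
        elif msg.kind == "withdraw":
            # A withdraw only removes that miner's assertion; the indicator
            # disappears once no miner asserts it any more.
            sources = self.table.get(msg.indicator, {})
            sources.pop(msg.source, None)
            if not sources:
                self.table.pop(msg.indicator, None)
        else:
            raise ValueError(f"unknown message kind {msg.kind!r}")

    def current(self):
        # Assumption: the aggregated confidence is the highest one any miner reports.
        return {ind: max(srcs.values()) for ind, srcs in self.table.items()}


def route(confidence):
    """Pick the output node whose input filter matches, using the article's thresholds literally."""
    if confidence > 75:
        return "inboundfeedhc"
    if 50 < confidence < 75:
        return "inboundfeedmc"
    if confidence < 50:
        return "inboundfeedlc"
    return None   # exactly 50 or 75: none of the three filters as written matches


def build_feeds(aggregated):
    feeds = {"inboundfeedhc": [], "inboundfeedmc": [], "inboundfeedlc": [], "unrouted": []}
    for indicator, confidence in aggregated.items():
        feeds[route(confidence) or "unrouted"].append(indicator)
    # Sort numerically so the rendered list is stable between runs.
    return {name: sorted(entries, key=lambda s: ipaddress.ip_network(s, strict=False))
            for name, entries in feeds.items()}


def render_edl(entries):
    """PAN-OS IP list format: one address or CIDR per line."""
    return "".join(f"{e}\n" for e in entries)


SAMPLE_MESSAGES = [  # constructed sample traffic between the nodes
    Message("update", "198.51.100.7", "miner1", 90),
    Message("update", "203.0.113.0/24", "miner2", 60),
    Message("update", "192.0.2.44", "miner3", 30),
    Message("update", "198.51.100.7", "miner2", 40),    # same indicator, lower confidence
    Message("update", "192.0.2.99", "miner1", 75),      # sits exactly on a filter boundary
    Message("withdraw", "203.0.113.0/24", "miner2"),    # the feed aged the range out
]


def run(messages=SAMPLE_MESSAGES):
    agg = Aggregator()
    for m in messages:
        agg.handle(m)
    return build_feeds(agg.current())


if __name__ == "__main__":
    for name, entries in run().items():
        print(f"== {name} ==")
        print(render_edl(entries), end="")
```

Running it shows 198.51.100.7 landing in inboundfeedhc at confidence 90 despite the second miner's lower score, the withdrawn /24 absent from every feed, and 192.0.2.99 reported as unrouted because a confidence of exactly 75 satisfies neither "> 75" nor "< 75".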

 

1. Login

Default credentials are admin / minemeld

login.png


2. Dashboard

The dashboard page can be used to check the overall status of the MineMeld processing engine.

dashboard.png

 

In the first row you can find the number of active nodes per type, the current total number of indicators stored inside the graph and a historical chart of the total number of indicators. The second row is dedicated to Miners: the first panel reports the total number of indicators stored in the miner nodes, and the number of indicators that have been added and aged out since engine start. The historical chart on the right represents the number of indicators added and aged out by the miner nodes over the last period of time. The third row reports the same statistics as the second row, but for Outputs.

 

3. Nodes

The nodes view reports the status of every single active node of the graph.

nodes.png

 

4. Node status

Clicking on a node in the Nodes view shows the details of the node's configuration,

nodedetail-info.png

 

the historical charts of the node's metrics,

nodedetail-stats.png

 

and the connected graph the node lives in.

Screen Shot 2016-02-03 at 11.12.37.png

 

5. Nodes and prototypes

Nodes are created using libraries of prototypes. Each prototype defines the type of node and its configuration.

To check the details of a prototype, just click on a node in the Nodes view and move the pointer over the prototype field.

prototype.png

 

Clicking on the prototype name shows all the details about that prototype.

prototype-detail.png

 

6. PAN-OS External Dynamic Lists

To use MineMeld feeds with PAN-OS External Dynamic Lists (named Dynamic Block Lists before PAN-OS 7.1), select the output node responsible for the feed in the Nodes view and copy the FEED BASE URL.

 

outputfeed.png

 

In PAN-OS, under Object > External Dynamic Lists (or Object > Dynamic Block Lists in PAN-OS before 7.1), define a new list using the output node URL.

dbl.png

 

7. Whitelist indicators

To whitelist a network, range or a single IPv4 address, click on wlWhiteListIPv4 under Nodes and select the INDICATORS option on the left. This list of indicators is treated as a whitelist by the aggregator.

 

To add a new indicator, click on + and specify the IPv4 indicator. Changes are saved automatically when you press OK.

Screen Shot 2016-02-03 at 11.24.32.png
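As an added example (not code from the article or from MineMeld itself), the block below shows how whitelist entries of the three kinds the section names, a network, a range or a single IPv4 address, can be normalised to IPv4 networks and checked against incoming indicators. The entries and indicators are constructed, and the rule that an indicator is suppressed as soon as it overlaps any whitelisted network is an assumption of this example, not a statement about how the aggregator itself evaluates the list.

```python
"""Whitelist matching for IPv4 indicators: network, range or single address entries.

Sample entries and indicators are constructed for this example.
"""
import ipaddress


def parse_whitelist_entry(entry):
    """Return the IPv4Network objects covering one whitelist entry."""
    entry = entry.strip()
    if "-" in entry:
        # Range "a-b": summarize into the minimal set of CIDR networks.
        start, end = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if end < start:
            raise ValueError(f"range end before start: {entry!r}")
        return list(ipaddress.summarize_address_range(start, end))
    # A CIDR network, or a bare address (treated as /32).
    # strict=False tolerates host bits set in the network part.
    return [ipaddress.IPv4Network(entry, strict=False)]


def load_whitelist(entries):
    nets = []
    for e in entries:
        nets.extend(parse_whitelist_entry(e))
    return nets


def is_whitelisted(indicator, whitelist):
    # Assumption: any overlap with a whitelisted network suppresses the indicator.
    target = ipaddress.IPv4Network(indicator, strict=False)
    return any(target.overlaps(net) for net in whitelist)


def apply_whitelist(indicators, whitelist):
    """Split indicators into (kept, dropped) according to the whitelist."""
    kept, dropped = [], []
    for ind in indicators:
        (dropped if is_whitelisted(ind, whitelist) else kept).append(ind)
    return kept, dropped


WHITELIST_ENTRIES = [            # constructed: one of each entry kind
    "10.0.0.0/8",                # network
    "192.0.2.10-192.0.2.20",     # range
    "198.51.100.7",              # single address
]

INDICATORS = [                   # constructed indicators arriving at the aggregator
    "10.20.30.40",               # inside the /8
    "192.0.2.15",                # inside the range
    "192.0.2.21",                # just past the range end
    "198.51.100.7",              # exact single-address match
    "198.51.100.0/24",           # a range that contains a whitelisted address
    "203.0.113.5",               # unrelated
]


def run(indicators=INDICATORS, entries=WHITELIST_ENTRIES):
    return apply_whitelist(indicators, load_whitelist(entries))


if __name__ == "__main__":
    kept, dropped = run()
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The range entry is worth a look: 192.0.2.10-192.0.2.20 is not a single CIDR block, so it expands to four networks, and an indicator such as 192.0.2.21 that lies one address past the end is correctly kept.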


Comments
by darrylt
on ‎05-04-2016 03:13 PM

Can anyone explain SHARE LEVEL and the corresponding colors? I have searched it in this forum but have not found an explanation.

 

Thanks

by lmori
on ‎05-04-2016 11:46 PM