DAGPusher and DAG

L3 Networker

DAGPusher and DAG

Luigi,

Can you confirm that the DAGPusher name should match the tag for the DAG in PAN-OS? I can't get the DAG updated with MineMeld indicators.

Thanks

Bertrand

L7 Applicator

Re: DAGPusher and DAG

Hi Bertrand,

there is no relationship between the dagPusher name and the DAG on PAN-OS.

Could you check with "show object registered-ip all"?

Should be something like:

admin@PA-VM-Minemeld> show object registered-ip all

registered IP                             Tags
----------------------------------------  -----------------
<IP edited> #
                                         "mmld_confidence_high"
                                         "mmld_direction_unknown"
                                         "mmld_pushed"
[...]

NOTE: only unicast IPs will be pushed, as the DAG API only supports unicast IPs.

L3 Networker

Re: DAGPusher and DAG

Luigi,

I got no output from the command. I suspect a problem in the DagPusher connection to the firewall. What is the best course to troubleshoot whether the handled device is correctly connected from MineMeld?

Thanks

Bertrand

L7 Applicator

Re: DAGPusher and DAG

You should check /opt/minemeld/logs/minemeld-engine.log file for errors.

L3 Networker

Re: DAGPusher and DAG

Luigi,

I tried with the following (as Office365 is still experimental):

Miner: malwaredomainlist.ip

Aggregator: stdlib.aggregatorIPv4Generic

And dagPusher as the Output.

I didn't get any result when viewing objects on the PA devices, and I got the attached screenshots, which make me feel the dagPusher is receiving indicators but not processing them.

There is no error in the minemeld-engine.log.

Regards,

Bertrand

L7 Applicator

Re: DAGPusher and DAG

Hi Bertrand,

if you see updates and 0 indicators it means indicators have been discarded.

Aggregator generates IPv4 ranges; in this case you may want to remove it from the chain and directly connect the malwaredomainlist.ip miner to dagpusher.

I will improve the dagPusher to keep a metric about discarded indicators and improve the check on unicast IPs.

Thanks,

Luigi

L3 Networker

Re: DAGPusher and DAG

Thanks Luigi,

Understood and it works much better. Very good job by the way.

Cheers,

B.

L7 Applicator

Re: DAGPusher and DAG

Thanks, next minor release should have a more flexible dag pusher node. You will be able to use an IPv4 Aggregator as upstream node.


Luigi

L4 Transporter

Re: DAGPusher and DAG

Can the tags be modified somewhere? I want a tag for each input my DAGPusher is sending, unless there is another way to create multiple pushed DAGs on the firewall.

For instance, those with the tag O365 get the DAG name O365 and end up with a firewall ACL that is an allow. Other blacklist inputs go into a "verybadIP" list and get a drop-traffic-action ACL.

104.214.35.244 #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"
"mmld_o365ip"

1.1.1.1 #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"
"mmld_verybadIP"

L7 Applicator

Re: DAGPusher and DAG

Hi bspilde,

that is definitely possible. Solution:

- go to CONFIG and click on the browse prototypes button
- search for the stdlib.dagPusher prototype and click on it
- click on the NEW button to create a new prototype based on that
- in the config section define the tag_prefix property, like in the picture below
- click OK
- and then create a new node based on this new prototype

When using this new prototype all the tags have the prefix "badipbad_" and you can filter on "badipbad_pushed" to collect all the IPs pushed by this new node. Tags will look like:

1.1.1.1 #
"badipbad_confidence_high"
"badipbad_direction_unknown"
"badipbad_pushed"
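The thread describes two things a defender wants to check on the firewall side: which indicators the dagPusher will actually register (single unicast IPv4 addresses only, so aggregator ranges are discarded) and how the tag_prefix setting lets a DAG match one node's pushes. The following Python is an added example, not MineMeld's own code: it models that filter and tag scheme (the confidence thresholds are an assumption) and parses constructed "show object registered-ip all" output so you can verify which IPs a DAG filtering on a given tag would contain.

```python
import ipaddress
import re

# Constructed sample in the shape of "show object registered-ip all" output.
# Addresses are made up; tag names follow the ones shown in the thread.
SAMPLE_CLI = """registered IP                             Tags
----------------------------------------  -----------------
104.214.35.244 #
                                         "mmld_confidence_high"
                                         "mmld_direction_unknown"
                                         "mmld_pushed"
                                         "mmld_o365ip"
1.1.1.1 #
                                         "badipbad_confidence_high"
                                         "badipbad_direction_unknown"
                                         "badipbad_pushed"
"""

def is_pushable(indicator: str) -> bool:
    """Model of the filter described in the thread: only a single unicast
    IPv4 address is registered; ranges (aggregator output) and
    multicast/broadcast/reserved addresses are discarded."""
    if "-" in indicator or "/" in indicator:  # e.g. 1.2.3.0-1.2.3.255 or 1.2.3.0/24
        return False
    try:
        ip = ipaddress.IPv4Address(indicator)
    except ipaddress.AddressValueError:
        return False
    return not (ip.is_multicast or ip.is_reserved or ip.is_unspecified
                or ip == ipaddress.IPv4Address("255.255.255.255"))

def dag_tags(confidence: int, direction: str, prefix: str = "mmld_") -> set:
    """Tags registered for one indicator; the prefix is the tag_prefix
    property from the thread. Confidence thresholds are an assumption."""
    level = "high" if confidence >= 75 else "medium" if confidence >= 50 else "low"
    return {f"{prefix}confidence_{level}", f"{prefix}direction_{direction}",
            f"{prefix}pushed"}

def parse_registered_ip(text: str) -> dict:
    """Parse 'show object registered-ip all' output into {ip: set(tags)}."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*#", line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        t = re.match(r'^\s*"([^"]+)"\s*$', line)
        if t and current:
            result[current].add(t.group(1))
    return result

def ips_with_tag(registered: dict, tag: str) -> list:
    """IPs a DAG whose match criterion is 'tag' would contain."""
    return sorted(ip for ip, tags in registered.items() if tag in tags)
```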
