Disabling Indicator Expiration

L2 Linker

@lmori, thank you for your help so far.

I am migrating my data to the "stdlib.localDB" miner, per your suggestion here.

I have two questions now:

First, I noticed that the default expiration for indicators added to this miner is just one day. How can I change this to one year? What about disabling expiration by default?

Second, I am trying to push indicators to this new miner via JSON (this would be irrelevant if you can answer my first question).
I tried to set ttl = -1 to disable expiration, but that didn't work. Since 0 deletes the indicator, not sure what to use here.
How can I disable expiration for these indicators through the API call?


curl -XPOST -H "Content-Type: application/json" -u admin:<omitted> "http://localhost/config/data/feed_any_indicators/append?h=feed_any&t=localdb" -d '
[
    {
        "indicator": "219.101.37.81",
        "type": "IPv4",
        "comment": "Win32.Conficker.Cp2p",
        "share_level": "green",
        "Confidence": 100,
        "ttl": -1
    },
    {
        "indicator": "82.188.123.234",
        "type": "IPv4",
        "comment": "Win32.Conficker.Cp2p",
        "share_level": "green",
        "Confidence": 100,
        "ttl": -1
    }
]'


FYI, the command is working. When I remove the ttl field, the miner is added and the expiration is set to 24 hours.

L7 Applicator

Re: Disabling Indicator Expiration

Hi @alyssonalmeida,

With ttl: -1 you are removing the indicator. You can use this to disable expiration:

{
[...]
    "ttl": "disabled"
}

Or you can create a new prototype based on stdlib.localDB and set the expiration to disabled by default:

age_out:
    sudden_death: true
    default: null

L0 Member

Re: Disabling Indicator Expiration

How do you enable the ttl after it has been disabled?

I tried setting the ttl: -1, ttl: 0, ttl: enable, and ttl: enabled, but it still shows disabled when I look at the node indicator table in MineMeld.

Thanks.

L7 Applicator

Re: Disabling Indicator Expiration

Hi @lkrous,

You can do that by setting a valid ttl. The countdown to expiration will start from the update time.

{
    "indicator": "8.8.8.8",
    "type": "IPv4",
    "comment": "usual Google DNS Public IP",
    "share_level": "green",
    "confidence": 100,
    "ttl": 3600
}
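
Added example, not part of the original thread and not MineMeld's own code: a Python helper that builds the append request from the first post with either "ttl": "disabled" or a positive ttl, and refuses the values the thread reports as removing the indicator (0 and -1). The function names, the host `minemeld.example`, the assumption that ttl is in seconds, and the URL pattern generalised from the single curl command above are all assumptions.

```python
import base64
import json
import urllib.request

ONE_YEAR = 365 * 24 * 3600  # assumption: ttl is expressed in seconds

def normalize_ttl(ttl):
    """Return a ttl the thread reports as safe: "disabled" or a positive integer."""
    if ttl == "disabled":
        return "disabled"
    # bool is a subclass of int, so reject it explicitly
    if isinstance(ttl, bool) or not isinstance(ttl, int):
        raise ValueError(f"unsupported ttl {ttl!r}")
    if ttl <= 0:
        # per the thread, 0 and -1 remove the indicator instead of pinning it
        raise ValueError(f"ttl {ttl} would remove the indicator")
    return ttl

def build_payload(indicators, ttl, comment="", share_level="green", confidence=100):
    """Build the JSON list for the append call from (indicator, type) pairs."""
    ttl = normalize_ttl(ttl)
    return [
        {"indicator": ind, "type": typ, "comment": comment,
         "share_level": share_level, "confidence": confidence, "ttl": ttl}
        for ind, typ in indicators
    ]

def build_request(base_url, feed, user, password, payload):
    """Prepare (but do not send) the POST issued by the curl command in the thread."""
    # Assumption: the data file is named <node>_indicators, as in the one URL shown.
    url = f"{base_url}/config/data/{feed}_indicators/append?h={feed}&t=localdb"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})

if __name__ == "__main__":
    # Constructed sample: documentation-range address, placeholder credentials.
    pinned = build_payload([("192.0.2.10", "IPv4")], "disabled",
                           comment="constructed sample")
    req = build_request("https://minemeld.example", "feed_any",
                        "admin", "<password>", pinned)
    print(req.full_url)
    print(json.dumps(pinned, indent=2))
    # urllib.request.urlopen(req) would send the request.
```

Calling `build_payload` again for the same indicator with a positive ttl such as `ONE_YEAR` gives the update that, per the last reply, restarts the countdown from the update time.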