Hi Luigi, this is in reference to ticket 00632153. Two issues here:
1. While attempting to work on issue #2, I noticed that I am getting an "engine fatal" error in Minemeld. Version is 9.34. Have restarted engine, but the issue is still there.
2. I would like to build a custom exclusion for the below Amazon IP list so that addresses are dynamically updated and can be allowed by Minemeld and an access rule in our Palo Alto that points to it. Is this possible in 9.3.4 or do I need an upgrade?
Article you wrote about how to do this. Want to make sure that this is still the best way to do this?
thanks for all your help!
there is a builtin prototype to monitor that URL already, it's called aws.AMAZON. There are many ways you can use this Miner, following are the 2 most common use cases:
1. Direct EDL for PAN-OS
If you want to create a feed for those AMAZON IP ranges, you can go in CONFIG > IMPORT, paste the following snippet and then press APPEND (and COMMIT :-)). You can then point PAN-OS EDL to https://<minemeld>/feeds/feedAmazonIPs.
```yaml
nodes:
  amazonIPs:
    inputs: []
    output: true
    prototype: aws.AMAZON
  feedAmazonIPs:
    inputs:
      - amazonIPs
    output: false
    prototype: stdlib.feedHCGreenWithValue
```
2. WHITELIST in MINEMELD
If instead you would like to use those IP Ranges for whitelisting indicators directly on MineMeld you can use the following snippet:
```yaml
nodes:
  wlAmazonIPs:
    inputs: []
    output: true
    prototype: aws.AMAZON
```
This will create a Miner for AMAZON IPs that you can connect to IPv4 aggregators to automatically remove Amazon IPs from the feeds. The trick here is the "wl" prefix in the name of the Miner. Aggregators treat as whitelist all the indicators coming from Miners whose names start with wl. See the example graph below: aggregatorIPv4 automatically removes indicators sent by ransomwaretacker_RW_IPBL that overlap the ranges coming from wlAmazonIPs.
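The whitelisting rule described in the answer above (a Miner named with a "wl" prefix is treated as a whitelist, and indicators from the other Miners that fall inside its ranges are dropped by the aggregator) can be modelled in a few lines. The snippet below is an added illustration and not MineMeld's own code: the Miner names, the `SAMPLE_MINERS` input (built from RFC 5737 documentation ranges) and the overlap rule are constructed for the example, so use it only to understand the behaviour, not as a reference for what the real aggregator does internally.

```python
"""Simplified model of how an IPv4 aggregator handles "wl"-prefixed Miners.

Added example, not MineMeld code. A Miner whose name starts with "wl" is
treated as a whitelist; any indicator from the other Miners that overlaps one
of the whitelisted ranges is removed from the aggregator's output.
"""
import ipaddress

# Constructed sample input keyed by node name: one threat feed Miner and one
# whitelist Miner. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_MINERS = {
    "ransomwaretracker_RW_IPBL": ["192.0.2.10", "198.51.100.7", "203.0.113.64/26"],
    "wlAmazonIPs": ["192.0.2.0/24", "203.0.113.0/25"],
}

WHITELIST_PREFIX = "wl"  # naming convention the aggregator keys on


def split_miners(miners):
    """Separate Miners into whitelist networks and (source, indicator) pairs."""
    whitelist = []
    indicators = []
    for name, entries in miners.items():
        # strict=False tolerates host bits set in a CIDR entry
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
        if name.startswith(WHITELIST_PREFIX):
            whitelist.extend(nets)
        else:
            indicators.extend((name, n) for n in nets)
    return whitelist, indicators


def aggregate(miners):
    """Return the indicators that survive whitelisting, as CIDR strings."""
    whitelist, indicators = split_miners(miners)
    kept = []
    for source, net in indicators:
        # Only compare networks of the same IP version; overlaps() covers both
        # "indicator inside whitelist range" and partial overlap.
        if any(net.version == wl.version and net.overlaps(wl) for wl in whitelist):
            continue  # overlaps a wl* Miner range: drop it
        kept.append(str(net))
    return kept


if __name__ == "__main__":
    for indicator in aggregate(SAMPLE_MINERS):
        print(indicator)
```

Running it keeps only 198.51.100.7/32: the single address inside 192.0.2.0/24 and the /26 inside 203.0.113.0/25 are both removed, which is the effect the wlAmazonIPs Miner has on ransomwaretracker_RW_IPBL in the graph.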
Hi Luigi, thanks for your input.
1. I am still getting "engine-fatal" issue in Minemeld?
2. What is the preferred method of the two? Currently we are using minemeld by having a DENY access-list that points to "Emerging threats feed", "high confidence feed", etc. Should I be creating a second access-list that is a PERMIT list that points to the url of our minemeld server?