I've been experimenting with MineMeld and have to say I love it so far.
I was browsing the list of feeds and looked at the ProofPoint ET Pro feed and I wondered if anyone knows how this feed works?
I got pricing and it's quite reasonable, but I'm not 100% clear how it integrates and can be integrated with Palo Alto. Does anyone know?
I'd be interested in any views on the most effective inbound blocklists.
I have added a couple of custom Proofpoint feeds that are free and keep forgetting to send them to Luigi to integrate into the product. I can't speak for what might be different between the free and paid versions.
Currently (0.9.18) there are 2 feeds provided by ProofPoint ET:
- Emerging Threats Compromised List
- Emerging Threats FW Block List
Each of them is covered by a prototype, proofpoint.EmergingThreatsDomains and proofpoint.EmergingThreatsIPs.
Inside the feeds, each indicator (IP or domain) has a list of categories associated with it.
When you create a Miner based on one of the ProofPoint prototypes, you can specify the Auth Code provided by ProofPoint and the list of categories you are interested in.
You can create multiple Miners, and each of them can have different categories. This way you can have different feeds for inbound and outbound IP addresses.
ProofPoint can easily provide best practices about using their feeds for blocking or preventing attacks.
Please, let me know if you need additional details.
Thanks. One concern/query I do have is how people are using MineMeld given there seems to be a total of 50,000 entries maximum across all EBLs?
I don't know the count on the ProofPoint feed for example but I could imagine things being quite large.
Also (and I'm hoping to speak to ProofPoint) does anyone know if there is masses more on their commercial feed than the open source one?
I ask as I believe the ET Pro subscription includes a ton of Suricata/Snort rules which we cannot use with our PAN, so essentially the only piece we'd be using is the EBL content via MineMeld.
The ProofPoint ET Intelligence delivers feeds with much more context than what is available in the open source one. Let me know if you need a contact in PP, I'd be happy to help.
There are 2 things you can do to cope with the EDL max number of entries:
- You can limit the number of entries downloaded from the MM feed by attaching the 'n' parameter to the URL. For example, if the feed is published as https://<minemeld>/feeds/IPfeed, you can download only 10000 elements by using https://<minemeld>/feeds/IPfeed?n=10000
- By default, MineMeld output feeds are sorted using the "most recent" criteria. This means that when you download the first 10000 elements, you are downloading the 10000 most recent elements added to the feed. The sorting attribute can be changed by changing the prototype of the feed.
Please note that starting from 7.1, you have a max of 50000 (150000 on PA5K and PA7K) IPs in an EDL and a max of 50000 for URLs+Domains. Ref: https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Videos/PAN-OS-7-1-URL-Filtering-Dynamic-Block-List-E...
Hope this helps.
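As an added illustration of the two points in the answer above (this is example code written for this page, not MineMeld's own code and not from the original post): a small script that appends the `n` parameter to a MineMeld feed URL, parses the one-indicator-per-line text output, and checks the count against the PAN-OS 7.1 EDL limits quoted above. The platform keys ("default", "pa-5000", "pa-7000"), the treatment of blank and `#` lines as non-indicators, and the host name `minemeld.example` are assumptions made for the example; the actual fetch is only performed when the script is run directly, so everything else works offline on the constructed sample feed.

```python
"""Trim a MineMeld output feed with ?n=<N> and check it against a PAN-OS EDL limit."""
import urllib.parse
import urllib.request

# EDL capacities stated in the answer above for PAN-OS 7.1.
# Platform keys are an assumption for this example; map your model as appropriate.
EDL_LIMITS = {
    "ip": {"default": 50000, "pa-5000": 150000, "pa-7000": 150000},
    "domain": {"default": 50000},
    "url": {"default": 50000},
}


def edl_limit(kind, platform="default"):
    """Return the maximum number of entries an EDL of this kind holds on the platform."""
    limits = EDL_LIMITS[kind]
    return limits.get(platform, limits["default"])


def feed_url(base_url, n=None):
    """Append n=<N> to a MineMeld feed URL, keeping any query parameters already present."""
    if n is None:
        return base_url
    parts = urllib.parse.urlsplit(base_url)
    query = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query) if k != "n"]
    query.append(("n", str(int(n))))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def parse_feed(text):
    """Parse MineMeld's plain-text feed output: one indicator per line.

    Blank lines and lines starting with '#' are skipped (assumption for this example).
    Order is preserved, because MineMeld emits the most recent entries first by default.
    """
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicators.append(line)
    return indicators


def check_capacity(indicators, kind, platform="default"):
    """Compare the indicator count with the EDL limit; over_by > 0 means PAN-OS will not load them all."""
    limit = edl_limit(kind, platform)
    count = len(indicators)
    return {"count": count, "limit": limit, "over_by": max(0, count - limit)}


def fetch_trimmed_feed(base_url, kind, platform="default", timeout=30):
    """Download at most <limit> entries (via ?n=) and return them parsed, newest first."""
    url = feed_url(base_url, edl_limit(kind, platform))
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # network call, only used from main
        return parse_feed(resp.read().decode("utf-8", errors="replace"))


# Constructed sample feed text standing in for https://minemeld.example/feeds/IPfeed output.
SAMPLE_FEED = """# constructed sample, not real indicators
198.51.100.10
198.51.100.11

203.0.113.0/24
"""


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    sample = parse_feed(SAMPLE_FEED)
    print(feed_url("https://minemeld.example/feeds/IPfeed", 10000))
    print(check_capacity(sample, "ip"))
    # Real use (assumed host name): trimmed to the platform limit before PAN-OS ever sees it.
    # entries = fetch_trimmed_feed("https://minemeld.example/feeds/IPfeed", "ip", "pa-5000")
```

Because `n` is applied server-side by MineMeld, the firewall only ever downloads a feed that fits its EDL, and because the default sort is "most recent", what gets cut are the oldest indicators; if that is not the trade-off you want for inbound blocking, change the sort attribute in the feed prototype rather than the `n` value.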