I am trying out MineMeld and I started by adding a miner (zeustracker.badips) and removing the default dshield and spam nodes. Before removal, inbound feeds were showing subnet ranges/indicators. After removal there is not a single IP. The processor shows an RX count and a PROCESSED count, but output is all zero. Am I doing something wrong?
You're facing an 'inbound' vs 'outbound' situation. Some threat intel feeds provide you with an attribute attached to the indicators meant to describe whether you should not connect to these IPs (outbound) or you should not accept connections from these IPs (inbound).
The default config includes miners that attach the 'inbound' attribute to the indicators and an aggregator that enforces it. The following capture shows you the aggregator prototype: it accepts indicators of type IPv4 with attribute 'inbound' or 'null' and discards everything else.
Now take a look at the Zeus Bad IP prototype.
As you can see, nodes based on this prototype will attach the 'outbound' attribute to received indicators, and that will make the aggregator discard them. If you take a look at the aggregator logs you'll find the discard action.
You have many options:
@raji_toor, follow examples like the Step 3 in the article MineMeld-Articles/Using-MineMeld-to-generate-IP-lists-from-wildcards to discover how to create new prototypes using the WEB UI
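To make the accept/discard rule concrete, here is an added example (not MineMeld's code and not from the answer above) that models the inbound aggregator described in this thread and reproduces the symptom: RX and PROCESSED climb while output stays at zero. The indicator values are constructed, and the attribute name `direction` is my assumption borrowed from MineMeld's stdlib prototypes; the thread itself only speaks of 'inbound'/'outbound'. The outbound-only accept rule at the end is a hypothetical illustration of one of the "options", not an existing prototype.

```python
import ipaddress

# Constructed sample indicators, shaped like the dictionaries a miner emits.
# 'direction' is an assumed attribute name (MineMeld stdlib convention).
SAMPLE_INDICATORS = [
    {"indicator": "203.0.113.0/24", "type": "IPv4", "direction": "inbound"},    # dshield-style miner
    {"indicator": "198.51.100.7", "type": "IPv4", "direction": None},           # no direction attached
    {"indicator": "192.0.2.45", "type": "IPv4", "direction": "outbound"},       # Zeus-style miner
    {"indicator": "192.0.2.46", "type": "IPv4", "direction": "outbound"},       # Zeus-style miner
    {"indicator": "example.invalid", "type": "domain", "direction": "inbound"}, # wrong type
]


def is_ipv4(ind):
    """True when the indicator is declared IPv4 and actually parses as a v4 address or prefix."""
    if ind.get("type") != "IPv4":
        return False
    try:
        return ipaddress.ip_network(ind["indicator"], strict=False).version == 4
    except ValueError:
        return False


def accepted_by_inbound_aggregator(ind):
    """The rule the answer describes: keep IPv4 with direction 'inbound' or null, discard the rest."""
    return is_ipv4(ind) and ind.get("direction") in ("inbound", None)


def accepted_by_outbound_aggregator(ind):
    """Hypothetical companion rule for outbound-only feeds such as the Zeus miner."""
    return is_ipv4(ind) and ind.get("direction") == "outbound"


def run_aggregator(indicators, accept):
    """Feed indicators through an accept rule.

    Returns (stats, output, log): stats mimics the node card counters
    (rx, processed, output), output is the list of surviving indicators,
    and log holds one line per discard, like the aggregator log the answer mentions.
    """
    stats = {"rx": 0, "processed": 0, "output": 0}
    output, log = [], []
    for ind in indicators:
        stats["rx"] += 1          # every indicator received counts as RX
        stats["processed"] += 1   # ... and as PROCESSED, even if it is then dropped
        if accept(ind):
            output.append(ind["indicator"])
            stats["output"] += 1
        else:
            log.append("DISCARD %s type=%s direction=%s"
                       % (ind["indicator"], ind.get("type"), ind.get("direction")))
    return stats, output, log


def zeus_only_feed():
    """The asker's situation after removing the default miners: only outbound indicators arrive."""
    return [ind for ind in SAMPLE_INDICATORS if ind.get("direction") == "outbound"]


if __name__ == "__main__":
    stats, out, log = run_aggregator(zeus_only_feed(), accepted_by_inbound_aggregator)
    print("inbound aggregator on Zeus-only feed:", stats, out)
    for line in log:
        print("  ", line)
    stats, out, _ = run_aggregator(zeus_only_feed(), accepted_by_outbound_aggregator)
    print("outbound aggregator on Zeus-only feed:", stats, out)
```

Running the block prints RX=2, PROCESSED=2, output=0 for the inbound aggregator together with two DISCARD lines, which is exactly what the asker saw on the node; the outbound rule keeps both addresses. A real MineMeld prototype expresses the same condition declaratively in its filter configuration rather than in Python, so treat the functions here as a model of the rule, not as the product's API.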