MineMeld is an open-source tool from Palo Alto Networks that assists with threat feed aggregation and consumption. MineMeld’s “miners” are responsible for retrieving feed data on a defined schedule and importing it into MineMeld. Once imported, feeds are deduplicated and aggregated into one or more lists. After aggregation, the lists are published and ready for consumption by Palo Alto Networks firewalls. MineMeld may be run on-premises or in a public cloud. This article shows the step-by-step process for deploying MineMeld within the Azure public cloud.
Use the MineMeld ARM Template to deploy the required Ubuntu server into Azure.
Click “Deploy To Azure” to get started.
After filling in the required information, select purchase to continue.
Wait until the deployment is complete.
Go to the Resource Group where the server was just created.
Click on the virtual machine just created.
Copy the DNS name so you can SSH to it.
Open a terminal window and SSH into the instance to finish the MineMeld installation.
Deploy the iptables rules by copying and pasting the following commands. Answer “yes” when asked to save the current IPv4/IPv6 tables.
sudo apt-get update && sudo apt-get install -y iptables-persistent
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 13514 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo bash -c "iptables-save > /etc/iptables/rules.v4"
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP
sudo bash -c "ip6tables-save > /etc/iptables/rules.v6"
You may notice the following error:
GPG error: http://minemeld-updates.panw.io trusty-minemeld InRelease: The following signatures were invalid: KEYEXPIRED
This will be addressed in a step below.
Add the MineMeld repository GPG key to the APT trusted keyring:
wget -qO - https://minemeld-updates.panw.io/gpg.key | sudo apt-key add -
Double-check the GPG key fingerprint. The fingerprint printed for key ID DD0DA1F9 should match the full fingerprint shown in the output below:
apt-key adv --fingerprint DD0DA1F9
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.W74MaAG3pI --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --fingerprint DD0DA1F9
pub 4096R/DD0DA1F9 2016-07-15
Key fingerprint = E558 CE6E 3968 0F31 8F6C BFAC B401 E02E DD0D A1F9
uid Palo Alto Networks, MineMeld Team <minemeld@paloaltonetworks.com>
After verifying the key, add MineMeld to the APT repository:
sudo add-apt-repository "deb http://minemeld-updates.panw.io/ubuntu trusty-minemeld main"
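The fingerprint check above is done by eye; the script below, an added example that is not part of the original article, compares the downloaded key's fingerprint against the value shown in the apt-key output and only hands the key to apt-key when it matches. It assumes gpg (1.4 or 2.x), wget and sudo are available; the function names, the environment variable MINEMELD_ADD_KEY and the colon-format sample output are constructed for this example.

```shell
#!/bin/sh
# Added example: verify the MineMeld repository signing key before trusting it.
# The expected fingerprint is the one shown by apt-key in the article.

EXPECTED_FPR="E558 CE6E 3968 0F31 8F6C BFAC B401 E02E DD0D A1F9"
KEY_URL="https://minemeld-updates.panw.io/gpg.key"

# Normalise a fingerprint for comparison: drop whitespace, force upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons --with-fingerprint` output on stdin and print the
# first primary-key fingerprint (field 10 of the first "fpr:" record).
extract_fpr() {
    grep '^fpr:' | head -n 1 | cut -d: -f10
}

# Succeed (exit 0) only if the fingerprint found on stdin equals EXPECTED_FPR.
fpr_matches() {
    actual=$(extract_fpr)
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Download the key, check it, and add it to APT only when the check passes.
verify_and_add_key() {
    keyfile=$(mktemp) || return 1
    if ! wget -qO "$keyfile" "$KEY_URL"; then
        rm -f "$keyfile"; return 1
    fi
    if gpg --batch --with-colons --with-fingerprint "$keyfile" 2>/dev/null | fpr_matches; then
        sudo apt-key add "$keyfile"; rc=$?
    else
        echo "MineMeld key fingerprint does not match the expected value; not adding it" >&2
        rc=1
    fi
    rm -f "$keyfile"
    return $rc
}

# Constructed sample of colon-format gpg output for the key in the article
# (pub/uid records abbreviated), used to exercise the parser offline.
SAMPLE_GPG_COLONS='pub:-:4096:1:B401E02EDD0DA1F9:2016-07-15::::::
fpr:::::::::E558CE6E39680F318F6CBFACB401E02EDD0DA1F9:
uid:-::::2016-07-15::::Palo Alto Networks, MineMeld Team <minemeld@paloaltonetworks.com>:'

# Offline self-check; the real download/add step runs only when MINEMELD_ADD_KEY is set.
if printf '%s\n' "$SAMPLE_GPG_COLONS" | fpr_matches; then echo "sample fingerprint OK"; fi
if [ -n "${MINEMELD_ADD_KEY:-}" ]; then verify_and_add_key; fi
```

Run it with MINEMELD_ADD_KEY=1 on the MineMeld host to perform the download and the guarded apt-key add; without the variable it only exercises the parser on the embedded sample.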
Run another package update:
sudo apt-get update
Install PIP:
sudo apt-get install python-pip
Install MineMeld:
sudo apt-get update && sudo apt-get install -y minemeld rsyslog-minemeld rsyslog-mmnormalize
Follow these steps to downgrade PIP to version 9.0.3. If PIP is not downgraded, you may not be able to log into the MineMeld web GUI after completion.
Stop the MineMeld service:
sudo service minemeld stop
Downgrade PIP:
sudo -H -u minemeld /opt/minemeld/engine/current/bin/pip install pip==9.0.3
Start the MineMeld service:
sudo service minemeld start
Using the Azure DNS name, browse to the MineMeld instance.
Log in with the default credentials: admin / paloalto