DAGPusher and DAG

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DAGPusher and DAG

L3 Networker

Luigi,

 

Can you confirm DAGPusher name should match tag for DAG in PAN-OS?  I can't have the DAG updated with Minemeld indicators

 

Thanks

 

Bertrand

1 accepted solution

Accepted Solutions

Hi Bertrand,

if you see updates and 0 indicators it means indicators have been discarded. 

Aggregator generates IPv4 ranges, in this case you may want to remove it from the chain and directly connect malwaredomainlist.ip miner to dagpusher.

 

I will improve the dagPusher to keep a metric about discarded indicator and improve the check on unicast IPs.

 

Thanks,

Luigi

View solution in original post

9 REPLIES 9

L7 Applicator

Hi Bertrand,

no relationship between dagpuhser name and DAG on PAN-OS.

 

Could you check with "show object registered-ip all" ?

 

Should be something like:

admin@PA-VM-Minemeld> show object registered-ip all

 

registered IP                             Tags

----------------------------------------  -----------------

 

<IP edited> #

                                         "mmld_confidence_high"

                                         "mmld_direction_unknown"

                                         "mmld_pushed"

[...]

 

NOTE: only unicast IP will be pushed, as DAG API only support unicast IPs.

Luigi,

 

I got no output from the command. I suspect a problem in the DagPusher connection to the firewall. What is the best course to troubleshoot that the handled device is correctly connected from Minemeld?

 

Thanks

 

Bertrand

You should check /opt/minemeld/logs/minemeld-engine.log file for errors.

Luigi,

 

I tried with the following (as Office365 is still experimental):

Miner: malwaredomainlist.ip

Aggregator: stdlib.aggregatorIPv4Generic

And dagPusher as the Output.

 

I didn't get any result in viewing objects on PA devices and got the attached screenshots which makes me feel the dagPusher is not processing, while receiving, indicators.

 

There is no error in the minemeld-engine.log

 

Regards,

 

Bertrand

Hi Bertrand,

if you see updates and 0 indicators it means indicators have been discarded. 

Aggregator generates IPv4 ranges, in this case you may want to remove it from the chain and directly connect malwaredomainlist.ip miner to dagpusher.

 

I will improve the dagPusher to keep a metric about discarded indicator and improve the check on unicast IPs.

 

Thanks,

Luigi

Thanks Luigi,

 

Understood and it works much better. Very good job by the way.

 

Cheers,

 

B.

Thanks, next minor release should have a more flexible dag pusher node. You will be able to use an IPv4 Aggregator as upstream node.

 

Luigi

Can the tags be modified somewhere? I want a tag for each input my DAGPusher is sending. Unless there is another way to create multiple pushed DAG's on the firewall.

 

For instance those with the tag O365 get DAG name O365 and end up with a firewall ACL that is an allow. Other blacklist inputs go into a "verybadIP" list and get a drop traffic action ACL.

 

104.214.35.244 #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"

"mmld_o365ip"

 

1.1.1.1 #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"

"mmld_verybadIP"

Hi bspilde,

that is definitely possible. Solution:

- go to CONFIG and click on browse prototypes button

- search for stdlibg.dagPusher prototype and click on it

- click on the NEW button to create a new prototype based on that

- in the config section define the tag_prefix property, like in the picture below

- click OK

- and then create a new node based on this new prototype

 

When using this new prototype all the tags have prefix "badipbad_" and you can filter on "badipbad_pushed" to collect all the IPs pushed by this new node. Tags will look like:

 

1.1.1.1 #
"badipbad_confidence_high"
"badipbad_direction_unknown"
"badipbad_pushed"

 

Screen Shot 2016-05-30 at 10.05.48.png

  • 1 accepted solution
  • 14646 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!