02-25-2016 09:43 AM
Hi Bertrand,
if you see updates and 0 indicators it means indicators have been discarded.
Aggregator generates IPv4 ranges, in this case you may want to remove it from the chain and directly connect malwaredomainlist.ip miner to dagpusher.
I will improve the dagPusher to keep a metric about discarded indicator and improve the check on unicast IPs.
Thanks,
Luigi
02-25-2016 07:13 AM
Hi Bertrand,
no relationship between dagpuhser name and DAG on PAN-OS.
Could you check with "show object registered-ip all" ?
Should be something like:
admin@PA-VM-Minemeld> show object registered-ip all
registered IP Tags
---------------------------------------- -----------------
<IP edited> #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"
[...]
NOTE: only unicast IP will be pushed, as DAG API only support unicast IPs.
02-25-2016 08:19 AM
Luigi,
I got no output from the command. I suspect a problem in the DagPusher connection to the firewall. What is the best course to troubleshoot that the handled device is correctly connected from Minemeld?
Thanks
Bertrand
02-25-2016 08:31 AM
You should check /opt/minemeld/logs/minemeld-engine.log file for errors.
02-25-2016 09:29 AM
Luigi,
I tried with the following (as Office365 is still experimental):
Miner: malwaredomainlist.ip
Aggregator: stdlib.aggregatorIPv4Generic
And dagPusher as the Output.
I didn't get any result in viewing objects on PA devices and got the attached screenshots which makes me feel the dagPusher is not processing, while receiving, indicators.
There is no error in the minemeld-engine.log
Regards,
Bertrand
02-25-2016 09:43 AM
Hi Bertrand,
if you see updates and 0 indicators it means indicators have been discarded.
Aggregator generates IPv4 ranges, in this case you may want to remove it from the chain and directly connect malwaredomainlist.ip miner to dagpusher.
I will improve the dagPusher to keep a metric about discarded indicator and improve the check on unicast IPs.
Thanks,
Luigi
02-25-2016 02:11 PM
Thanks Luigi,
Understood and it works much better. Very good job by the way.
Cheers,
B.
02-25-2016 02:13 PM
Thanks, next minor release should have a more flexible dag pusher node. You will be able to use an IPv4 Aggregator as upstream node.
Luigi
05-27-2016 01:47 PM
Can the tags be modified somewhere? I want a tag for each input my DAGPusher is sending. Unless there is another way to create multiple pushed DAG's on the firewall.
For instance those with the tag O365 get DAG name O365 and end up with a firewall ACL that is an allow. Other blacklist inputs go into a "verybadIP" list and get a drop traffic action ACL.
104.214.35.244 #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"
"mmld_o365ip"
1.1.1.1 #
"mmld_confidence_high"
"mmld_direction_unknown"
"mmld_pushed"
"mmld_verybadIP"
05-30-2016 01:11 AM
Hi bspilde,
that is definitely possible. Solution:
- go to CONFIG and click on browse prototypes button
- search for stdlibg.dagPusher prototype and click on it
- click on the NEW button to create a new prototype based on that
- in the config section define the tag_prefix property, like in the picture below
- click OK
- and then create a new node based on this new prototype
When using this new prototype all the tags have prefix "badipbad_" and you can filter on "badipbad_pushed" to collect all the IPs pushed by this new node. Tags will look like:
1.1.1.1 #
"badipbad_confidence_high"
"badipbad_direction_unknown"
"badipbad_pushed"
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
