Filter items from source feed

Thank you for the info, that is great.  I am adding it now and will let you know if I have any issues.  It does bring up two questions.

Is there a way, other than cloning and modifying, to edit prototypes?

Also, is there a doc somewhere that lists all the fields/options for the prototypes?

Thanks again!

Mike

Hi @deanm,

you can also edit the file /opt/minemeld/local/prototypes/minemeldlocal.yml and restart the engine.

An alternative, if you want to share your prototype, is creating a simple external extension with the prototype and share the extension. Example: https://github.com/PaloAltoNetworks/minemeld-cef

The config options available depend on the class of the node, you can find some details here: https://github.com/PaloAltoNetworks/minemeld-core/blob/master/docs/nodeconfig.rst

I thought this solved the question, but it does not appear that it did.

The node shows the full 55,000+ indicators, which may be normal with filters, I am not sure, but I am not seeing any addresses that should match the filters in any of my feeds.  The full prototype configuration is

    alienvault_reputation-Malicious_US-CA:

        class: minemeld.ft.csv.CSVFT

        config:

            attributes:

                confidence: 80

                share_level: green

                type: IPv4

            delimiter: '#'

            fieldnames:

            - indicator

            - alienvault_reliability

            - alienvault_risk

            - alienvault_type

            - alienvault_country

            outfilters:

            -   actions:

                - accept

                conditions:

                - alienvault_type == 'Malicious Host'

                name: accept Malicious

            -   actions:

                - accept

                conditions:

                - alienvault_country == 'US'

                name: accept US

            -   actions:

                - accept

                conditions:

                - alienvault_country == 'CA'

                name: accept CA

            -   actions:

                - drop

                name: drop all

            interval: 3600

            source_name: alienvault.reputation

            url: http://reputation.alienvault.com/reputation.data

        description: Malicious US and CA alienvault hosts

        development_status: EXPERIMENTAL

        indicator_types:

        - IPv4

        node_type: miner

        tags:

        - OSINT

        - ShareLevelGreen

I have tried using both infilters and outfilters as well as inbound and outbound feeds.

So far, nothing I have tried has ended up with an appropriate amount of indicators being listed (I check by using a regex search/count on the source alienvault feed).

Any thoughts, I am missing something?

Thanks,

Mike

Of course, that makes sense.  It seems to be working now, although the TX number is lower than the number I find when I do a regex search of the source file.

The main feed definition does not define inbound or outbound.  I am assuming it will default to inbound.  Is that assumption correct?

Thanks again for all your help!

Hi @deanm,

I have double checked the conditions, and you should change the config of the prototype to apply a more flexible match on the alienvault_type:

attributes:
    confidence: 80
    share_level: green
    type: IPv4
delimiter: '#'
fieldnames:
- indicator
- alienvault_reliability
- alienvault_risk
- alienvault_type
- alienvault_country
interval: 3600
outfilters:
-   actions:
    - accept
    conditions:
    - alienvault_country == 'US'
    - contains(alienvault_type, 'Malicious Host') == true
    name: accept US
-   actions:
    - accept
    conditions:
    - alienvault_country == 'CA'
    - contains(alienvault_type, 'Malicious Host') == true
    name: accept CA
-   actions:
    - drop
    name: drop all
source_name: alienvault.reputation
url: http://reputation.alienvault.com/reputation.data

About inbound, outbound: with this prototype IPv4 generated have no direction settings. This means you can use the Miner with both Inbound and Outbound IPv4 processors.

How does the contains change things?  It did add more, but this time too many (go figure).

Is there a way to see what it is matching?

As always, thanks for the help!

And how did you figure out all of the commands?

Hi @deanm,

before the filter were selecting only indicators with alienvault_type equals to "Malicious Host", now indicator where the alienvaule_type contains "Malicious Host". Some indicators have a string with multiple alienvault_types, like "Spamming Host;Malicious Host;FooBar". Your regex was selecting only the indicators where Malicious Host was at the end of the type field, the filters instead also select indicators where Malicious Host is in the middle or at the beginning of the type string. That's why you have more than expected.

You can see what is matching by looking at the logs of the processor node connected to the Miner and check for RECVD_UPDATE messages.

I know the commands because I wrote the code 🙂 Seriously, you can find more details here: https://github.com/PaloAltoNetworks/minemeld-core/blob/master/docs/nodeconfig.rst

Thanks,

luigi

Thanks again and that definitely makes sense on why you are so versed in the commands :-).  

The tool is great, it has made my job of managing my EDLs much, much easier (I am testing it at home and will deploy at work soon).

Is there a way to validate the number of addresses matched?  Meaning, if I look at the current reputation.data file and use a regex such as

"egrep -ce '(\d{1,3}\.){3}\d{1,3}\#\d{1,}#\d{1,}\#.*Malicious.*\#(CA|US)' reputation.data"

and that returns a count of 3356, should I see a similar or same number in Minemeld's Update TX counter for that miner?  At least, for the first run after an engine start

Hi @deanm,

the best way to validate is connecting an IPv4 processor node to the Miner and then check the UPDATE.RX counter on the processor node. In 0.9.38 the UPDATE.TX counter on the Miner is incremented even if the indicator is dropped by the output filters, this will be fixed in the next release.

Luigi