Getting "engine fatal" error in Minemeld.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Getting "engine fatal" error in Minemeld.

L2 Linker

Hi Luigi, this is in reference to ticket 00632153.  Two issues here: 

 

1. While attempting to work on issue #2, I noticed that I am getting an "engine fatal" error in Minemeld. Version is 9.34. Have restarted engine, but the issue is still there. 

 

2. I would like to build a custom exclusion for the below Amazon IP list so that addresses are dynamically updated and can be allowed by Minemeld and an access rule in our Palo Alto that points to it. Is this possible in 9.3.4 or do I  need an upgrade? 

 

Amazon list: 

 

https://ip-ranges.amazonaws.com/ip-ranges.json

 

Article you wrote about how to do this. Want to make sure that this is still the best way to do this? 

 

https://live.paloaltonetworks.com/t5/MineMeld-Discussions/What-s-new-in-MineMeld-0-9-9/m-p/76690#U76...

 

thanks for all your help! 

 

 

3 REPLIES 3

L7 Applicator

Hi @BobHarrison,

there is a builtin prototype to monitor that URL aleady, it's called aws.AMAZON. There a many ways you can use this Miner, following are the 2 most common use cases:

 

1. Direct EDL for PAN-OS

If you want to create a feed for those AMAZON IP ranges, you can go in CONFIG > IMPORT, paste the following snippet and then press APPEND (and COMMIT :-)). You can then point PAN-OS EDL to https://<minemeld>/feeds/feedAmazonIPs.

nodes:
  amazonIPs:
    inputs: []
    output: true
    prototype: aws.AMAZON
  feedAmazonIPs:
    inputs:
      - amazonIPs
    output: false
    prototype: stdlib.feedHCGreenWithValue

2. WHITELIST in MINEMELD

If instead you would like to use those IP Ranges for whitelisting indicators directly on MineMeld you can use the following snippet:

nodes:
  wlAmazonIPs:
    inputs: []
    output: true
    prototype: aws.AMAZON

This will create a Miner for AMAZON IPs that you can connect to IPv4 aggregators to automatically remove Amazon IPs from the feeds. The trick here is the "wl" prefix in the name of the Miner. Aggregators treat as whitelist all the indicators coming from Miner starting with wl. See the example graph below, aggregatorIPv4 automatically removes indicators sent by ransomwaretacker_RW_IPBL overlapping the ranges coming from wlAmazonIPs.

 

Screen Shot 2017-03-10 at 11.57.43.png

Hi Luigi, thanks for your input. 

 

1. I am still getting "engine-fatal" issue in Minemeld? 

 

2. What is the preferred method of the two? Currently we are using minemeld by having a DENY access-list that points to "Emerging threats feed", "high confidence feed", etc.  Should I be creating a second access-list that is a PERMIT list that points to the url of our minemeld server? 

Hi @BobHarrison,

  1. please, could you download and send me the minemeld-engine.log file from SYSTEM > DASHBAORD > ENGINE > LOGS ? My email address is lmori@paloaltonetworks.com
  2. It depends on your what is your ultimate goal. If you would like to allow all the traffic going to any AMAZON service, then the best way to do it is a new EDL pointing to the new feed. If instead you want to be sure that your OSINT feeds are not blacklisting any Amazon IP address, then you should go for solution 2) - whitelist inside MineMeld.
  • 3941 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!