Minemeld Indicators Number not equal Firewall DAG Members List


L1 Bithead

Hi everyone,

I tried to reference all the Windows RODCs (Read-Only Domain Controllers) using a custom script. The script is working fine: it queries our Active Directory and returns a JSON list of RODCs. Each indicator listed by the script looks like this:

{
	"indicator": "ip.add.re.ss",
	"value": {
		"comment": "This is a comment",
		"confidence": 100,
		"type": "IPv4",
		"share_level": "green"
	}
}

I then used an import script found here: https://gist.github.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785 which works fine too: it imports all the indicators (around 130) into the configured miner in MineMeld:

(screenshot)

I then send these indicators directly to some output nodes:

(screenshot)

I used a classic output feed (as a test output). For populating the firewall, I used the DAG Pusher prototype: one that used our Panorama (CrfRodcDAG) and another one for testing purposes that sends the indicators directly to a firewall (CrfRodcDAG_Test). If we focus on the latter, here is its configuration:

(screenshot)

The firewall has a Dynamic Address Group configured that matches the MineMeld tag "MM_RODC":

(screenshot)

At first, it looked like everything worked fine:

  • If a new RODC was found, it was added to the firewall after a short timer.
  • If a RODC was deleted, it was removed from the DAG.

However, after a few more tests in MineMeld, I restarted the MineMeld engine several times, and I began having some discrepancies between MineMeld and the firewall: MM still had 130 indicators, but the firewall only got 22, then 90, sometimes 126, and then after a few seconds dropped down to zero... The only way I found to stabilise the situation was to clear all registered IPs from the firewall and then restart the MineMeld engine. But again, if the MineMeld machine restarts or receives modifications, it "breaks" the whole system...

For instance, right now, MineMeld lists 129 indicators, while only 36 are listed by the firewall...

I checked with PAN support whether the issue could be with the firewall, but they saw nothing suggesting that.

Do you have any idea of the possible cause of this issue?

Kind regards.
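One check worth running while chasing drift like this, added here as an example and not code from the original post or from MineMeld: compare the feed's indicator list with the IPs the firewall has registered under the DAG tag, normalising /32 entries so both sides compare like for like, and report the drift in each direction. It assumes MineMeld's plain-text feed output (one indicator per line) and the XML shape of the PAN-OS 'show object registered-ip' output; both inputs are constructed samples.

```python
# Reconcile a MineMeld output feed with the IPs a PAN-OS firewall has registered
# under a DAG tag. Assumptions: the feed is MineMeld's plain-text output (one
# indicator per line); the firewall data has the shape of the XML returned by
# 'show object registered-ip tag <tag>'. Both inputs below are constructed.
import ipaddress
import xml.etree.ElementTree as ET

TAG = "MM_RODC"

# Constructed feed body (as fetched from https://<minemeld>/feeds/<feed-name>).
FEED_TEXT = """10.10.1.5
10.10.1.6
10.10.2.20/32
# comment lines and blanks are ignored

10.10.3.7
"""

# Constructed firewall output: three entries carry our tag, one carries another.
REGISTERED_IP_XML = """<response status="success"><result>
<entry ip="10.10.1.5"><tag><member>MM_RODC</member></tag></entry>
<entry ip="10.10.2.20"><tag><member>MM_RODC</member></tag></entry>
<entry ip="10.10.9.9"><tag><member>MM_RODC</member></tag></entry>
<entry ip="10.10.4.4"><tag><member>OTHER_TAG</member></tag></entry>
<count>4</count></result></response>"""

def normalize(ip):
    """Canonical host form so '10.10.2.20/32' and '10.10.2.20' compare equal."""
    return str(ipaddress.ip_interface(ip.strip()).ip)

def parse_feed(text):
    """Indicators from a plain-text feed, skipping blanks and '#' comments."""
    lines = (line.strip() for line in text.splitlines())
    return {normalize(line) for line in lines if line and not line.startswith("#")}

def parse_registered_ips(xml_text, tag):
    """IPs registered on the firewall that carry the given DAG tag."""
    found = set()
    for entry in ET.fromstring(xml_text).iter("entry"):
        if tag in {m.text for m in entry.findall("./tag/member")}:
            found.add(normalize(entry.get("ip")))
    return found

def reconcile(feed_text, xml_text, tag=TAG):
    """Counts plus both directions of drift, so you can see which side is wrong."""
    feed, firewall = parse_feed(feed_text), parse_registered_ips(xml_text, tag)
    return {"minemeld_count": len(feed), "firewall_count": len(firewall),
            "missing_on_firewall": sorted(feed - firewall),
            "stale_on_firewall": sorted(firewall - feed)}
```

Calling reconcile(FEED_TEXT, REGISTERED_IP_XML) on the samples reports 4 feed indicators against 3 registered IPs, two missing on the firewall and one stale entry; run it after each MineMeld engine restart to see whether the DAG Pusher or the firewall side is dropping entries.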

1 REPLY 1

L1 Bithead

As I keep on looking for a solution, I tried using a more common EDL.

As of now, the firewall is getting the right number of indicators, with no difference from the values gathered by MineMeld.

I'm therefore wondering if there is a bug with the DAG Pusher prototype... Has anyone had this kind of issue in the past?

Thanks.
