Minemeld static url/ipv4/md5 list

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Minemeld static url/ipv4/md5 list

L1 Bithead

Hi everyone,

we have installed minemeld in our facility and it's great, but we are having trouble implementing a solution that takes lists internally, our current goal is to update the list manually based on the ipv4 / url we get from our security team. Is there any guide that explains how this can be done?

 

Thanks ,

 

Angelo.

1 accepted solution

Accepted Solutions

Hi @porq91 ,

 

To achieve what you want you need localdb prototype. The only "guide" I am aware of is from the following link - https://live.paloaltonetworks.com/t5/general-articles/using-minemeld-as-an-incident-response-platfor...

Note that there was a bug that localdb was able to hold only single indicator and any new will replace the existing. This bug was fixed in some later version. So you definately need to run the latest version of MineMeld. Since no one from open communitity is picking up the project I believe last version is 0.9.70 and you should be fine with it.

 

Below are summarized steps that I writed down for myself, but if you need more detailed explanation check the link above

 

LocalDB miner

  • Purpose: Miner using prototype localDB allow to import indicators that are stored locally on the MineMeld. Those indicators are than parsed in format suitable for PAN FW EDL consumption
  • Steps to create:
    1. Find build-in prototype "stdlib.localDB" and  create new copy

Astardzhiev_0-1653748300820.png

 

 

  1. Since this prototype is in experimental state, we need to edit the shared level, so we can use standard output node to consume the indicators. Note here we can modify the default age_out value. Unfortunately, currently there is a bug for this typo (if age_out is modified when adding new indicator all current are removed)

Astardzhiev_1-1653748300823.png

 

 

  1. Using the new prototype create miner node

Astardzhiev_2-1653748300825.png

 

 

Astardzhiev_3-1653748300830.png

 

 

  1. Create output node using standard prototype and select as input the localdb node created earlier and commit the changes

Astardzhiev_4-1653748300835.png

 

 

  1. To add indicator to the list you need to send POST request with following details:
    1. URL: https://my-minemeld.local/config/data/XXXXXXXX-bad-domain_indicators/append?h=XXXXXXXX-bad-domain&t=localdb (highlighted string needs to correspond the miner node name you created above)
    2. Credentials: MineMeld admin account credentials are required (currently MineMeld doesn't support RBAC)
    3. Data must be in JSON format (send header Content-Type: application/json) as follow:

{

"indicator": "bad.example.com",

"type": "domain",

"comment": "Phishing domain",            

"share_level": "green",

"confidence": 100,

"ttl": "disable"                        

}

 

Indicator - contain the suspicious domain

Type - must be set to domain (other options are IPv4, URL, hash)

Comment - Optional, but good practice to keep track for the reason why this domain was added

Share_level, Confidence - Optional, used for filtering internally in MineMeld

TTL - this set the age out period for the indicator, it must be set to disable in order to keep the indicator forever (due to the bug we cannot set age out disabled by default, so it must be set for each indicator). If ttl is set to 0 indicator will be removed from the local db and EDL respectfully

View solution in original post

6 REPLIES 6

Hi @porq91 ,

 

To achieve what you want you need localdb prototype. The only "guide" I am aware of is from the following link - https://live.paloaltonetworks.com/t5/general-articles/using-minemeld-as-an-incident-response-platfor...

Note that there was a bug that localdb was able to hold only single indicator and any new will replace the existing. This bug was fixed in some later version. So you definately need to run the latest version of MineMeld. Since no one from open communitity is picking up the project I believe last version is 0.9.70 and you should be fine with it.

 

Below are summarized steps that I writed down for myself, but if you need more detailed explanation check the link above

 

LocalDB miner

  • Purpose: Miner using prototype localDB allow to import indicators that are stored locally on the MineMeld. Those indicators are than parsed in format suitable for PAN FW EDL consumption
  • Steps to create:
    1. Find build-in prototype "stdlib.localDB" and  create new copy

Astardzhiev_0-1653748300820.png

 

 

  1. Since this prototype is in experimental state, we need to edit the shared level, so we can use standard output node to consume the indicators. Note here we can modify the default age_out value. Unfortunately, currently there is a bug for this typo (if age_out is modified when adding new indicator all current are removed)

Astardzhiev_1-1653748300823.png

 

 

  1. Using the new prototype create miner node

Astardzhiev_2-1653748300825.png

 

 

Astardzhiev_3-1653748300830.png

 

 

  1. Create output node using standard prototype and select as input the localdb node created earlier and commit the changes

Astardzhiev_4-1653748300835.png

 

 

  1. To add indicator to the list you need to send POST request with following details:
    1. URL: https://my-minemeld.local/config/data/XXXXXXXX-bad-domain_indicators/append?h=XXXXXXXX-bad-domain&t=localdb (highlighted string needs to correspond the miner node name you created above)
    2. Credentials: MineMeld admin account credentials are required (currently MineMeld doesn't support RBAC)
    3. Data must be in JSON format (send header Content-Type: application/json) as follow:

{

"indicator": "bad.example.com",

"type": "domain",

"comment": "Phishing domain",            

"share_level": "green",

"confidence": 100,

"ttl": "disable"                        

}

 

Indicator - contain the suspicious domain

Type - must be set to domain (other options are IPv4, URL, hash)

Comment - Optional, but good practice to keep track for the reason why this domain was added

Share_level, Confidence - Optional, used for filtering internally in MineMeld

TTL - this set the age out period for the indicator, it must be set to disable in order to keep the indicator forever (due to the bug we cannot set age out disabled by default, so it must be set for each indicator). If ttl is set to 0 indicator will be removed from the local db and EDL respectfully

Thanks @aleksandar.astardzhiev, much appreciated.

 

However I have a couple of concerns:

 

First, the url https://my-minemeld.local, should my-minemeld.local be replaced with the ip of the machine that hosts minemeld?

 

Second of all, I have no idea how to do the POST request you recommended.

 

 

Excuse the stupid question but this is the first time I have worked on this kind of application. 

Hi @porq91 ,

- Yes my-minemeld.com is just an example, which you need to replace with the hostname/ip address of your own MineMeld. Same goes for "XXXXXXXX-bad-domain" - you need to replace that as well with the name you use in your config

- I ment HTTP POST request - if you look at the link, somewhere around the end of the post there is "Annex 2" which is explaining how you can send API request to add/remove new indicators to the list. What I forgot to mention is that you can add/remove indicators manually through MineMeld GUI - go to Nodes -> Click on your localDB miner, there will be additional tab listing all current indicators and allowing you add or remove

Astardzhiev_0-1653762500903.png

 

Adding indicators via the GUI could be tidious, especially if you need to add bulk of indicators. In addition you can have somekind of automation that could benefit from the API and add/remove indicators using the explained API POST requests.

L1 Bithead

Work greatly,

 

just last thing, if i wanted to add multiple ip's at once is this the right format?

because in this way it does not add all the ip's

 

curl --insecure -XPOST -H "Content-Type: application/json" -u admin:minemeld "https://10.0.0.4/config/data/node-bad-domain_indicators/append?h=node-bad-domain&t=localdb" -d '
{
"indicator": "8.8.8.8",
"indicator": "8.8.8.2",
"indicator": "1.1.21.1",
"indicator": "1.1.51.1",
"indicator": "1.15.1.1",
"indicator": "1.6.1.1",
"indicator": "1.1.2.1",
"indicator": "1.1.3.1",
"indicator": "1.4.1.1",
"indicator": "2.1.1.1",
"type": "IPv4",
"comment": "usual Google DNS Public IP",
"share_level": "green",
"confidence": 100,
"ttl": 3600
}'

Hi @porq91 ,

I don't believe you can add multiple indicators with single API call... My approach for adding bulk of indicators when creating localdb for the first time was "quick and dirty" bash scripting - reading from a file each entry on new line, with for loop repeating the curl command for each indicator.

L1 Bithead

Thanks a lot dude, very helpful.😘

  • 1 accepted solution
  • 3617 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!