07-29-2016 05:31 AM
Hello,
I am very happy, that I can create dynamical lists for using it in the PA. So I use ransomwaretracker.RW_URLBL with stdlib-aggregatorURL as prozessor and stdlib.feedHCGreen as output to create a URL-list. So I got a list like:
... http://217.64.197.138/~rivista_ipi/4kkmkfz http://237travellin.com/92nwao23 http://237travellin.com/telo70 ...
I have tested it as described in:
But it does not work. It's works only, if the entries in the list not have a leading "http://". It's ok, the sites can also have https, and for checking a URL, it is not important. What's wrong? Have I make a mistake? Or is this a issue (Minemeld or PaloAlto?)?
Thanks for your efforts
07-29-2016 05:37 AM - edited 07-29-2016 05:38 AM
Hi Bohem,
you should append "?v=panosurl" to the URL of the feed inside the EDL configuration. Something like:
https://<minemeld>/feeds/ransomwarefeed?v=panosurl
This will instruct MineMeld to convert URL indicators into PAN-OS EDL format.
Luigi
07-29-2016 06:06 AM
Hi Ralf,
there is no much documentation about the format. Currently (0.9.18) you can use the following values for the v parameter:
<no v parameter> - output format is just a plain text list of indicators
json - output in JSON
json-seq - output in JSON SEQ format (RFC7464)
panosurl - for URL indicators, formatted in PAN-OS EDL compatible format
Note that for json and json-seq to show attributes of the indicators, the output node should be based on prototypes feed*WithValue. Example: if you use feedHCGreen you are only able to see the indicators in the output. If instead you use feedHCGreenWithValue, you are also able to see all the attributes of each indicator.
Thanks,
luigi
07-29-2016 05:37 AM - edited 07-29-2016 05:38 AM
Hi Bohem,
you should append "?v=panosurl" to the URL of the feed inside the EDL configuration. Something like:
https://<minemeld>/feeds/ransomwarefeed?v=panosurl
This will instruct MineMeld to convert URL indicators into PAN-OS EDL format.
Luigi
07-29-2016 05:53 AM
Hi Luigi,
great (and very fast answer 😉 ) I have really search befor I ask this questions. 😉 Ok. Now it's works, and I will have a nice weekend. 🙂 Thank you very mutch.
Is there a list of options, which can used for fromatting the lists?
Ralf
07-29-2016 06:06 AM
Hi Ralf,
there is no much documentation about the format. Currently (0.9.18) you can use the following values for the v parameter:
<no v parameter> - output format is just a plain text list of indicators
json - output in JSON
json-seq - output in JSON SEQ format (RFC7464)
panosurl - for URL indicators, formatted in PAN-OS EDL compatible format
Note that for json and json-seq to show attributes of the indicators, the output node should be based on prototypes feed*WithValue. Example: if you use feedHCGreen you are only able to see the indicators in the output. If instead you use feedHCGreenWithValue, you are also able to see all the attributes of each indicator.
Thanks,
luigi
09-04-2016 07:17 PM
Luigi, Thanks alot, i need this too, you never fail to impress us. 😃
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
