This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Same Version Differnt Results

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Same Version Differnt Results

0isac0
L1 Bithead

‎08-31-2017 07:34 AM

I have two instances of MineMeld, both built off the instructions at https://live.paloaltonetworks.com/t5/MineMeld-Articles/Manually-install-MineMeld-on-Ubuntu-Server-14...

 

My dev instance built in June and reporting version 0.9.40 appears to be functioning correctly

My prod instance built in Aug and reporting version 0.9.40 appears to be simply echoing the raw data as the output.

 

This does not occur on all datafeeds.  In particular it does occur on a cloned protoype for IPv4, stdlib.aggregatorIPv4Generic.

The source miner nodes all report the same number of IOCs.  Once the data hits the processor node the dev instance reports 139 IOCs while the prod reports 1236 IOCs.

 

I have attempted to verify permissions, compare files etc.  The last modification was copying the same custom prototypes file minemeldlocal.yml to both instances.

 

What am I missing?

 

0 Likes Likes
3 REPLIES 3

xhoms
L5 Sessionator

‎08-31-2017 08:24 AM

Thinks I'd check:

  • Grab configuration files from both instances (Config -> Export) and double check they're exactly the same.
  • Deep dive into the filter configuration section of all processors and output nodes. Different share_levels and confidence matching conditions could explain it.
  • Verify the share_level attribute in the miners is the expected one.
0 Likes Likes

0isac0
L1 Bithead
In response to xhoms

‎08-31-2017 09:01 AM

xhoms - Yep, had done all that which is what was really confusing me.

 

Update: I stopped services, deleted all exisiting data files in /opt/minemeld/local/data, restarted services.
Now the two instances are reporting the same numbers across the board.

 

Am I possibly correct in assuming there was some difference in learned confidence values as the dev instance had been runnning for an additional 60ish days, or some other built in logic?

0 Likes Likes

xhoms
L5 Sessionator
In response to 0isac0

‎08-31-2017 09:10 AM

Depending on the age_out policy of a miner you can expect the instance running for more time to keep indicators that have never been seen by the newer instance. But if the number of indicators at the miner level between instances is the same then I would assume they all have the same confidence values.

 

A common mistake is to "clone" a miner prototype from the library that has "share_level = red" and attaching it to a processor with a filter that only accepts indicators in the "share_level = green"

0 Likes Likes
  • 3597 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks