Disabling Indicator Expiration


L2 Linker

@lmori, thank you for your help so far.

I am migrating my data to the "stdlib.localDB" miner, per your suggestion here.

I have two questions now:

First, I noticed that the default expiration for indicators added to this miner is just one day. How can I change this to one year? What about disabling expiration by default?

Second, I am trying to push indicators to this new miner via json (this would be irrelevant if you can answer my first question).
I tried to set ttl = -1 to disable expiration, but that didn't work. Since 0 deletes the indicator, not sure what to use here.
How can I disable expiration for these indicators through the API call?


curl -XPOST -H "Content-Type: application/json" -u admin:<ommited> "http://localhost/config/data/feed_any_indicators/append?h=feed_any&t=localdb" -d '
[
{
"indicator": "219.101.37.81",
"type": "IPv4",
"comment": "Win32.Conficker.Cp2p",
"share_level": "green",
"Confidence": 100,
"ttl": -1
},
{
"indicator": "82.188.123.234",
"type": "IPv4",
"comment": "Win32.Conficker.Cp2p",
"share_level": "green",
"Confidence": 100,
"ttl": -1
}
]'


FYI, the command is working. When I remove the ttl field, the miner is added and the expiration is set to 24 hours.

1 accepted solution

Accepted Solutions

L7 Applicator

Hi @alyssonalmeida,

with ttl: -1 you are removing the indicator. You can use this to disable expiration:

{
[...]
    "ttl": "disabled"
}

Or you can create a new prototype based on stdlib.localDB and set the expiration to disabled by default:

age_out:
    sudden_death: true
    default: null


3 REPLIES 3

How do you enable the ttl after it has been disabled?

I tried setting the ttl: -1, ttl: 0, ttl: enable, and ttl: enabled, but it still shows disabled when I look at the node indicator table in MineMeld.

Thanks.

Hi @lkrous,

you can do that by setting a valid ttl. Countdown to expiration will start from the update time.

{
    "indicator": "8.8.8.8",
    "type": "IPv4",
    "comment": "usual Google DNS Public IP",
    "share_level": "green",
    "confidence": 100,
    "ttl": 3600
}
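
Added example, not part of any post in this thread and not MineMeld's own code: a pre-flight check that classifies each record's ttl the way the replies above describe it ("disabled", a positive number, omitted, or 0/-1) and refuses to build the append payload when a value would remove an indicator. The function names and the sample records are assumptions made for illustration.

```python
import json

# ttl meanings below come from the thread; names and sample data are constructed.
def classify_ttl(record):
    """Return the effect the thread reports for this record's ttl value."""
    if "ttl" not in record:
        return "miner-default"          # asker saw a 24-hour expiration
    ttl = record["ttl"]
    if ttl == "disabled":
        return "never-expires"
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(ttl, int) and not isinstance(ttl, bool):
        # positive: countdown starts at update time; 0 and -1 remove the indicator
        return "expires" if ttl > 0 else "removes-indicator"
    return "unsupported"                # e.g. "enable"/"enabled" had no effect


def build_payload(records, allow_removal=False):
    """Validate records and return the JSON body for the append call."""
    for rec in records:
        if not rec.get("indicator") or not rec.get("type"):
            raise ValueError(f"missing indicator or type: {rec!r}")
        effect = classify_ttl(rec)
        if effect == "unsupported":
            raise ValueError(f"ttl {rec['ttl']!r} is not a value shown to work")
        if effect == "removes-indicator" and not allow_removal:
            raise ValueError(f"ttl {rec['ttl']!r} would remove {rec['indicator']}")
    return json.dumps(records, indent=2)


# Constructed sample records (documentation address range, not real indicators)
SAMPLE = [
    {"indicator": "192.0.2.10", "type": "IPv4", "share_level": "green",
     "confidence": 100, "ttl": "disabled"},
    {"indicator": "192.0.2.11", "type": "IPv4", "share_level": "green",
     "confidence": 100, "ttl": 3600},
    {"indicator": "192.0.2.12", "type": "IPv4", "share_level": "green",
     "confidence": 100},
]

if __name__ == "__main__":
    print(build_payload(SAMPLE))
    try:
        build_payload([{"indicator": "192.0.2.13", "type": "IPv4", "ttl": -1}])
    except ValueError as err:
        print("rejected:", err)
```

The returned string can be passed as the `-d` body of the curl call shown in the question.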