The CIF miner. We're experiencing some behavior that is different from what we expected with the number of indicators that persist after setting sudden_death:true, and are not sure if indicators are dropping from the feed that is pulled from the source or if there is other logic in the miner that is contributing to the behavior. When running a standard cif query, the number of indicators is consistent.
In the CIF Miner, queries are incremental, which basically means that:
- the first query performed after you create the node is for the last 7 days worth of indicators (this can be set using the initial_days parameter in the prototype)
- after the first query, each query will grab all the indicators added to the CIF server since the last poll
If you set sudden_death to true, only the indicators retrieved with the last query will be stored - all the old ones will be expired. The default behavior of the prototype is:
age_out:
    default: last_seen+30d
    sudden_death: false
That means that an indicator will survive for 30 days after the last time it was seen in a query.
That being said, you can edit the file /opt/minemeld/supervisors/config/conf.d/minemeld-engine.conf and add "--verbose" on the command line. After that, run "sudo service minemeld restart". You will then be able to see the CIF query in the minemeld-engine.log file.
After enabling the --verbose command line, I can see the CIF parameters of --reporttime and --reporttimeend with the values being about 60 minutes apart.
Essentially, I'm trying to understand the logic of the CIF miner to figure out how to properly configure a miner to receive the appropriate # of indicators from the feeds that we have access to while working within the limitations of the external block lists for the firewall model we utilize.
How does the last_seen value get calculated? Does minemeld store the indicators after each run, set the last_seen value for each indicator, and compare regularly? Thanks for your help - Bill
Yes, exactly. The CIF miner (like most of the Miners) has a local table where it stores indicators. The indicators are refreshed after each poll, and based on the final result the age out policy is applied. So basically, using a last_seen+30d age out policy, an indicator will expire 30 days after the last poll where it showed up.
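Added example, not code from this thread or from MineMeld itself: a small Python model of the behavior described in the two replies above (incremental query windows with a 7-day initial pull, a local table keyed on last_seen, and the difference between the default last_seen+30d age-out and sudden_death:true). The class and function names are hypothetical, the poll timestamps and indicator names are constructed, and the simplified age-out check stands in for whatever MineMeld does internally.

```python
from datetime import datetime, timedelta

# Constructed model of a MineMeld-style miner's local indicator table and
# age-out policy.  Not MineMeld's own code; all names here are hypothetical.


def query_window(last_poll, now, initial_days=7):
    """Return (reporttime, reporttimeend) for the next incremental query.

    The first poll after the node is created covers the last `initial_days`
    days (the initial_days prototype parameter); every later poll starts
    where the previous one ended.
    """
    if last_poll is None:
        return now - timedelta(days=initial_days), now
    return last_poll, now


class IndicatorTable:
    def __init__(self, age_out=timedelta(days=30), sudden_death=False):
        self.age_out = age_out          # models age_out.default: last_seen+30d
        self.sudden_death = sudden_death
        self.last_poll = None
        self.last_window = None         # (reporttime, reporttimeend) of last query
        self.table = {}                 # indicator -> last_seen timestamp

    def poll(self, now, indicators):
        """Merge one poll result into the table and apply the age-out policy.

        Returns the number of indicators that remain after this poll.
        """
        self.last_window = query_window(self.last_poll, now)
        self.last_poll = self.last_window[1]
        # every indicator returned by this query gets its last_seen refreshed
        for ind in indicators:
            self.table[ind] = now
        if self.sudden_death:
            # sudden_death: only indicators retrieved by this query survive
            self.table = {k: v for k, v in self.table.items() if v == now}
        else:
            # default: an indicator lives for age_out after it was last seen
            self.table = {k: v for k, v in self.table.items()
                          if now - v < self.age_out}
        return len(self.table)


def simulate(sudden_death):
    """Replay a constructed sequence of polls; return table size after each."""
    t0 = datetime(2020, 1, 1)
    tbl = IndicatorTable(sudden_death=sudden_death)
    polls = [
        (t0,                       ["a", "b", "c"]),  # initial 7-day pull
        (t0 + timedelta(hours=1),  ["d"]),            # hourly incremental poll
        (t0 + timedelta(days=10),  ["a"]),            # "a" shows up again
        (t0 + timedelta(days=35),  ["f"]),            # b, c, d now older than 30d
    ]
    return [tbl.poll(t, inds) for t, inds in polls]


if __name__ == "__main__":
    print("sudden_death=false:", simulate(False))  # [3, 4, 4, 2]
    print("sudden_death=true: ", simulate(True))   # [3, 1, 1, 1]
```

With the default policy the table keeps growing across hourly polls and only sheds an indicator 30 days after it was last returned, which is why the query count and the stored count differ; with sudden_death the stored set is just the last hourly window, which on a quiet feed can be far smaller than the source's full list.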