Local indicators
MineMeld supports Miners where the list of indicators is stored in a local database inside the MineMeld instance. These Miners can be used to define a static list of malicious indicators or a static whitelist (for more details about using a Miner as a whitelist check the article https://live.paloaltonetworks.com/t5/MineMeld-Articles/Creating-whitelists/ta-p/72250).
You can add, delete and change the indicators stored in these Miners directly from the WebUI (the screenshot below shows an example of a whitelist; the same applies to lists of malicious indicators):
Prototypes for Miners of local indicators
stdlib.listDomainGeneric - List of domain indicators
stdlib.listIPv4Generic - List of IPv4 indicators
stdlib.listIPv6Generic - List of IPv6 indicators
stdlib.listURLGeneric - List of URL indicators
Uploading indicators to MineMeld
Using the MineMeld API you can upload indicators to Miners of local indicators. This can be automated using the minemeld-sync.py script: https://gist.github.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785
Requirements
To use the script, Python 2.7.9+ is required. If you are planning to run the script on Linux or Mac OS X, Python should already be available in your environment. Otherwise you can download and install Python from https://www.python.org
List of indicators
The list of indicators to be uploaded should be stored in a plain text file, one line per indicator:
8.8.8.8
8.8.4.4
10.0.0.0/8
You can also add comments to each indicator, to be stored in the indicator comment attribute in MineMeld:
# Google public DNS (this will be placed in the comment attribute)
8.8.8.8
# Google public DNS (this will be placed in the comment attribute)
8.8.4.4
# Private network (in the comment attribute, again)
10.0.0.0/8
You can also specify custom attributes, with the format @<attribute name>: <attribute value>:
# Google public DNS (this will be placed in the comment attribute)
# @direction: inbound
8.8.8.8
# Google public DNS (this will be placed in the comment attribute)
# @direction: inbound
8.8.4.4
# Private network (in the comment attribute, again)
# @direction: inbound
# @confidence: 60
10.0.0.0/8
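As an added example (not code from the minemeld-sync.py script itself), a Python 3 parser for this list format that also validates IPv4 entries before anything is sent to the Miner. How several comment lines are combined, the string typing of attribute values and the validation step are assumptions of this example, not documented behaviour of the script.

```python
import ipaddress
import re

# Constructed sample in the format described above: "# text" lines become the
# next indicator's comment, "# @name: value" lines its custom attributes.
SAMPLE = """\
# Google public DNS (this will be placed in the comment attribute)
# @direction: inbound
8.8.8.8

# Private network (in the comment attribute, again)
# @direction: inbound
# @confidence: 60
10.0.0.0/8
not-an-ip
"""
ATTR_RE = re.compile(r"^#\s*@([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")

def _is_ipv4(value):
    # True if value parses as an IPv4 address or CIDR network
    try:
        return ipaddress.ip_network(value, strict=False).version == 4
    except ValueError:
        return False

def parse_indicator_list(text, itype="IPv4"):
    """Return (indicators, rejected) for a list in the format above.
    Added assumptions: comment lines are joined with a space, attribute
    values stay strings, IPv4 entries are validated with ipaddress."""
    indicators, rejected, comment, attrs = [], [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored
        if line.startswith("#"):
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
            else:
                comment.append(line[1:].strip())
            continue
        if itype == "IPv4" and not _is_ipv4(line):
            rejected.append(line)  # report instead of uploading a bad entry
        else:
            entry = {"indicator": line, "type": itype, **attrs}
            if comment:
                entry["comment"] = " ".join(comment)
            indicators.append(entry)
        comment, attrs = [], {}  # pending metadata applies to one indicator only
    return indicators, rejected
```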
How to
Download the script from this webpage and save it in a file called minemeld-sync.py. If you have wget installed you can use:
wget -O minemeld-sync.py https://gist.githubusercontent.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785/raw
Use the following command line to upload the IPv4 indicators stored in the file indicators.lst to the MineMeld instance with URL https://192.168.1.1, using the username admin and password minemeld:
python minemeld-sync.py -m https://192.168.1.1 -u admin -p minemeld -t IPv4 --share-level red wlWhiteListIPv4 indicators.lst
(OPTIONAL) By default, old indicators are not removed from the Miner. If you prefer a full sync of the local list with the remote Miner, add the options --update and --delete to the command line:
python minemeld-sync.py -m https://192.168.1.1 -u admin -p minemeld -t IPv4 --delete --update --share-level red wlWhiteListIPv4 indicators.lst
Remote certificate verification
By default, the remote MineMeld certificate is verified using the certifi package (if installed), or using the CA bundle file or CA certs directory specified via the --ca-path option:
python minemeld-sync.py -m https://192.168.1.1 --ca-path /etc/ssl/certs -u admin -p minemeld -t IPv6 IPv6ListMiner my-ipv6-addresses.lst
To disable remote certificate verification use the option -k:
python minemeld-sync.py -m https://192.168.1.1 -k -u admin -p minemeld -t IPv6 IPv6ListMiner my-ipv6-addresses.lst