About alterioc

We are running Minemeld on CentOS7 (installed via Ansible). I am not able to delete any prototype or node that I've created. I get ERROR DELETING minemeld.<prototype/node>: TIMEOUT   Any idea what would cause this error and how to fix? I tried disabling the node before the delete but that didn't work either. I see nothing in the logs. Also can't find the command to display the minemeld version, to include it here, unfortunately.      Thanks for looking. ... View more

I'm trying to create a custom prototype to get the CIDRs from https://help.webex.com/en-us/WBX000028782/Network-Requirements-for-Webex-Teams-Services#Spark%20IP%20subnets%20for%20media/     I used the examples in https://live.paloaltonetworks.com/t5/MineMeld-Articles/MineMeld-to-Extract-Indicators-From-generic-API/ta-p/218757  and I'm using the minemeld.ft.http.HttpFT class, type IPv4,  but it isn't working.     I wanted to use: ignore_regex: ^(?!<li>) indicator: regex: '<li>(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\/\d{2})) \(CIDR\).*<\/li> transform: \1   This gets me nothing. If I remove the \(CIDR\).*<\/li> from the indicator I get just the first CIDR and no others. What am I doing wrong?   ... View more

In one of our firewalls we have zone A which has network x.x.x.x/24, and zone B which has network y.y.y.y/24. There is a rule allowing traffic between them. Some high-ranking people at my company need to be able to block this traffic automatically at any time.  I wrote a powershell script which is triggered by the incident management system when an authorized person submits a ticket.  The PS script uses the API to disable the rule that allows the traffic and then do a commit. It works, but ideally I'd like to use something that does not require a commit.   I read about dynamic ip address & tag registration via xml api and I want to use this method to populate a dynamic address group, and use that group in a deny rule above the allow rule. The match criteria for the address group will be dynamic tag "blockme"; the api will add tag "blockme" to x.x.x.x/24, that address will get added to the dynamic address group, and access will be blocked. I got it to work but it appears that I can only register one ip address per command (versus x.x.x.x/24).     The command I am using in the PS script is: $AddTag=Invoke-RestMethod -uri "https://<firewall>/api/?type=user-id&command=<uid-message><type>update</type><payload><register><entry ip=`"x.x.x.x`"><tag><member>blockme</member></tag></entry></register></payload></uid-message>&key=$key"   Is this possible to do?  My attempts have failed and I can't find an example where it's done.  If not, then has anyone else had a need to do something similar, and found a better way than what I'm doing? I looked at auto-tagging but it doesn't seem to be a good fit for this situation.      The firewall is running 8.1.  Thank you for reading. ... View more

We have been running Minemeld on Ubuntu 18.04LTS, but since that OS is EOL  I am working on a replacement server running CentOS 7. The server was built for me by the server team and was joined to the domain. I use my AD credentials to ssh to the server and then use sudo on the install commands. I used the instructions in github and the install worked fine. But I can't log into the MineMeld webui. I get bad credentials. I tried admin with the default password minemeld but it failed.  I'm guessing it's looking for the server admin creds which only the server admins know. But I also tried my AD creds that I use to login to the server over ssh (since I added my AD userid/pwd to the minemeld group per the install instructions on github). Those also failed. I also tried creating a local user account testmm01, changing the password,  and adding it to the minemeld group -- no luck. Ideally I would like use my AD account for login to the webui and not have to use admin for anything. I tried restarting the minemeld service, to no avail. Is it possible to do what I'm trying to do?  If so, what needs to be done so that the webui will accept my AD creds?  Thank you.   $ sudo yum install -y wget git gcc python-devel libffi-devel openssl-devel zlib-dev sqlite-devel bzip2-devel $ wget https://bootstrap.pypa.io/get-pip.py  $ sudo -H python get-pip.py $ sudo -H pip install ansible $ git clone https://github.com/PaloAltoNetworks/minemeld-ansible.git $ cd minemeld-ansible $ ansible-playbook -K -e "minemeld_version=master" -i 127.0.0.1, local.yml $ sudo useradd testmm01 $ sudo passwd testmm01 $ sudo usermod -a -G minemeld testmm01 ... View more

Running Minemeld on Ubuntu VM. I upgraded from 0.9.44 to 0.9.48 to get the o365 api miners.  The API miners fail with "Bad Request" I tried restarting the API but that did not resolve the issue. Can someone advise me on what to do to fix this problem? Thank you       ... View more