Minemeld Edl Input



  1. Palo Alto Minemeld Edl
  2. Minemeld Edl Palo Alto
  3. Minemeld Edl Input Command
Minemeld

Input: Threat Feeds. OSINT. Commercial. Organization (CERT, ISAC). Autofocus Processors. IPv4/IPv6 aggregator. URL aggregator. Domain aggregator Outputs. JSON. STIX/TAXII. External Dynamic List (EDL). Elastic Logstash End Point Enforcers Network Enforcers FW, IPS SIEM. Specify the EDL name for IP handling. Optional Miner This input determines whether Palo Alto Networks Minemeld is used. Specify Miner name to update with the malicious indicators. Optional StaticAddressGroup This input determines whether Palo Alto Networks Panorama or Firewall Static address groups are used.

MineMeld is an open source threat feed management system that gathers IP addresses, URLs, and domains which pose a significant network security threat. The threat feed sources can either be free, subscription-based or proprietary. MineMeld re-scans the feeds at regular time intervals and continuously aggregates and updates the set of all threat indicators to be consumed by fierwalls, IDS/IPS, or any other security device.

Minemeld

MetaFlows now includes MineMeld public threat feeds to augment our existing intelligence sources. The public threat feeds amount to about 200,000 additional indicators updated every few hours. Users also have the ability to add site-specific (either subscription-based or private) MimeMeld sources.

IPv4 and URL/Domain indicators are treated differently.

IPv4 feeds

The default MineMeld IPv4 feeds processed by MetaFlows are below:

SourceCurrent Number of Indicators
https://lists.blocklist.de/lists/all.txt56953
https://feodotracker.abuse.ch/blocklist.php?download=badips61
https://www.binarydefense.com/banlist.txt4098
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt459
https://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt2473
https://www.dshield.org/block.txt20
http://malc0de.com/bl/IP_Blacklist.txt105
http://www.malwaredomainlist.com/hostslist/ip.txt1001
http://reputation.alienvault.com/reputation.data70666
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt315
https://www.spamhaus.org/drop/drop.txt770
https://www.spamhaus.org/drop/edrop.txt113
https://sslbl.abuse.ch/blacklist/sslipblacklist.csv136

Palo Alto Minemeld Edl

MineMeld IPv4 addresses are compiled in a set of IDS/IPS rules designed to alert or block communications to blacklisted addresses. MetaFlows uses a proprietary technique to quickly look through this huge list of addresses (140,000+) and therefore does not require specialized hardware for hi-speed networks.

Minemeld Edl Input

The MineMeld IPv4 feeds are in the mmreputation.rules configuration file that can be accessed through the existing IDS rule management UI. The feeds are not activated by default but users can activate them in IDS or IPS mode with just a few clicks. If enabled, these rules can be very useful to detect and/or prevent communication to questionable hosts on the Internet.

All the IP addresses are reduced to approximately 40 separate signatures. Each signature corresponds to a specific feed source (for example blocklist_de) or intersections of sources where the IPv4 address is present in more than one source (for example blocklist_de_alienvault.reputation). This decomposition provides additional operational awareness that can be used to prioritize which set of IPs to alert on or block. Enabling or blocking individual signatures therefore affects a dynamically changing set of potentially thousands of IPs updated every few hours that map to a single threat feed or the intersection of multiple threat feeds.

Users also have the option of adding site-specify MineMeld IPv4 feeds to enable additional commercial MineMeld subscriptions independently purchased or other proprietary feeds.

Entering the URL as shown above, will automatically add the custom MineMeld reputation feed into the customer’s configuration and the local rule corresponding to the feed can then be managed as the other public MineMeld feeds.

URL and Domain FeedS

The MineMeld domain and URL feeds processed by MetaFlows are below:

SourceCurrent Number of Indicators
https://www.badips.com/get/list/any/3?age=2w33593
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt719
http://malc0de.com/bl/BOOT111
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt1903
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt11567
https://ransomwaretracker.abuse.ch/downloads/TC_DS_URLBL.txt271
https://urlhaus.abuse.ch/downloads/text/102880
http://vxvault.net/URL_List.php101

These feeds are used to detect when:

  • A user issues an HTTP request to a URL or domain deemed to be malicious or
  • A user receives an email containing a malicious URL or link to a malicious domain whether or not the user clicks on the links.

When either of these two conditions occur, a high priority even is generated that can be used to block those specific communications.

Minemeld Edl Palo Alto

There is also a an additional option to enable real time email notification. When bad emails are detected, users also get a warning email instructing them to discard the email.

Minemeld Edl Input Command

MineMeld support will automatically be added next time your system self updates or if the sensor software is restarted.