{"id":2296,"date":"2016-08-28T18:01:09","date_gmt":"2016-08-28T17:01:09","guid":{"rendered":"http:\/\/emtunc.org\/blog\/?p=2296"},"modified":"2016-08-28T18:01:09","modified_gmt":"2016-08-28T17:01:09","slug":"palo-alto-minemeld-example-configuration","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/08\/2016\/palo-alto-minemeld-example-configuration\/","title":{"rendered":"Palo Alto MineMeld Example Configuration"},"content":{"rendered":"<p>MineMeld is an <em>&#8220;extensible Threat Intelligence processing framework and the &#8216;multi-tool&#8217; of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks security platforms.&#8221;<\/em><\/p>\n<p>It was recently open-sourced by Palo Alto and can be found on <a href=\"https:\/\/github.com\/PaloAltoNetworks\" target=\"_blank\">GitHub<\/a>.<\/p>\n<p>Essentially it can be used to grab IP\/URL\/domain feeds from anywhere on the internet (a miner), aggregate and process the feed or feeds using regex if necessary (a processor) and publish them in a format suitable for use in an External Dynamic List object on a Palo Alto firewall (an output).<\/p>\n<p>Technically the outputs can be used for anything you want, but they work with dynamic lists on Palo Alto firewalls out of the box.<\/p>\n<p>I&#8217;ve only used MineMeld for a few weeks but I have a few feeds configured &#8211; I&#8217;ll go through the configuration of one of them now. 
It&#8217;s pretty straightforward but hopefully it&#8217;ll come in handy.<\/p>\n<h3>Blocking Tor Exit Nodes<\/h3>\n<p>In this example we&#8217;ll do the following:<\/p>\n<ul>\n<li>Configure the Tor exit node feed (miner)<\/li>\n<li>Configure an aggregator (processor)<\/li>\n<li>Configure the output in a format suitable for your PAN firewall (output)<\/li>\n<li>Configure a new External Dynamic List (EDL) object on your Palo to look for the output you created in MineMeld<\/li>\n<li>Create a new security policy on the firewall to block outbound access to the Tor exit nodes<\/li>\n<li>Confirm the EDL object on the firewall is being populated<\/li>\n<li>Confirm that traffic to Tor exit addresses is indeed being blocked<\/li>\n<\/ul>\n<p>Let&#8217;s get started&#8230; if you don&#8217;t have MineMeld set up already then you should probably do that first before continuing! You can <a href=\"https:\/\/live.paloaltonetworks.com\/t5\/MineMeld-Articles\/Running-MineMeld-on-VMWare-desktop\/ta-p\/72038\" target=\"_blank\">download the .ova<\/a> so you can use it in VMware (I have it set up on VMware Workstation at the moment) or <a href=\"https:\/\/live.paloaltonetworks.com\/t5\/MineMeld-Articles\/Manually-install-MineMeld-on-Ubuntu-Server-14-04\/ta-p\/98454\" target=\"_blank\">install it manually on Ubuntu<\/a> (installing it manually is probably best for a production environment).<\/p>\n<ol>\n<li>First let&#8217;s configure the Tor miner. This essentially sets up a process in MineMeld to go and grab the list of Tor exit nodes. Tor makes this information <a href=\"https:\/\/check.torproject.org\/exit-addresses\" target=\"_blank\">available publicly<\/a>. As you can see, the format is not suitable for import just yet. Click <strong>Config<\/strong> in MineMeld. You&#8217;ll see a bunch of default miners, processors and outputs. I deleted all of them as they weren&#8217;t useful for me.<br \/>\nClick the Add button and give the miner a useful name. 
From the prototype dropdown select <strong>tor.exit_addresses<\/strong>. There are no inputs. Click Save.<a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.33.25.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2299\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.33.25.png\" alt=\"Screen Shot 2016-08-28 at 15.33.25\" width=\"807\" height=\"348\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.33.25.png 807w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.33.25-300x129.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.33.25-768x331.png 768w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/a><\/li>\n<li>Now we want to set up a feed aggregator\/processor. Click the Add button again and this time choose the processor <strong>stdlib.aggregatorIPv4Generic<\/strong>.<a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.37.28.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2300\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.37.28.png\" alt=\"Screen Shot 2016-08-28 at 15.37.28\" width=\"795\" height=\"273\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.37.28.png 795w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.37.28-300x103.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.37.28-768x264.png 768w\" sizes=\"auto, (max-width: 795px) 100vw, 795px\" \/><\/a><\/li>\n<li>Lastly we want to create an output. This is essentially a clean, formatted version of the raw IP addresses we saw in step 1. 
Click the Add button, give the output an appropriate name and select <strong>stdlib.feedHCGreen<\/strong> from the dropdown. Make sure you select the processor\/aggregator as the input.<a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.53.37.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2301\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.53.37.png\" alt=\"Screen Shot 2016-08-28 at 15.53.37\" width=\"796\" height=\"276\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.53.37.png 796w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.53.37-300x104.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.53.37-768x266.png 768w\" sizes=\"auto, (max-width: 796px) 100vw, 796px\" \/><\/a><\/li>\n<li>Commit the changes by clicking on the Commit button on the top left of the Config screen. Within a few minutes your <strong>Nodes<\/strong> page should look like the one below. 
Don&#8217;t forget that if you are blocking the tor App-ID on your Palo, MineMeld won&#8217;t be able to get the IP address list from the Tor web server!<a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.57.40.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2302\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.57.40.png\" alt=\"Screen Shot 2016-08-28 at 15.57.40\" width=\"1227\" height=\"461\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.57.40.png 1227w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.57.40-300x113.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.57.40-768x289.png 768w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-15.57.40-1024x385.png 1024w\" sizes=\"auto, (max-width: 1227px) 100vw, 1227px\" \/><\/a>If you click the tor-exit-nodes-output node, you&#8217;ll see a <strong>feed base url<\/strong> field with a direct link to the feed, which is now hosted on your MineMeld server. 
This is what we&#8217;ll use in the Palo next.\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.01.57.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2303\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.01.57.png\" alt=\"Screen Shot 2016-08-28 at 16.01.57\" width=\"1004\" height=\"537\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.01.57.png 1004w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.01.57-300x160.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.01.57-768x411.png 768w\" sizes=\"auto, (max-width: 1004px) 100vw, 1004px\" \/><\/a><\/p><\/li>\n<li>Now let&#8217;s create an External Dynamic List object on the firewall. Click <strong>Objects<\/strong> then <strong>External Dynamic List<\/strong>. Click <strong>Add<\/strong> and fill in the details &#8211; the most important is the feed URL, which is the one we looked at just above. Click <strong>Test Source URL<\/strong>, which should report back a success message. 
If it doesn&#8217;t, ensure your Palo can reach your MineMeld server.<a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.17.39.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2305\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.17.39.png\" alt=\"Screen Shot 2016-08-28 at 16.17.39\" width=\"492\" height=\"206\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.17.39.png 492w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.17.39-300x126.png 300w\" sizes=\"auto, (max-width: 492px) 100vw, 492px\" \/><\/a><\/li>\n<li>Now we&#8217;ll create a security policy that will block all outbound access to this dynamic list, i.e. the Tor exit node IPs. Create a security policy as you normally would, but this time put the new External Dynamic List as the destination address. For example:<a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.25.37.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2306\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.25.37.png\" alt=\"Screen Shot 2016-08-28 at 16.25.37\" width=\"1048\" height=\"74\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.25.37.png 1048w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.25.37-300x21.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.25.37-768x54.png 768w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.25.37-1024x72.png 1024w\" sizes=\"auto, (max-width: 1048px) 100vw, 1048px\" \/><\/a><\/li>\n<li>Now we want to make sure the EDL is being populated correctly on the firewall. 
Log in to the CLI and run the following command:\n<pre class=\"lang:default decode:true \">request system external-list show type ip name minemeld-tor-exit-nodes<\/pre>\n<p>You should see something like this if the firewall is successfully pulling the information down from your MineMeld server.<\/p>\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.29.08.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2307\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.29.08.png\" alt=\"Screen Shot 2016-08-28 at 16.29.08\" width=\"583\" height=\"230\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.29.08.png 583w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.29.08-300x118.png 300w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/a><\/p><\/li>\n<li>Finally&#8230; time to test the block list to make sure we&#8217;re actually blocking requests to the Tor exit nodes. I attempted to initiate a few requests to a Tor exit node via HTTP, HTTPS and SSH. 
As expected, they were all blocked by the firewall:<a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.32.27.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2308\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.32.27.png\" alt=\"Screen Shot 2016-08-28 at 16.32.27\" width=\"1000\" height=\"491\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.32.27.png 1000w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.32.27-300x147.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2016\/08\/Screen-Shot-2016-08-28-at-16.32.27-768x377.png 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>MineMeld is an &#8220;extensible Threat Intelligence processing framework and the &#8216;multi-tool&#8217; of threat indicator feeds. 
Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks security platforms.&#8221; It was recently [&hellip;]<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[249,248,220],"class_list":["post-2296","post","type-post","status-publish","format-standard","hentry","category-tech","tag-external-dynamic-list","tag-minemeld","tag-palo-alto"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-B2","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=2296"}],"version-history":[{"count":6,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2296\/revisions"}],"predecessor-version":[{"id":2311,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2296\/revisions\/2311"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=2296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=2296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=2296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}