It appears that some STIX feeds (e.g. hailataxii : phishtank) tag entries with tlp:white .. which means that are excluded by the inbuilt outputs which seem to only go as low as green ... I would imagine this could catch many people out.. thoughts on adding a

tlp:*
and
confidence:>0

default for people to start with ?

This issue was opened by a bot called Community Health (PANW) because this repo has failed too many community health checks.

Repo maintainers: Please take the time to fix the issues in the table to reach the target score. These improvements will help others find your work and contribute to it. This issue will update as your score improves until it hits the target score.

Click More info for instructions to fix each item.

Current score: 50
Target threshold: 100
Total possible: 110

The number of returned values for some of our queries using CIF are, at times, very high and threatening to exceed the limitations of our PA gear. Can we get access to more of the CIF options for filtering such as limit, tlp, description or provider.

Hello Folks,

There are some updated miners that I would like to access in 0.9.70. When I run the auto update command it states I am on the best version @ 0.9.52...
The output I receive after running the auto update command

**2020-06-02 16:01:18,831 INFO:0.9.11 Current status:
2020-06-02 16:01:18,831 INFO:0.9.11 minemeld-engine: current: 0.9.52.post1 latest: 0.9.52.post1
2020-06-02 16:01:18,832 INFO:0.9.11 minemeld-webui: current: 0.9.52 latest: 0.9.52
2020-06-02 16:01:18,832 INFO:0.9.11 minemeld-prototypes: current: 0.9.52.post1 latest: 0.9.52.post1
2020-06-02 16:01:19,262 DEBUG:0.9.11 curl output:
2020-06-02 16:01:19,390 DEBUG:0.9.11 curl output:
2020-06-02 16:01:19,390 DEBUG:0.9.11 gpgv: /usr/bin/gpgv --ignore-time-conflict --keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/minemeld.gpg /tmp/mmaupackagesgpg8W__86 /tmp/mmaupackagesp5rJjD
2020-06-02 16:01:19,396 INFO:0.9.11 gpgv output: gpgv: Signature made Tue 15 Jan 2019 02:52:41 AM EST using RSA key ID 7B630999
gpgv: Good signature from "Palo Alto Networks, MineMeld Team [email protected]"
gpgv: aka "[invalid image]"

2020-06-02 16:01:19,402 INFO:0.9.11 No package to deploy, exit**

Thanks,
Eddie

EOM

Hello Team,

I have set up few IP miners and then processing through a inbound aggregator and then giving it to Logstash output,

Names have been customised as I have cloned the aggregator and output from existing prototypes.

I am not seeing any indicators in DARP-output [stdlib.localLogStash] . is it normal ? and can some one help me with logstash configuration for getting these indicators into a file.

i tried this but no success. dont know what i am missing. kind help is much appreciated.
#logstash configuration:
input {
tcp {
port => 5514
}
}

output {
file {
path =>/etc/logstash/minemeld-output.txt
}
}

According to the page, Ransomware Tracker has been discontinued on Dec 8th, 2019.

Please considering remove the miner.

Would be good to have a text or some for of list based data type so lists such as;
https://www.spamhaus.org/drop/asndrop.txt

Can be imported and parsed with regex such as;

(^.*)+(?=[\ ; ])...(..)+(?:.\|.)+(.*)

Place holder to build a prototype that pulls data from here

https://isc.sans.edu/api/threatlist/shodan/

For the purpose of creating "exclusion" ranges.

Prototypes should indicate the type of indicators produced inside the description, to facilitate config.

As taken from "https://github.com/botherder/targetedthreats" and in specific the amazing work by Nex @botherder from Amnesty International.

"Collection of IOCs related to targeting of civil society."

Proposed file to parse: https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv

There is no URL in the ETOPen.blockIPs prototype.

Prisma credentials not configured properly. Please reinstall and complete the configuration.

The feeds you have in bambenek.yml require a commercial license (and authentication) for commercial use. Is it possible to update the config to allow for entering of credentials for paid users?

Enhancement request - Would it possible for you to include MD5 to the stdlib taxii output node?
That would be very useful.

Hi,
I try to get an IP and url-list out of minemeld with all IP ranges and URLs of all MS Teams realated targets.

The prototype included with minemeld says "dreprecated" and seemr really as such, since there aren't any feeds collected.

Somwhere I read MS Teams is integrated with the Office365 URLs/IPs and so I configured some new miners as described in

https://live.paloaltonetworks.com/t5/minemeld-articles/enable-access-to-office-365-with-minemeld-updated/ta-p/224148

Despite Office365 works like a charm, while everything else is still blocked for the usergroup in the rule, MS Teams does not work...
In the log I see the following IPs which are dropped and are NOT part of the generated IP List

13.107.246.10
51.105.249.223
40.90.137.125
(and some others)

Is there a way I can adapt the information in the link to get a complete MS-Teams URL/IP List working?

Thansk a lot!

4920441

OpenBL.org is no longer maintained (sad day) .
"Sorry to announce but due to time and financial constraints http://OpenBL.org will stop updating end of April and shutdown end of May." - https://twitter.com/sshblorg?lang=en

So this prototype should be removed,

EOM

I am trying to parse IP's from Okta and am getting the following errors.

2018-10-08T19:10:20 (28038)basepoller._polling_loop ERROR: Okta-Test - Exception parsing ip_ranges
Traceback (most recent call last):
File "/opt/minemeld/engine/0.9.48.post1/local/lib/python2.7/site-packages/minemeld/ft/basepoller.py", line 606, in _polling_loop
ipairs = process_item(item)
File "/opt/minemeld/engine/0.9.48.post1/local/lib/python2.7/site-packages/minemeld/ft/json.py", line 192, in _process_item
indicator = item[self.indicator]

My Prototype config file looks like the following.

age_out:
default: null
interval: 3600
sudden_death: true
attributes:
confidence: 100
share_level: green
type: IPv4
extractor: oktapreview_com_1
indicator: ip_ranges
url: https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json

Can anyone help as to what I am doing wrong?

It should be https://feodotracker.abuse.ch/blocklist/?download=domainblocklist

The prototype feodotracker.domainblocklist no longer function as the service https://feodotracker.abuse.ch/blocklist/?download=domainblocklist no longer seems to offer a domain service.

Prototype just imports garbage now;

<p>
<p>&copy;
<p><a
<p>As
<p>By
<p>Dridex
<p>Feodo
<p>I
<p>If
<p>In
<p>The
<script
<section
<span
<title>Feodo
<ul
<ul>

Is it possible to add custom parameters to a list of feeds?

The need is to create an upload list for honeypot that has this format:

honeypot-ip | feed
10.10.0.90 feed.xyz
10.10.0.90 malware.xxx
10.10.0.90 abcdf.yyy
...

Is there already an output parameter that allows you to do this?

Add support for O365 Teams product in the O365 prototypes: https://live.paloaltonetworks.com/t5/MineMeld-Discussions/Customizing-Prototypes-in-Office365/m-p/157630#M1086

Ceased operations.

Could be cool have support for:

https://iocfeed.mrlooquer.com/

Miners requiring a 3rd party subscription should explicitly indicate that inside the description field.

Hello community,

I am struggling to get a prototype for https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes working.

Docs: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-overview/retrieve-ip-addresses-for-prisma-access

My config:
age_out:
default: null
interval: 257
sudden_death: true
attributes:
confidence: 100
share_level: green
type: IPv4
extractor: '*[].addrList[].{indicator:@}'
fields:

• indicator
  headers:
• header-api-key:XXXXXXXXXXXXXX
  indicator: indicator
  prefix: gpc
  source_name: ipv4.GPC
  url: https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes
  verify_cert: false

Is not working, all I get in return is a: : 'list' object has no attribute 'items'.

Any help is appreciated.

Is your feature request related to a problem?

MSFT is suggesting do split tunneling based on new categories: Optimize, Allow, Default from their URLs REST Service.

Describe the solution you'd like

Minemeld also detect and parse new parameters/columns, and update EDLs also based on these categories,

Describe alternatives you've considered

For COVID-19 crises, MSFT is keeping same address, so we parsing manually, according to this documentation: https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Optimizing-Office-365-Traffic/ta-p/319669

Additional context

Ref.:
https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Optimizing-Office-365-Traffic/ta-p/319669
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

As per https://torstatus.blutmagie.de;
Attention: This Tor Network Status site will be discontinued 11/06/2018, [email protected]

This site will no longer function after 6th November. Suggest migrating to using the torproject exit node list https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1