
Miner Node and its functionality

MineMeld has three main components, each referred to as a node.


1. Input (Miner)
The Miner node contacts external entities for threat indicators. Threat indicators may
include bad IPs, malware hashes, bad domains, malicious code, etc. It can fetch a
threat feed by URL or API. Threat indicators can also be uploaded from a local
PC.
2. Processor (Aggregator)
Problems with threat data feeds:
- May contain errors
- Redundancy in data when received from multiple external entities
- False positives
The Processor node addresses these issues. It receives indicators from Miners,
aggregates them, eliminates redundancy, and merges different sets of metadata for
the same indicator. For example, a common type of processor is one that receives
only IPv4 indicators.
3. Output Node
It receives indicators from Processors, formats the indicators and allows MineMeld to
dynamically send the indicators to its subscribers.
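
The Processor behaviour described in item 2 (drop malformed entries, remove duplicates, merge metadata for the same IPv4 indicator), as an added Python sketch that is not MineMeld's own code. The miner names, metadata fields and the merge policy (highest confidence, union of tags) are assumptions, and the sample updates are constructed.

```python
import ipaddress

# Constructed sample: (miner name, raw indicator, metadata) as two
# hypothetical miners might emit them. Field names are assumptions.
SAMPLE_UPDATES = [
    ("miner_feed_a", "198.51.100.7", {"confidence": 60, "tag": "scanner"}),
    ("miner_feed_b", "198.51.100.7", {"confidence": 85, "tag": "botnet"}),
    ("miner_feed_a", "203.0.113.0/30", {"confidence": 70}),
    ("miner_feed_b", "203.0.113.256", {"confidence": 90}),    # malformed octet
    ("miner_feed_b", "bad.example.net", {"confidence": 90}),  # not an IPv4 indicator
    ("miner_feed_a", " 198.51.100.7 ", {"confidence": 40}),   # duplicate with padding
]


def normalize_ipv4(raw):
    """Return a canonical IPv4 address or CIDR string, or None if invalid."""
    try:
        net = ipaddress.IPv4Network(raw.strip(), strict=False)
    except ValueError:
        return None
    # Single hosts are stored without the /32 suffix so duplicates collapse.
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def aggregate(updates):
    """Deduplicate indicators and merge metadata from every reporting miner."""
    table, rejected = {}, []
    for source, raw, meta in updates:
        key = normalize_ipv4(raw)
        if key is None:
            rejected.append((source, raw))  # keep for feed-quality review
            continue
        entry = table.setdefault(key, {"sources": [], "confidence": 0, "tags": []})
        if source not in entry["sources"]:
            entry["sources"].append(source)
        # Merge policy (assumption): highest confidence wins, tags are unioned.
        entry["confidence"] = max(entry["confidence"], meta.get("confidence", 0))
        if "tag" in meta and meta["tag"] not in entry["tags"]:
            entry["tags"].append(meta["tag"])
    return table, rejected


if __name__ == "__main__":
    merged, dropped = aggregate(SAMPLE_UPDATES)
    for indicator, meta in sorted(merged.items()):
        print(indicator, meta)
    print("rejected:", dropped)
```

Recording the rejected entries per miner, instead of silently discarding them, shows which feed is the source of malformed data.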

[Figure: MineMeld data flow: Threat Intelligence Provider → Miner Node → Processor Node → Output Node → Subscriber (Firewall)]

Basic Steps for the creation of Miner Node:
1. Create prototype
2. Create Miner and link it with the prototype created in step 1
3. Link the Miner with the Processor Node (Aggregator)
Step 1:
First, we need to create a prototype that will later be used in the Miner node.
Config → →Click any prototype of your choice → New →

There are two important fields in the above figure: Class and Config.
Class is predefined and defines what type of processing is applied to the
indicators. The parameters for this class are supplied by the Config attributes.
Class url:
https://github.com/PaloAltoNetworks/minemeld-core/blob/master/minemeld/ft/http.py
Step 2:
New prototype created for use in Miner creation:

- Press clone to create the corresponding Miner:


Step 3:
Now connect this Miner to the Processor.

- Press Commit to apply the change.


The Miner node is now attached to the Processor node. The threat data feed
can now pass from the Miner to the Processor and on to the Output node for
consumption by the subscriber.
