MineMeld Support

MineMeld is an open source threat feed management system that gathers IP addresses, URLs, and domains which pose a significant network security threat. The threat feed sources can either be free, subscription-based or proprietary.  MineMeld re-scans the feeds at regular time intervals and continuously aggregates and updates the set of all threat indicators to be consumed by fierwalls, IDS/IPS, or any other security device.

MetaFlows now includes MineMeld public threat feeds to augment our existing intelligence sources. The public threat feeds amount to about 200,000 additional indicators updated every few hours. Users also have the ability to add site-specific (either subscription-based or private) MimeMeld sources.

IPv4 and URL/Domain indicators are treated differently.

IPv4 feeds

The default MineMeld IPv4 feeds processed by MetaFlows are below:

Source Current Number of Indicators
https://lists.blocklist.de/lists/all.txt 56953
https://feodotracker.abuse.ch/blocklist.php?download=badips 61
https://www.binarydefense.com/banlist.txt 4098
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt 459
https://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt 2473
https://www.dshield.org/block.txt 20
http://malc0de.com/bl/IP_Blacklist.txt 105
http://www.malwaredomainlist.com/hostslist/ip.txt 1001
http://reputation.alienvault.com/reputation.data 70666
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt 315
https://www.spamhaus.org/drop/drop.txt 770
https://www.spamhaus.org/drop/edrop.txt 113
https://sslbl.abuse.ch/blacklist/sslipblacklist.csv 136

MineMeld IPv4 addresses are compiled in a set of IDS/IPS rules designed to alert or block communications to blacklisted addresses.  MetaFlows uses a proprietary technique to quickly look through this huge list of addresses (140,000+) and therefore does not require specialized hardware for hi-speed networks.

reputation ruleset


The MineMeld IPv4 feeds are in the mmreputation.rules configuration file that can be accessed through the existing IDS rule management UI. The feeds are  not activated by default but users can activate them in IDS or IPS mode with just a few clicks. If enabled, these rules can be very useful to detect and/or prevent communication to questionable hosts on the Internet.


All the IP addresses are reduced to approximately 40 separate signatures. Each signature corresponds to a specific feed source (for example blocklist_de) or intersections of sources where the IPv4 address is present in more than one source (for example blocklist_de_alienvault.reputation). This decomposition provides additional operational awareness that can be used to prioritize which set of IPs to alert on or block. Enabling or blocking individual signatures therefore affects  a dynamically changing set of potentially thousands of IPs updated every few hours that map to a single threat feed or the intersection of multiple threat feeds.

Users also have the option of adding site-specify MineMeld IPv4 feeds to enable additional commercial MineMeld subscriptions independently purchased or other proprietary feeds.

Entering the URL as shown above, will automatically add the custom MineMeld reputation feed into the customer’s configuration and the local rule corresponding to the feed can then be managed as the other public MineMeld feeds.

URL and Domain FeedS

The MineMeld domain and URL feeds processed by MetaFlows are below:

Source Current Number of Indicators
https://www.badips.com/get/list/any/3?age=2w 33593
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt 719
http://malc0de.com/bl/BOOT 111
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt 1903
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt 11567
https://ransomwaretracker.abuse.ch/downloads/TC_DS_URLBL.txt 271
https://urlhaus.abuse.ch/downloads/text/ 102880
http://vxvault.net/URL_List.php 101

These feeds are used to detect when:

  • A user issues an HTTP request to a URL or domain deemed to be malicious or
  • A user receives an email containing a malicious URL or link to a malicious domain whether or not the user clicks on the links.

When either of these two conditions occur, a high priority even is generated that can be used to block those specific communications.

There is also a an additional option to enable real time email notification. When bad emails are detected, users also get a warning email instructing them to discard the email.

MineMeld support will automatically be added next time your system self updates or if the sensor software is restarted.