<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div data-marker="__QUOTED_TEXT__">First off, thank you all for your input. It has really helped!</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">Here is what we are currently doing with Meer, based on the advice from the Suricata mailing list.</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">We noticed that many rules already have "policy" metadata in them. For example:</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">metadata:policy max-detect-ips drop, policy security-ips drop, service smtp;</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">We decided to make Meer leverage this data at the user's discretion. The idea here is that when an IPS policy is encountered, the "external" program is executed.
Here is the example meer.yaml for this:</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">--&lt;snip&gt;--</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__"><pre>external:

  enabled: yes
  debug: no
  metadata-security-ips: enabled
  metadata-max-detect-ips: enabled
  program: "/path/to/my/program.py"
</pre></div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">--&lt;snip&gt;--</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">The "metadata-security-ips" and "metadata-max-detect-ips" options allow you to enable/disable execution of an external program when Meer detects that these policies are set to "drop". If "enabled" and the policy is "drop", Meer will pass the program being executed a copy of the EVE log line via stdin. I've made a quick example "external" program in Perl. Obviously, you could use any programming language you want. Here is my example:</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__"><a href="https://github.com/beave/meer/blob/master/tools/external/external-program-http-get">https://github.com/beave/meer/blob/master/tools/external/external-program-http-get</a></div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">This is what Meer can do in its current state. The next step we've talked about is to build Meer-specific "metadata" flags.
I would love to get any input from the Suricata community about this. Here is what I've been thinking about:</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">This would extend the functionality of the "external" Meer output module.</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">metadata:meer filename:/path/to/my/program.py,meer args: --drop $src_ip;</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">The EVE from the above looks like this:</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">"metadata":{"meer":["args: --drop $src_ip","filename:\/path\/to\/my\/program.py"]}}</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">The idea here would be that you could pass which program you want to execute along with command line arguments. The $src_ip and $dest_ip would be placeholders for Meer to pass the decoded source IP and destination IP via the command line (args). Other placeholders ($signature_id, $signature, etc.) would exist.
</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">For something like a future "email" output module, the metadata might be similar to:</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">metadata:meer email:bob@example.com frank@example.com;</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">The EVE output is:</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">"metadata":{"meer":["email:bob@example.com frank@example.com"]}}</div><div data-marker="__QUOTED_TEXT__"><br></div><div data-marker="__QUOTED_TEXT__">The idea would be to transparently control Meer through the Suricata metadata. I have not started working on the code for this yet and I would love to get any input.</div><div data-marker="__QUOTED_TEXT__"><br>Thank you.</div><div data-marker="__QUOTED_TEXT__"><br></div></div></body></html>
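The mechanism the post describes, as an added example that is not Meer's own code and not the Perl script linked above: a Python "external" program of the kind Meer hands an EVE line to on stdin, which checks the rule's "policy" metadata for "drop" the way the metadata-security-ips / metadata-max-detect-ips switches would, and a reference implementation of the proposed "meer" metadata placeholders ($src_ip, $dest_ip, $signature_id, $signature). The EVE field layout follows Suricata's alert format; the "filename:" / "args:" keys are the proposal from the post; ENABLED_POLICIES stands in for the meer.yaml switches; and the sample event is constructed, not captured. All of those are assumptions of this example.

```python
"""
Added example (not Meer's code and not the tools/external script from the post):
an "external" program that reads one EVE alert line from stdin, reports which
enabled IPS policies are set to "drop", and builds the argv that the proposed
"meer" metadata (filename:/args: with $placeholders) would run.
Assumptions: Suricata EVE alert layout (alert.metadata.policy as
"<policy> <action>" strings, alert.metadata.meer as "key:value" strings);
ENABLED_POLICIES mirrors the meer.yaml metadata-*-ips switches.
"""
import json
import re
import sys

# Constructed EVE alert line (not from a live sensor). The metadata mirrors the
# rule in the post: policy max-detect-ips drop, policy security-ips drop,
# service smtp, plus the proposed "meer" entries.
SAMPLE_EVE = json.dumps({
    "timestamp": "2020-01-01T00:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "203.0.113.7",
    "dest_ip": "192.0.2.25",
    "proto": "TCP",
    "alert": {
        "signature_id": 1000001,
        "signature": "TEST SMTP bad thing; with spaces",
        "metadata": {
            "policy": ["max-detect-ips drop", "security-ips drop"],
            "service": ["smtp"],
            "meer": ["args: --drop $src_ip --sid $signature_id --msg $signature",
                     "filename:/path/to/my/program.py"],
        },
    },
})

# Stand-in for metadata-security-ips / metadata-max-detect-ips: enabled.
ENABLED_POLICIES = ("security-ips", "max-detect-ips")


def load_sample():
    """Parse the constructed sample line (helper for callers and tests)."""
    return json.loads(SAMPLE_EVE)


def policies_set_to_drop(event, enabled=ENABLED_POLICIES):
    """Return the enabled IPS policies whose metadata value is exactly 'drop'.

    Suricata renders `metadata:policy security-ips drop` as the string
    "security-ips drop" under alert.metadata.policy, so require exactly
    "<policy> drop": a policy that says "alert" must not trigger the program.
    """
    entries = event.get("alert", {}).get("metadata", {}).get("policy", [])
    hits = set()
    for entry in entries:
        parts = entry.split()
        if len(parts) == 2 and parts[0] in enabled and parts[1] == "drop":
            hits.add(parts[0])
    return sorted(hits)


# Placeholders proposed in the post, resolved from the decoded EVE fields.
PLACEHOLDERS = {
    "src_ip": lambda e: str(e.get("src_ip", "")),
    "dest_ip": lambda e: str(e.get("dest_ip", "")),
    "signature_id": lambda e: str(e.get("alert", {}).get("signature_id", "")),
    "signature": lambda e: str(e.get("alert", {}).get("signature", "")),
}
# Longest names first so "$signature" cannot eat the prefix of "$signature_id".
_PLACEHOLDER_RE = re.compile(
    r"\$(" + "|".join(sorted(PLACEHOLDERS, key=len, reverse=True)) + r")")


def parse_meer_metadata(event):
    """Split the proposed alert.metadata.meer entries ("key:value") into a dict."""
    out = {}
    for entry in event.get("alert", {}).get("metadata", {}).get("meer", []):
        key, sep, value = entry.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def build_argv(event):
    """Build the argv for the rule's filename/args, or None if no filename.

    The rule author's args string is tokenised first and placeholders are
    expanded inside each token afterwards, so a packet-derived value such as a
    signature name with spaces stays one argument. The result is meant for
    exec()-style spawning (subprocess without shell=True), never a shell string.
    """
    meta = parse_meer_metadata(event)
    if "filename" not in meta:
        return None
    expand = lambda tok: _PLACEHOLDER_RE.sub(
        lambda m: PLACEHOLDERS[m.group(1)](event), tok)
    return [meta["filename"]] + [expand(tok) for tok in meta.get("args", "").split()]


def handle_eve_line(line, enabled=ENABLED_POLICIES):
    """What the external program does with one EVE line received on stdin."""
    event = json.loads(line)
    return {"drop_policies": policies_set_to_drop(event, enabled),
            "argv": build_argv(event)}


if __name__ == "__main__":
    # Meer writes the EVE line to stdin; fall back to the sample when run by hand.
    line = SAMPLE_EVE if sys.stdin.isatty() else sys.stdin.readline()
    print(json.dumps(handle_eve_line(line or SAMPLE_EVE), indent=2))
```

Run it as `echo "$EVE_LINE" | python3 external.py` to see the same decision Meer would make. The design choice worth keeping is in build_argv: split the trusted rule text into tokens before substituting packet-derived values, and pass the list to the process directly rather than through a shell, so a hostile signature name or payload field cannot add arguments or commands.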