[Oisf-users] Fwsam Functionality

Champ Clark III cclark at quadrantsec.com
Mon Jul 15 18:32:06 UTC 2019

> I'm not aware of any attempts to port fwsam to another tool. Maybe it's
> something for your 'meer' tool?

Hello Victor, 

I 100% agree.  This isn't something that needs to be in Suricata.  Snortsam is pretty old and not actively maintained. 

Here's what I chose to do. 

Rather than making a Snortsam plugin,  we've made an "external" plugin for Meer.  This allows Meer to execute a command when a signature is hit.  While it's a bit more expensive to call execl() in Meer, it allows the user to not only call the "snortsam" command line tool, but execute Perl/Python/iptables/mysql/whatever scripts.  

Meer hands the "external" program the Suricata EVE data.  It's up to the user to decode that and do whatever action they want.

One issue we ran into was telling Meer "what" signatures we want to execute the external program on.  At first,  we thought we might be able to use the rule's "action" (alert/drop/reject/etc).  However,  it appears that when Suricata is not in an inline IPS mode and a rule is set to "drop" the EVE action still reports "allowed".  Even if that had worked,  this solution would not have indicated what (ip_src, ip_dest) to drop. 

To get around this,  we have Meer look into the rule's "msg" field for a drop indicator.  For rules we want Meer to drop (execute an "external" program on),  we add to the "msg" field the word "FIREWALL".   This accomplishes two things.   It informs the user that the rule should have been "firewalled" via Meer.   This was something that was annoying about Snortsam.  There was no indication,  other than manually looking at the rule,  that the rule had Snortsam keywords or not. 

Secondly, by making the "msg" field "FIREWALL SRC" or "FIREWALL DST",  we can have the external program called by Meer direct what direction to firewall.

I think this is a much better solution than supporting Snortsam.  I'm still working on some example scripts and will hopefully have it pushed to the Meer repo today or tomorrow. 

This was the best way to deal with this situation that I came up with.  I would love to hear anyone else's ideas/thoughts on the matter.

Thank you!
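As an added illustration (not Champ's code, and not part of the Meer repo), here is what an "external" script of the kind described above could do with the EVE alert it is handed: ignore the unreliable `alert.action`, read the direction word after `FIREWALL` in the signature message, pick the matching IP, refuse to act on safelisted ranges, and build (but not run) the iptables command. The sample EVE record and the safelist are constructed for the example.

```python
import ipaddress
import json

# Marker word placed in the rule "msg" field, followed by SRC or DST.
MARKER = "FIREWALL"

# Constructed sample EVE alert line (not real traffic); note action is
# "allowed" even though the rule is meant to trigger a block.
SAMPLE_EVE = json.dumps({
    "timestamp": "2019-07-15T18:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "203.0.113.10", "src_port": 44321,
    "dest_ip": "192.0.2.5", "dest_port": 22, "proto": "TCP",
    "alert": {"action": "allowed", "signature_id": 9000001,
              "signature": "FIREWALL SRC Example brute force attempt"},
})


def decide_block(eve_line, never_block=()):
    """Return (ip_to_block, signature) for an EVE alert whose signature
    carries 'FIREWALL SRC' or 'FIREWALL DST'; None if nothing to do."""
    event = json.loads(eve_line)
    if event.get("event_type") != "alert":
        return None
    alert = event.get("alert", {})
    words = alert.get("signature", "").upper().split()
    # Find MARKER immediately followed by a direction word. alert["action"]
    # is deliberately not consulted: it reads "allowed" when not inline.
    direction = None
    for i, word in enumerate(words[:-1]):
        if word == MARKER and words[i + 1] in ("SRC", "DST"):
            direction = words[i + 1]
            break
    if direction is None:
        return None
    ip = event.get("src_ip") if direction == "SRC" else event.get("dest_ip")
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    # Safety net: a rule can name either side of the flow, so never
    # firewall our own or otherwise safelisted networks.
    for net in never_block:
        if addr in ipaddress.ip_network(net):
            return None
    return (ip, alert.get("signature"))


def iptables_command(ip):
    """Build, without executing, the rule the script would hand to iptables."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
```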
