[Oisf-users] Fwsam Functionality

Eric Leblond eric at regit.org
Mon Jul 15 19:32:41 UTC 2019 

Hello,

On Mon, 2019-07-15 at 14:32 -0400, Champ Clark III wrote:
> > I've not aware of any attempts to port fwsam to another tool. Maybe
> > it's
> > something for your 'meer' tool?
> 
> Hello Victor, 
> 
> I 100% agree.  This isn't something that needs to be in
> Suricata.  Snortsam is pretty old and not actively maintained. 
> 
> Here's what I choose to do. 
> 
> Rather than making a Snortsam plugin,  we've made a "external" plugin
> for Meer.  This allows Meer to execute a command when a signature is
> hit.  While its a bit more expensive to call execl() in Meer, it
> allows the user to not only call the "snortsam" command line tool,
> but execute Perl/Python/iptables/mysql/whatever scripts.  
> 
> Meer hands the "external" program the Suricata EVE data.  It's up to
> the user to decode that and do whatever action they want.
> 
> One issue we ran into was telling Meer "what" signatures we want to
> execute the external program on.  At first,  we thought we might be
> able to use the rules "action" (alert/drop/reject/etc).  However,  it
> appears that when Suricata is not in an inline IPS mode and a rule is
> set to "drop" the EVE action still reports "allowed".  Even if that
> had worked,  this solution would not have indicated what (ip_src,
> ip_dest) to drop? 

This can be solved by using the target keyword that indicate which side
is the bad side. Rules writers seems not to have picked it (bad rules
writers) and that is a shame. Yes, please use this, it is trivial when
writing rules !

> To get around this,  we have Meer look into the rules "msg" field for
> a drop indicator.  For rules we want Meer to drop (execute an
> "external" progam on),  we add to the "msg" field the word
> "FIREWALL".   This accomplishes two things.   It informs the user
> that the rule should have been "firewalled" via Meer.   This was
> something that was annoying about Snortsam.  There was no
> indication,  other than manually looking at the rule,  that the rule
> had Snortsam keywords or not. 

Scirius is using a algorithm based on metadata and EXTERNAL_NET (bad
people outside) and HOME_NET usage in the signature to guess the
target. And then it applies a transformation to set target dynamically.
It is not perfect but give correct results.

> Secondly, by making the "msg" field "FIREWALL SRC" or "FIREWALL
> DST",  we can have the external program called by Meer direct what
> direction to firewall.
> 
> I think this is a much better solution then supporting Snortsam.  I'm
> still working on some example scripts and will hopefully have it
> pushed to the Meer repo today or tomorrow. 
> 
> This was the best way to deal with this situation that I came up
> with.  I would love to hear anyone elses ideas/thoughts on the
> matter.
> 
> Thank you!
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

More information about the Oisf-users mailing list