[Oisf-users] Fwsam Functionality

Champ Clark III cclark at quadrantsec.com
Fri Jul 19 03:54:42 UTC 2019

First off, thank you all for input. It has really helped! 

Here is what we are currently doing with Meer, based on the advice from the Suricata mailing list. 

We noticed that many rules already have metadata "policy" information in them. For example: 

metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; 

We decided to make Meer leverage this data at the user's discretion. The idea here is when an IPS policy is encountered, the "external" program is executed. Here is the example meer.yaml for this: 


enabled: yes 
debug: no 
metadata-security-ips: enabled 
metadata-max-detect-ips: enabled 
program: "/path/to/my/program.py" 


The "metadata-security-ips" and "metadata-max-detect-ips" allow you to enable/disable execution of an external program when Meer detects these policies are set to "drop". If "enabled" and the policy is "drop", Meer will pass the program being executed a copy of the EVE log line via stdin. I've made a quick example "external" program in Perl. Obviously, you could use any programming language you want. Here is my example: 

https://github.com/beave/meer/blob/master/tools/external/external-program-http-get 

This is what Meer can do in its current state. The next step we've talked about is to build Meer specific "metadata" flags. I would love to get any input from the Suricata community about this. Here is what I've been thinking about: 

This would extend the functionality of the "external" Meer output module. 

metadata:meer filename:/path/to/my/program.py,meer args: --drop $src_ip; 

The EVE from the above looks like this: 

"metadata":{"meer":["args: --drop $src_ip","filename:\/path\/to\/my\/program.py"]}} 

The idea here would be that you could pass what program you want to execute along with command line arguments. The $src_ip and $dest_ip would be placeholders for Meer to pass via the command line (args) the decoded source IP and destination IP. Other placeholders ($signature_id, $signature, etc) would exist. 

For something like a future "email" output module, might be similar to: 

metadata:meer email:bob at example.com frank at example.com; 

The EVE output is: 

"metadata":{"meer":["email:bob at example.com frank at example.com"]}} 

The idea would be to transparently control Meer through the Suricata metadata. I have not started working on the code for this yet and I would love to get any input. 

Thank you. 
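
A sketch of an external program that consumes the EVE line Meer writes to stdin, as an added example (it is not from the original post or the Meer project). It assumes the policy metadata appears under alert.metadata.policy as "name action" strings, following the EVE layout shown in the message; the sample event and the JSON decision it prints are constructed.

```python
#!/usr/bin/env python3
# Added example: a stand-in for /path/to/my/program.py. Meer runs it and
# writes one EVE alert (a single JSON line) to stdin.
import ipaddress
import json
import sys

# Policy names taken from the rule metadata quoted in the post.
WATCHED = {"security-ips", "max-detect-ips"}

# Constructed sample event (documentation addresses, made-up SID).
SAMPLE = ('{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.25",'
          '"alert":{"signature_id":1000001,"signature":"constructed sample",'
          '"metadata":{"policy":["max-detect-ips drop","security-ips drop"],'
          '"service":["smtp"]}}}')


def drop_policies(event):
    """Return the watched policies that the rule metadata sets to 'drop'."""
    meta = (event.get("alert") or {}).get("metadata") or {}
    hits = set()
    for entry in meta.get("policy", []):
        parts = entry.split()
        if len(parts) == 2 and parts[0] in WATCHED and parts[1] == "drop":
            hits.add(parts[0])
    return sorted(hits)


def decide(line):
    """Parse one EVE line; return a block decision dict, or None to ignore it."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("event_type") != "alert":
        return None
    policies = drop_policies(event)
    if not policies:
        return None
    try:
        # Validate before the value goes anywhere near a firewall or a shell.
        src = ipaddress.ip_address(event.get("src_ip", ""))
    except ValueError:
        return None
    if src.is_loopback or src.is_unspecified or src.is_multicast:
        return None
    return {"block": str(src), "sid": event["alert"].get("signature_id"),
            "policies": policies}


if __name__ == "__main__":
    decision = decide(sys.stdin.readline())
    if decision:
        print(json.dumps(decision))  # replace with the real blocking action
```

The same address validation applies to the proposed $src_ip and $dest_ip placeholders: values taken from an event should reach the external program as separate, validated arguments rather than as a string a shell interprets.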
