5. Database/File Configuration & Rights¶
5.1. Directories and rights¶
Meer keeps track of its actions in the meer.log and its position in the Sagan or Suricata EVE output file
through a “waldo” file. This means that Meer will need an area to record data to. The default location of these
files is in the /var/log/meer directory. You will need to create and assign this directory the proper rights.
Making directories & assigning rights:
sudo mkdir /var/log/meer
sudo chown suricata /var/log/meer # Chown to 'sagan' if using with Sagan!
You will need to adjust your meer.yaml rights in the runas option to match your permissions.
5.2. Setting up a new database¶
If you do not have a database already configured to receive alerts, the instructions below will help
you get started. First, you will need to create a database. For the purpose of this document
the target database will be known as example_database. Database schemas are stored in the meer/sql directory.
Creating the example_database with MySQL/MariaDB:
mysqladmin -u root -p create example_database
mysql -u root -p example_database < sql/create_mysql
When using PostgreSQL, use the meer/sql/create_postgresql schema file.
5.3. Using an old database¶
If you have a legacy database that you wish to convert, do the following with MySQL/MariaDB:
mysql -u root -p example_database < sql/extend_mysql
This will create new tables (https, flows, dns, etc).
5.4. Setting database rights¶
It is important to setup the proper rights when using Meer. Meer needs only INSERT and SELECT on all tables.
It will need INSERT, SELECT and UPDATE on the example_database.sensor table.
With MySQL/MariaDB:
GRANT INSERT,SELECT ON example_database.* to myusername@127.0.0.1 identified by 'mypassword`;
GRANT INSERT,SELECT,UPDATE,INSERT ON example_database.sensor to myusername@127.0.0.1 identified by 'mypassword';
6. Meer ‘core’ configuration:¶
Meers operations are mainly controlled by the meer.yaml file. The configuration file is split into two sections. The meer-core controls how Meer processes incoming data from EVE files. The output-plugins controls how data extracted from the EVE files is transported to a database backend.
6.1. ‘meer-core’ example¶
meer-core:
core:
hostname: "mysensor" # Unique name for this sensor (no spaces)
interface: "eth0" # Can be anything. Sagan "syslog", suricata "eth0".
runas: "suricata" # User to "drop privileges" too.
#runas: "sagan"
classification: "/etc/suricata/classification.config"
#classification: "/usr/local/etc/sagan-rules/classification.config"
meer_log: "/var/log/meer/meer.log" # Meer log file
# Meer can decode various types of data from within an "alert". This
# section enabled/disabled various JSON decoders.
metadata: enabled
flow: enabled
http: enabled
tls: enabled
ssh: enabled
smtp: enabled
email: enabled
json: enabled # Original JSON from EVE
# This enables the "fingerprint" option. When used in conjunction with the
# "fingerprint.rules" (https://github.com/quadrantsec/fingerprint-rules),
# this will record things like operating system type, type of system it is
# (client/server), etc. This data get routed differently and does not
# generate "alerts".
fingerprint: enabled
fingerprint_log: "/tmp/fingerprint.eve"
# "client_stats" are specific to Sagan and allow Sagan/Meer to record
# informatin about systems sending Sagan data. This has no affect on
# Suricata.
client_stats: disabled
# If "dns" is enabled, Meer will do reverse DNS (PTR) lookups of an IP.
# The "dns_cache" is the amount of time Meer should "cache" a PTR record.
# The DNS cache prevents Meer from doing repeated lookups of an
# already looked-up PTR record. This reduces over-loading DNS servers.
dns: enabled
dns_cache: 900 # Time in seconds.
# "health" checks are a set of signatures that are triggered every so
# often to ensure a sensor is up and operational. When these events
# are triggered, they are not stored into the database as normal alert
# data. For example, with MySQL/MariaDB output enabled, they update the
# "sensor.health" table with the current epoch time. Think of these
# events like a "ping" for your sensor. This can be useful for detecting
# when Meer, Suricata, or Sagan have "died" unexpectedly.
health: enabled
health_signatures: 20000001,20000002,20000003,20000004
waldo_file: "/var/log/meer/meer.waldo" # Where to store the last
# position in the
# "follow-eve" file.
lock_file: "/var/log/meer/meer.lck" # To prevent dueling processes.
follow_eve: "/var/log/suricata/alert.json" # The Suricata/Sagan file to monitor
#follow_eve: "/var/log/sagan/alert.json
6.2. ‘meer-core’ options¶
Below describes the options in the meer-core section of the meer.yaml.
6.2.1. hostname¶
- This is stored in the database in the
sensortable under thehostnamecolumn. - The
interfaceis appended to thehostname. This option is required.
6.2.2. interface¶
The interface is stored in the sensor table appended to the hostname and
interface columns. This describes in what interface the data was collected. This can
be any descriptive string. For example, “eth0”, “syslog”, etc. This option is required.
6.2.3. runas¶
This is the user name the Meer process should “drop privileges” to. You will likely
want to run Meer as the same user name that is collecting information. For example,
“sagan” or “suricata”. The runas can protect your system from security flaws in
Meer. Do not run as “root”. This option is required.
6.2.4. classification¶
The classification option tells Meer where to find classification types. This file
typically ships with Sagan, Suricata, and Snort rules. It defines a ‘classtype’ (for
example, “attempt-recon”) and assigns a numeric priority to the event. This option is
required.
6.2.5. meer_log¶
The meer_log is the location of the file for Meer to record errors and statistics
to. The file will need to be writable by the same user specified in the runas
option.
6.2.6. metadata¶
The metadata option tells Meer to decode “metadata” from Suricata or Sagan. If
the “metadata” is present in the alert, Meer will decode it and store its contents
in memory for later use.
6.2.7. flow¶
The flow option tells Meer to decode “flow” data from Suricata or Sagan. If
the “flow” JSON is present in the alert, Meer will decode it and store its contents
in memory for later use.
6.2.8. http¶
The http option tells Meer to decode “http” data from Suricata or Sagan. If
the “http” JSON is present in the alert, Meer will decode it and store its contents
in memory for later use.
6.2.9. tls¶
The tls option tells Meer to decode “tls” data from Suricata or Sagan. If
the “tls” JSON is present in the alert, Meer will decode it and store its contents
in memory for later use.
6.2.10. ssh¶
The ssh option tells Meer to decode “ssh” data from Suricata or Sagan. If
the “ssh” JSON is present in the alert, Meer will decode it and store its contents
in memory for later use.
6.2.11. smtp¶
The smtp option tells Meer to decode “smtp” data from Suricata or Sagan. If
the “smtp” JSON is present in the alert, Meer will decode it and store its contents
in memory for later use.
6.2.12. email¶
The email option tells Meer to decode “email” data from Suricata or Sagan. If
the “email” JSON is present in the alert, Meer will decode it and store its contents
in memory for later use. This is not to be confused with smtp. The data from
email will contain information like e-mail file attachments, carbon copies, etc.
6.2.13. json¶
The json option tells Meer to store the original JSON/EVE event. This is the
raw event that Meer has read in.
6.2.14. fingerprint¶
The fingerprint option tells Meer to decode “fingerprint” rules and route the
data differently. Fingerprint rules do not work like normal rules. The data from
these rules is used to passively fingerprint systems for operating systems and types
(client/server). This information can be valuable to determine if an attack might have
been successful or not. Fingerprint rules are located at https://github.com/quadrantsec/fingerprint-rules.
6.2.15. fingerprint_log¶
When fingerprint rules fire, this is the log file that is create and data sent to. This log file format is an JSON (EVE) log file and is meant to be routed to a Elasticsearch back end. The idea is to store this information for historical purposes.
6.2.16. dns¶
The dns option tells Meer to perform a DNS PTR (reverse) record lookup of the
IP addresses involved in an alert. This option is useful because it records the
DNS record at the time the event occurred.
6.2.17. dns_cache¶
When dns is enabled, Meer will internally cache records to avoid repetitive
lookups. For example, if 1000 alerts come in from a single IP address, Meer
will look up the DNS PTR record one time and use the cache for the other 999
times. This saves on lookup time and extra stress on the internal DNS server. If you
do not want Meer to cache DNS data, simply set this option to 0. The dns_cache
time is in seconds.
6.2.18. health¶
The health option is a set of signatures used to monitor the health of Meer and
your Sagan or Suricata instances. When enabled, Meer will treat certain Sagan and
Suricata signatures as “health” indicators rather than normal alerts. When a
“health” signature occurs, Meer updates the sensor table health column
with the epoch time the health signature triggered. This can be useful in quickly
determining if a sensor is down or behind (back logged) on alerts.
6.2.19. health_signatures¶
When health is enabled, this option supplies a list of signature IDs (sid) to
Meer of Suricata or Sagan “health” signatures.
6.2.20. waldo_file¶
The waldo_file is a file that Meer uses to keep track of its last location within
a EVE/JSON file. This keeps Meer from re-reading data in between stop/starts. This
option is required.
6.2.21. lock_file¶
The lock_file is used to help avoid multiple Meer processes from processing the
same data. The lock_file should be unique per Meer instance. The lock file contains
the process ID (PID) of instance of Meer. This option is required.
6.2.22. follow_eve¶
The follow_eve option informs Meer what file to “follow” or “monitor” for new
alerts. You will want to point this to your Sagan or Suricata “alert” EVE output file.
You can think of Meer “monitoring” this file similar to how “tail -f” operates.
This option is required.
7. Output Plugins¶
7.1. SQL output-plugins example¶
Below is an example of the “output-plugins” from the meer.yaml. This section controls
the SQL output.
output-plugins:
# MySQL/MariaDB output - Stores data from Suricata or Sagan into a semi-
# traditional "Barnyard2/Snort"-like database.
sql:
enabled: yes
driver: mysql # "mysql" or "postgresql"
port: 3306 # Change to 5432 for PostgreSQL
debug: no
server: 127.0.0.1
port: 3306
username: "XXXX"
password: "XXXXXX"
database: "snort_test"
# Automatically reconnect to the database when disconnected.
reconnect: enabled
reconnect_time: 10
# Store decoded JSON data that is similar to Unified2 "extra" data to the
# "extra" table.
extra_data: enabled
# Store extra decoded JSON metadata from Suricata or Sagan. This requires
# your database to have the metadata, flow, http, etc. tables. If all are
# disabled, Meer will store data in strictly a Barnyard2/Snort method.
# If you want to store this decoded information, and you likely do, make
# sure you have the decoders enabled in the "core" section of this Meer
# configuration file!
metadata: enabled
flow: enabled
http: enabled
tls: enabled
ssh: enabled
smtp: enabled
email: enabled
json: enabled
# If you would like Meer to mimic the legacy "reference" tables from
# Snort/Barnyard2, enable it here. If you are using more than one database
# to store Suricata or Sagan data, you will likely want to leave this
# disabled. The legacy reference system is not very efficient and there are
# better ways to keep track of this data. This is also a memory hog and
# performance killer. See tools/reference_handler/reference_handler.pl to
# build a centralized reference table.
reference_system: disabled
sid_file: "/etc/suricata/rules/sid-msg.map" # Created with "create-sidmap"
reference: "/etc/suricata/reference.config"
#sid_file: "/usr/local/etc/sagan-rules/sagan-sid-msg.map"
#reference: "/usr/local/etc/sagan-rules/reference.config"
7.1.1. enabled¶
When this option is set to yes or no, it enables or disables the SQL section of
the Meer output plugin.
7.1.2. driver¶
This controls what SQL database driver Meer will use. Valid types are mysql (for both
MySQL and MariaDB) and postgresql.
7.1.3. port¶
The port the target SQL server is listening on.
7.1.4. server¶
The IP address of the SQL server.
7.1.5. debug¶
When debug is enabled, Meer will display SQL statements and transactions to stdout and to the
meer_log. This can be useful for debugging SQL errors and issues. By default, this is disabled.
7.1.6. username¶
The username to use during authentication with the SQL database.
7.1.7. password¶
The password to use during authentication with the SQL database.
7.1.8. reconnect¶
If Meer encounters an issue with connecting to the SQL database, if this
option is enabled, Meer will continually try to reconnect until it is
successful.
7.1.9. reconnect_time¶
This is how long to pause, in seconds, before attempting to reconnect to the
SQL database if the reconnect option is enabled.
7.1.10. extra_data¶
When the extra_data option is enabled, Meer will record certain information
(XFF, DNS data, SMTP data, etc) in the legacy extra table.
7.1.11. metadata¶
This option controls Meer’s ability to record decoded alert metadata to the metadata
SQL table. If “metadata” is detected within the EVE/JSON and the metadata
decoder is enabled (controlled in the meer-core), then it will be recorded
to the metadata SQL table.
7.1.12. flow¶
This option controls Meer’s ability to record decoded alert flow to the flow
SQL table. If “flow” is detected within the EVE/JSON and the flow
decoder is enabled (controlled in the meer-core), then it will be recorded
to the flow SQL table.
7.1.13. http¶
This option controls Meer’s ability to record decoded alert http to the http
SQL table. If “http” is detected within the EVE/JSON and the http
decoder is enabled (controlled in the meer-core), then it will be recorded
to the http SQL table.
7.1.14. tls¶
This option controls Meer’s ability to record decoded alert tls to the tls
SQL table. If “tls” is detected within the EVE/JSON and the tls
decoder is enabled (controlled in the meer-core), then it will be recorded
to the tls SQL table.
7.1.15. ssh¶
This option controls Meer’s ability to record decoded alert ssh to the ssh
SQL table. If “ssh” is detected within the EVE/JSON and the ssh
decoder is enabled (controlled in the meer-core), then it will be recorded
to the ssh-client``and ``ssh-server SQL tables.
smtp ~~~
This option controls Meer’s ability to record decoded alert smtp to the smtp
SQL table. If “smtp” is detected within the EVE/JSON and the smtp
decoder is enabled (controlled in the meer-core), then it will be recorded
to the smtp SQL table.
7.1.16. email¶
This option controls Meer’s ability to record decoded alert email to the email
SQL table. If “email” is detected within the EVE/JSON and the email
decoder is enabled (controlled in the meer-core), then it will be recorded
to the email SQL tables. This is not to be confused with the smtp table.
7.1.17. reference_system¶
The reference_system allows Meer to store alert reference data in a traditional
“Barnyard2” format. If you are using a single database for all events, this
option might be useful to you. If you are using UIs like Snorby, Squeel, etc.
you will likely want to enable this option. If you are using multiple databases,
then consider looking at the “reference_handler.pl” script that ships with Meer.
7.1.18. sid_file¶
The sid_file is a legacy “signature message map” file that points signature
IDs to their references. If you want to use the legacy reference_system,
you will need a “signature message map” (sid_file) for Meer to read.
7.2. “pipe” output¶
Below is an example of the “pipe” output plugin. This takes data being written to the EVE file and puts it into a named pipe (FIFO). This can be useful if you want a third party program (for example, Sagan - https://sagan.io) to analyze the data.
pipe:
enabled: no
pipe_location: /var/sagan/fifo/sagan.fifo
pipe_size: 1048576 # System must support F_GETPIPE_SZ/F_SETPIPE_SZ
metadata: enabled
# Below are the "event_types" from Suricata/Sagan. This tells Meer what to send
# to the named pipe/FIFO.
alert: enabled
files: enabled
flow: enabled
dns: enabled
http: enabled
tls: enabled
ssh: enabled
smtp: enabled
fileinfo: enabled
dhcp: enabled
7.2.1. enabled¶
Enabled/disabled the ‘pipe’ output.
7.2.2. pipe_location¶
Location of the named pipe on the file system.
7.2.3. pipe_size¶
Number of bytes will set the size of the named pipe/FIFO to.
7.2.4. metadata¶
This option controls Meer’s ability to record decoded alert metadata to the named pipe.
If “metadata” is detected within the EVE/JSON and the metadata
decoder is enabled (controlled in the meer-core), then it will be recorded to the named
pipe.
7.2.5. flow¶
This option controls Meer’s ability to record decoded alert flow to named pipe.
If “flow” is detected within the EVE/JSON and the flow
decoder is enabled (controlled in the meer-core), then it will be recorded to the
named pipe.
7.2.6. http¶
This option controls Meer’s ability to record decoded alert http to the named pipe.
If “http” is detected within the EVE/JSON and the http
decoder is enabled (controlled in the meer-core), then it will be recorded
to the named pipe.
7.2.7. tls¶
This option controls Meer’s ability to record decoded alert tls to the named pipe.
If “tls” is detected within the EVE/JSON and the tls
decoder is enabled (controlled in the meer-core), then it will be recorded
to the named pipe.
7.2.8. ssh¶
This option controls Meer’s ability to record decoded alert ssh to the named pipe.
If “ssh” is detected within the EVE/JSON and the ssh
decoder is enabled (controlled in the meer-core), then it will be recorded
to the named pipe.
smtp ~~~
This option controls Meer’s ability to record decoded alert smtp to the named pipe.
If “smtp” is detected within the EVE/JSON and the smtp
decoder is enabled (controlled in the meer-core), then it will be recorded
to the named pipe.
7.2.9. email¶
This option controls Meer’s ability to record decoded alert email to the named pipe.
If “email” is detected within the EVE/JSON and the email
decoder is enabled (controlled in the meer-core), then it will be recorded
to the named pipe. This is not to be confused with the smtp table.
7.2.10. fileinfo¶
This option controls Meer’s ability to record decoded alert fileinfo to the named pipe.
If “fileinfo” is detected within the EVE/JSON and the fileinfo
decoder is enabled (controlled in the meer-core), then it will be recorded
to the named pipe.
7.2.11. dhcp¶
This option controls Meer’s ability to record decoded alert dhcp to the named pipe.
If “dhcp” is detected within the EVE/JSON and the dhcp
decoder is enabled (controlled in the meer-core), then it will be recorded
to the named pipe.
7.3. “external” output¶
This option allows signatures to call “external” programs. For example, if a signature the
proper “metadata” (metadata: meer external or a set policy), Meer will fork a copy
of the specified program and pass the EVE via stdin. This feature can be useful for creating
custom firewalling routines or routing data to alternate programs. The “external” program
can be written in any language that suites you.
###########################################################################
# external
#
# EVE data (JSON) is passed via stdin to the external program. The
# external program can be written in any language you choose (shell script,
# Python, Perl, etc).
#
# This can be useful for automatic firewalling, building block lists,
# replicating "snortsam" functionality, etc. See the "tools/external"
# directory for example routines that use this feature.
#
# If this option is enabled, any rule that has the metadata of "meer
# external" (ie - "metadata:meer external") will cause the external script
# to be executed. Execution can also be controlled by Snort metadata
# "policies".
###########################################################################
external:
enabled: no
debug: no
# Execution of an external program based on metadata "policy". When Meer
# encounters a "policy" (security-ips, balanced-ips, connectivity-ips,
# and max-detect-ips), Meer will execute the specified routine.
# Currently only Snort rules have these types of polices. This can be
# useful when you want to execute an external script that will to "block"
# or "firewall" based off the policy types. This section only applies if
# you are using Suricata with Snort rules. Snort's polices are
# below:
# connectivity-ips - You run a lot of real time applications (VOIP,
# financial transactions, etc), and don't want to run any rules that
# could affect the current performance of your sensor. The rules in this
# category make snort happy, additionally this category focuses on the high
# profile most likely to affect the largest number of people type of
# vulnerabilities.
# balanced-ips - You are normal, you run normal stuff and you want normal
# security protections. This is the best policy to start from if you are
# new, old, or just plain average. If you don't have any special
# requirements for super high speeds or super secure networks start here.
# security-ips - You don't care about dropping your bosses email, everything
# in your environment is tightly regulated and you don't tolerate people
# stepping outside of your security policy. This policy hates on IM, P2P,
# vulnerabilities, malware, web apps that cause productivity loss, remote
# access, and just about anything not related to getting work done.
# If you run your network with an iron fist start here.
# I can't seem to find any documentation on what "max-detect-ips" is :(
policy-security-ips: enabled
policy-max-detect-ips: enabled
policy-connectivity-ips: enabled
policy-balanced-ips: enabled
program: "/usr/local/bin/external_program"
7.3.1. enabled¶
Keyword is used to enable/disable external output.
7.3.2. debug¶
When enabled, this option will display and log debugging information.
7.3.3. policy-security-ips¶
Execute external program when the policy-security-ips is encountered.
7.3.4. policy-max-detect-ips¶
Execute external program when the policy-max-detect-ips is encountered.
7.3.5. policy-connectivity-ips¶
Execute external program when the policy-connectivity-ips is encountered.
7.3.6. policy-balanced-ips¶
Execute external program when the policy-balanced-ips is encountered.
7.3.7. program¶
external program to execute when conditions are met.
7.4. Redis output¶
This controls how Meer logs to a Redis database. Meer can record alert records to
Redis similar to how Suricata with Redis support enabled does. Redis is also used
as a temporary storage engine for client_stats (Sagan only) and fingerprint
data if enabled.
###########################################################################
# "redis" allows you to send Suricata/Sagan EVE data to a Redis database.
# This will mimic the way Suricata writes EVE data to Redis with the
# exception of "client_stats" which is a Sagan specific processor.
###########################################################################
redis:
enabled: no
debug: no
server: 127.0.0.1
port: 6379
batch: 10 # Batch/pipelining mode. Max is 100. 1 == no batching.
key: "suricata" # Default 'key' or 'channel' to use.
mode: list # How to publish data to Redis. Valid types are list/lpush,
# rpush, channel|publish.
# This controls event_types to send to Redis.
alert: enabled
files: enabled
flow: enabled
dns: enabled
http: enabled
tls: enabled
ssh: enabled
smtp: enabled
fileinfo: enabled
dhcp: enabled
# Fingerprint data can be temporarily stored in a Redis database. When an alert
# fires, this information can be used to determine the targets operating system,
# type (client/server), etc. This can be useful in determining the validity of
# an event. If used in conjunction with the SQL output, the fingerprint data for
# the targeted system is stored in the 'fingerprint' table.
fingerprint: enabled
# This controls sending Sagan client tracking data to Redis. This has no affect
# on Suricata systems.
client_stats: disabled
7.4.1. enabled¶
Enable or disable the Redis output.
7.4.2. debug¶
Enable or disabled Redis debugging.
7.4.3. server¶
The Redis server address you want to store data to.
7.4.4. port¶
Port of the target Redis server.
7.4.5. batch¶
The batch is the amount of data to collect before sending it to Redis. This has no
affect when using Redis with either client_stats or fingerprint data.
7.4.6. key¶
The key is the default Redis channel or key to use.
7.4.7. mode¶
The mode controls how data is stored to Redis. Valid options are list, lpush,
rpush, channel or publish. The default is list. The method Meer stores the
data is compatible with Suricata’s Redis output format. Note; This option does not have any
affect on client_stats or fingerprint recording.
7.4.8. alert¶
Enable or disable storing alert data into Redis.
7.4.9. files¶
Enable or disable storing files data into Redis.
7.4.10. flow¶
Enable or disable storing flow data into Redis.
7.4.11. dns¶
Enable or disable storing dns data into Redis.
7.4.12. http¶
Enable or disable storing http data into Redis.
7.4.13. tls¶
Enable or disable storing tls data into Redis.
7.4.14. ssh¶
Enable or disable storing ssh data into Redis.
7.4.15. smtp¶
Enable or disable storing smtp data into Redis.
7.4.16. fileinfo¶
Enable or disable storing fileinfo data into Redis.
7.4.17. dhcp¶
Enable or disable storing dhcp data into Redis.
7.4.18. fingerprint¶
Enable or disable storing fingerprint data in the Redis database. This is a temporary
storage system for fingerprint data. This allows correlation between device fingerprints
(ie - operating systems, devices types, etc) with alerts.
7.4.19. client_stats¶
This is a Sagan only option. This option temporarily stores devices that are sending Sagan logs along with an example log entry. This has no affect with Suricata.