Redis Support with Meer and Sagan


WRF

Apr 16, 2020, 4:46:46 PM
to sagan-users
I have compiled both Sagan and Meer with Redis support. I have downloaded the most up-to-date User Guide for these two services. I cannot find details pertaining to the proper configuration of Meer for Sagan and the 'redis' section in meer.yaml. Specifically, I am uncertain as to the configuration of the 'key' option. By default, it shows 'key: "suricata"'. I have substituted the default setting with 'key: "sagan"'.

Champ Clark III

Apr 16, 2020, 6:42:08 PM
to sagan-users


The "key" is the name of the Redis "key" (name of the variable/channel) that will be used. In Meer, we mimic the Redis input/output that Suricata uses. For Sagan, Redis is used for storage of xbits. This is used to share data between Sagan instances.

The latest documentation is at https://meer.readthedocs.io and https://sagan.readthedocs.io. Both do need updates on the Redis functionality. I'll get to that as time permits.
--
You received this message because you are subscribed to the Google Groups "sagan-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sagan-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sagan-users/73fb1f5c-55ec-4ae1-9225-ea27d24f7aa4%40googlegroups.com.

Wilmer Rivera-Fantauzzi

Apr 16, 2020, 7:57:39 PM
to sagan...@googlegroups.com
I am certain that I have configured sagan.yaml for Redis use properly. My confusion is with meer.yaml and the Redis config section in it. Since I have no reference, I cannot ascertain whether or not I have it set up accordingly for Redis use specifically. Because I'm using Sagan and not Suricata, how should 'key: ""' read; should it stay as per default 'suricata' even though I'm using Sagan? Or should it be something else entirely? I currently have it set up as 'key: "sagan"'. What am I doing wrong? I also verified redis.conf and that did not help.

BTW, it's pretty cool to have this opportunity to ask Mr. Clark III all this directly for a response. I have to admit that I'm a bit star-struck. I have enjoyed using Sagan since first installing SmoothSec Linux and Security Onion, several years back. I am working on this most recent project from Kali Linux on a Raspberry Pi 4. Integrating Meer as a Unified2 and Barnyard replacement has been rewarding. Thanks for your continued assistance.

I did not know that the Meer files not enabling and the Sagan blacklist incident was an anomaly. I will post all future issues as suggested.

Respectfully,

Wilmer Rivera-Fantauzzi 


Wilmer Rivera-Fantauzzi

Apr 16, 2020, 8:52:01 PM
to sagan...@googlegroups.com
After reading your responses with fewer distractions, I realized what Meer and meer.yaml referred to as the key for Redis. I kept thinking of this 'key' as something akin to a key used with OpenSSH. I was previously working with ED25519 and could not get the key to use 512 bits. So, I replaced it with a 15360 bit RSA key. Sometimes, the nomenclature gets confusing. I forgot that Redis is a key-value database (key-value store), using this method for the storage of data. And strings are its data type, which are used as key-value entries to save or fetch information with the Redis SET and GET commands. Again, your explanation was quite informative after delving further into its context.

All my queries have been answered. Thank you for all your help.

Da Beave

May 28, 2020, 12:40:24 PM
to sagan-users

Sagan uses Redis to store 'xbits'. That's about all it does right now.

Meer uses Redis to store data similar to how Suricata does. This way, we can take the load off Suricata and push that over to Meer. From the meer.yaml config:

--<snip>--

key: "suricata"       # Default 'channel' to use.  If none is specified, the
                      # channel name will become the "event_type" type
                      # (ie - alert, dhcp, dns, flow, etc). If set, Meer
                      # will send data to Redis similar to Suricata.

--<snip>-- 

If the key is "set" (in this case, "suricata") it will rpush/lpush/publish (whatever) the JSON entries with the key "suricata" as part of its name. If this option is commented out, then the "key" will take on the name of the object. So, if Meer is storing a "dns" record, the key will be "dns". If the record is an http record, the key will be "http".

Hopefully this helps.
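As an added illustration of the key-naming rule described above (this is not Meer's or Sagan's code), the following Python models how a configured 'key' collapses every record type into one Redis list name, while leaving it unset partitions records by event_type, and what that means for whoever consumes the data. An in-memory dict of lists stands in for the Redis server and its rpush/lpop, and the EVE-style events are constructed samples; both are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events in Suricata/Meer EVE style (not taken from the thread).
SAMPLE_EVENTS = [
    {"event_type": "alert", "src_ip": "10.0.0.5", "alert": {"signature": "sample sig"}},
    {"event_type": "dns", "src_ip": "10.0.0.5", "dns": {"rrname": "example.com"}},
    {"event_type": "http", "src_ip": "10.0.0.7", "http": {"hostname": "example.org"}},
]


def redis_key_for(event, configured_key=None):
    """Key-naming rule from the thread: a configured 'key' (e.g. "suricata"
    or "sagan") wins; if it is commented out, the event_type becomes the key."""
    if configured_key:
        return configured_key
    return event["event_type"]


def push_events(events, configured_key=None, store=None):
    """Stand-in for Meer's rpush: append each JSON record to a list held in an
    in-memory dict (assumption: this replaces a live Redis server)."""
    store = {} if store is None else store
    for ev in events:
        store.setdefault(redis_key_for(ev, configured_key), []).append(json.dumps(ev))
    return store


def consume(store, key):
    """Consumer side (e.g. a SIEM shipper doing lpop): drain one key and group
    the records by event_type. With a fixed key this demultiplexing is the
    consumer's job; without one, each key already holds a single record type."""
    grouped = defaultdict(list)
    while store.get(key):
        ev = json.loads(store[key].pop(0))
        grouped[ev["event_type"]].append(ev)
    return dict(grouped)
```

Setting the key to "sagan" instead of "suricata" only changes the list name a consumer must read; the same mixed-type records land under it.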