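# Prelude Manager configuration file.
#
# <IMPORTANT>
#
# Sections are important, and things won't work correctly if they are
# not un-commented. For example you need to uncomment [db] if you want
# the database plugin to be loaded.
#
# This file can hold credentials (see the [db] section): keep it
# readable only by the account that runs prelude-manager.
#
# </IMPORTANT>


include = /etc/prelude/default/global.conf


# Address where the prelude-manager server is listening on.
# If the value is unix, or unix:/path/to/unix/socket, a UNIX domain
# socket will be used.
#
# Multiple listen addresses are supported (one per line).
#
# listen = address:port
#
# NOTE(review): /tmp is world-writable, so any local user can create
# this path, or a symlink at it, before the daemon starts. Prefer a
# socket path inside a directory owned by the account prelude-manager
# runs as.
listen = unix:/tmp/prelude-manager.socket
# listen = unix
#
# Loopback only: sensors on other hosts cannot reach this manager unless
# a routable address is listed as well. No port is given here, so the
# built-in default port is presumably used.
listen = 127.0.0.1


# Sets the user/group ID as which prelude-manager will run.
# In order to use this option, prelude-manager must be run initially as
# root, which then switches to the user/group given here.
#
# NOTE(review): with root/root no privilege drop takes place, so the
# daemon and every plugin it loads (database, log files, relaying) keep
# full privileges. Use a dedicated unprivileged account instead.
#
user = root
group = root


#
# Scheduler settings for Prelude-Manager
#
# On systems with many concurrent sensors sending events to
# Prelude-Manager, Prelude-Manager might have a hard time keeping up
# with the demand for event reporting.
#
# The Prelude Manager scheduler allocates reporting time per sensor,
# allowing you to define the maximum number of events processed for one
# sensor before processing other sensors' events (in case a sensor is
# sending a continuous burst of events, this prevents the other sensors
# from starving).
#
# By default, for each sensor connected, a maximum of 100 events will
# be processed before processing other sensors' events.
#
# Additionally, events are ordered by their priority. Assuming there
# are enough events of each priority, 50 high priority messages will be
# processed, 30 medium, and 20 low (totalling the maximum of 100
# described above).
#
# You might use the sched-priority option in order to change this
# setting:
#
# sched-priority = high:50 medium:30 low:20
#
#
# When the number of events waiting to be processed exceeds the defined
# amount of reserved memory (default is 1 Megabyte), Prelude-Manager
# will start storing events on disk:
#
# sched-buffer-size = 1M


#
# Number of bits of the prime used in the Diffie Hellman key exchange.
# Note that the value should be one of 768, 1024, 2048, 3072 or 4096.
# The default is 1024.
#
# NOTE(review): 768- and 1024-bit DH groups are below current
# recommendations; 2048 is the smallest value to use for new
# deployments, which is why it is set explicitly here. Larger primes
# make parameter generation (dh-parameters-regenerate below) slower.
#
dh-prime-length = 2048


# How often to regenerate the parameters used in the Diffie Hellman key
# exchange. These should be discarded and regenerated once a day, once
# a week or once a month, depending on the security requirements.
#
# Generation is a CPU intensive operation. The value is in hours,
# 0 disables regeneration entirely. The default is 24 hours.
#
# dh-parameters-regenerate = 24


# If you want this Manager to retrieve messages from another Manager
# (useful if the other Manager is located within a DMZ):
#
# child-managers = x.x.x.x
#
# This means the messages should be gathered from x.x.x.x

#
# If you want a given reporting plugin to be protected against possible
# failure, use the failover option. Failover will prevent data sent to
# the reporting plugin from being lost in case this one fails.
#
# You might use this option multiple times for different plugins.
#
# failover = name_of_plugin


#
# Events normalization parameters
#
# Un-comment the following section header in case you want to define
# any normalization parameters:
#
# [normalize]
#
# For each incoming event, Prelude-Manager will run a number of
# normalization routines: sanitize address, service information, etc.
#
# When the normalizer sees an incoming IPv4 mapped IPv6 address, the
# default behavior is to map it back to raw IPv4. For example,
# ::ffff:192.168.0.1 will be mapped back to 192.168.0.1
#
# If you do not want IPv4 mapped IPv6 addresses to be converted,
# un-comment the following option:
#
# keep-ipv4-mapped-ipv6
#
# Alternatively, if you wish for any input IPv4 addresses to be
# converted to IPv6, un-comment the following option:
#
# ipv6-only

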
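####################################
# Here start plugins configuration #
####################################

# [relaying]
#
# If you want the messages caught by this manager to be relayed.
# You can use boolean AND and OR to make the rule.
#
# parent-managers = x.x.x.x || y.y.y.y && z.z.z.z
#
# This means the emission should occur on x.x.x.x or, if it fails, on
# y.y.y.y and z.z.z.z (if one of the two hosts in the AND fails, the
# emission is considered failed, and the message is saved locally).


[db]

# The type of database: mysql, pgsql or sqlite3.
type = mysql

# Only if you use sqlite3.
# file = /your/path/to/your/db/idmef-db.sql

# Host the database is listening on.
host = localhost

# Port the database is listening on.
port = 3306

# Name of the database.
name = prelude

# Username to be used to connect to the database.
#
# NOTE(review): the database superuser is far more than this plugin
# needs. Use an account whose grants are limited to the database named
# above.
user = root

# Password used to connect to the database.
#
# NOTE(review): this credential is stored in clear text. Restrict this
# file to the account running prelude-manager (e.g. mode 0600), and if
# this is a placeholder value, replace it before deploying.
pass = @pple


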
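# [XmlMod]
#
# The Xmlmod plugin allows reporting alerts as IDMEF XML in a file,
# or dumping these alerts to stderr.
#
# The default behavior is to write output to stderr.
#
# Tell Xmlmod to disable output file buffering.
# This will prevent XML alerts from being truncated and thus make
# real-time parsing easier:
#
# disable-buffering
#
#
# Tell Xmlmod to check generated XML against the IDMEF DTD:
# validate
#
# Tell Xmlmod to produce a pretty, human readable XML output:
# format
#
# logfile = stderr
# logfile = /var/log/prelude-xml.log



# [Debug]
#
# The Debug plugin allows reporting alerts as text in a file,
# or dumping these alerts to stderr.
#
# The default behavior is to write output to stderr.
#
# logfile = stderr
# logfile = /var/log/prelude.log
#
# You can specify the name of the IDMEF object to print (you might
# select multiple objects). If no object is provided, 'Debug' will
# print out the entire message.
#
# object = alert.classification.text, alert.source(0).node.address(0).address


# [TextMod]
#
# The TextMod plugin allows reporting alerts as text in a file,
# or dumping these alerts to stderr.
#
# The default behavior is to write output to stderr.
#
# logfile = stderr
# logfile = /var/log/prelude.log


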
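####################################
# Filtering plugins configuration #
####################################

# The idmef-criteria filtering plugin allows you to filter events based
# on specific IDMEF-Criteria.
#
# [idmef-criteria]
# rule = alert.classification.text == 'User login successful'
# hook = relaying[default]
#
# Will forward any events that match the defined criteria to the
# default instance of the relaying reporting plugin. The rule argument
# might also be a filename containing the rules. Example:
#
# rule = /path/to/rule.file
#
# NOTE(review): a rule file decides which events leave this manager, so
# it should be writable only by the administrator, not by the account
# prelude-manager runs as or by other local users.


# The thresholding filtering plugin allows you to suppress events based
# on their value.
#
# [thresholding]
# path = alert.classification.text, alert.source.node.address.address
# limit = 3600
# count = 1
# hook = relaying[default]
#
# Will forward one event with the unique alert.classification.text,
# alert.source.node.address.address value combination to the 'default'
# instance of the 'relaying' reporting plugin. Further events with the
# same value will be suppressed for 3600 seconds.
#
#
# A second, alternative example:
#
# [thresholding]
# path = alert.classification.text, alert.source.node.address.address
# threshold = 3600
# count = 10
# hook = relaying[default]
#
# Will forward every tenth event per 3600 seconds with the unique
# alert.classification.text, alert.source.node.address.address value
# combination to the 'default' instance of the 'relaying' reporting
# plugin.
#
# Note that limit and threshold might be combined, allowing you to set
# up a limit as soon as the first threshold is reached.


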
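####################################
# Prelude generic configuration #
####################################

# [prelude]
#
# This is the global prelude section, where you can define Prelude
# related options. The options that matter to Prelude-Manager are, most
# specifically in the context of relaying, the connection options:
#
# The following settings instruct the operating system when to consider
# a connection dead in case sent data is left unacknowledged.
#
# These options are operating system specific, and might not work on
# certain platforms. In case you modify these settings on an unsupported
# system, a warning message will be issued when the agent starts.
#
# Under Linux, the default system wide configuration is:
# tcp-keepalive-time = 7200
# tcp-keepalive-probes = 9
# tcp-keepalive-intvl = 75
#
# tcp-keepalive-time represents the number of seconds the connection
# needs to be idle before TCP begins sending out keep-alive probes.
#
# tcp-keepalive-probes represents the number of unacknowledged probes
# to send before considering the connection dead.
#
# tcp-keepalive-intvl represents the interval, in seconds, between
# subsequent keepalive probes.
#
# The time needed to notice a dead connection can be estimated using:
# tcp-keepalive-time + (tcp-keepalive-probes * tcp-keepalive-intvl)
#
# Here is an example configuration:
# tcp-keepalive-time = 60
# tcp-keepalive-probes = 3
# tcp-keepalive-intvl = 10
#
# Using the above settings, a dead connection will be detected within
# 90 seconds.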