Project

General

Profile

[Solved] Prelude-Manager : Prelude Heartbeat and SMTP plugin

Added by Romain Duperré almost 7 years ago

Hello,

How can I prevent the SMTP plugin to send me "Prelude Heartbeat" emails ?

I tried this in /etc/prelude-manager/prelude-manager.conf :

[textmod=null]
 logfile = /dev/null

[thresholding]
 path = heartbeat
 limit = 3600
 count = 1
 limit = 1
 hook = textmod[null]

[idmef-criteria]
 rule = heartbeat.messageid != "" 
 hook = textmod[null]

But I still receive tons of heartbeat emails.
This was not the case before...
I restart prelude-manager SMTP plugin after a long time and Prelude Heartbeat emails suddenly appeared.


Replies (4)

RE: Prelude-Manager : Prelude Heartbeat and SMTP plugin - Added by Song TRAN almost 7 years ago

Hello,

Can you show us a mail containing Prelude Heartbeat ? (obfuscate your sensitive information)

If you enable smtp-plugin, you will receive all alerts IDMEF (without heartbeats), that's why a filter IDMEF must be set. Here is a example:

[idmef-criteria]
rule = alert.classification.text == 'User login successful'
rule = alert.assessment.impact.severity == medium
hook = smtp[default]

Here, you will receive mails containing alerts with classification text = "User login successful" and severity = "medium"
Don't forget to restart prelude-manger.

RE: Prelude-Manager : Prelude Heartbeat and SMTP plugin - Added by Romain Duperré almost 7 years ago

Thanks,

The mails body looks like this :

version: <empty>
heartbeat:
        messageid: b09345b4-4b4c-12e5-b47a
        analyzer(0):
                analyzerid: 2891201279537359
                name: prelude-manager
                manufacturer: http://www.prelude-ids.com
                model: Prelude Manager
                version: 1.0.1
                class: Concentrator
                ostype: Linux
                osversion: ...
                node:
                        category: unknown (0)
                        name: name1
                        address(0):
                                category: ipv4-addr (7)
                                address: ip1
                process:
                        name: prelude-manager
                        pid: 24940
                        path: /usr/sbin/prelude-manager
        analyzer(1):
                analyzerid: 772129246787006
                name: prelude-lml
                manufacturer: http://www.prelude-ids.com
                model: Prelude LML
                version: 1.0.0
                class: Log Analyzer
                ostype: Linux
                osversion: ...
                node:
                        category: unknown (0)
                        name: name2
                process:
                        name: prelude-lml
                        pid: 477
                        path: /usr/bin/prelude-lml
        create_time: 24/08/2015 12:41:34.507148 +02:00
        analyzer_time: 24/08/2015 15:30:01.539766 +02:00
        heartbeat_interval: 600
        additional_data(0):
                type: string (0)
                meaning: Analyzer status
                data: running
        additional_data(1):
                type: string (0)
                meaning: Analyzer SHA1
                data: c81e8f49cfaff531abdf2d20844ezcd9f4597ba4

I already receive all alerts (there is no filter IDMEF on alert.*) and this is ok ; I understand i can filter these ones.
But I receive the heartbeats too and this is a problem.
With the configuration I proposed, I tried to say "I don't want the heartbeat.* messages".

Based on your example, i set this filter :

[idmef-criteria]
rule = alert.assessment.impact.severity == medium
hook = smtp[default]

I don't receive heartbeat messages anymore and this is great.
But what if I want to receive all alerts, not just with a medium severity ?

Regards,

RE: Prelude-Manager : Prelude Heartbeat and SMTP plugin - Added by Yoann VANDOORSELAERE almost 7 years ago

Hello Romain,

If you only want to filter out heartbeat, then you can use :

[idmef-criteria]
rule = !heartbeat
hook = smtp[default]

RE: Prelude-Manager : Prelude Heartbeat and SMTP plugin - Added by Romain Duperré almost 7 years ago

Hello Yoann,

This is what I need.

Thanks for your time.

    (1-4/4)