[Prelude-correlator] How to indicate prelude-correlator where to find rules?
Added by Steven Shawn over 5 years ago
Hello,
I'm new to Prelude, and I have managed to deploy a simple system composed of two computers (A and B). A is a sensor that sends alerts to B's prelude-manager instance. I created a simple rule placed at /etc/prelude-correlator/rules/MyPlugin.py. I extracted the code from Prelude's official documentation:
    from preludecorrelator.pluginmanager import Plugin

    print("*** Any global initialization code goes here")

    class MyPlugin(Plugin):
        def run(self, idmef):
            print("*** This function is going to be called when Prelude-Correlator receives an IDMEF event")
I launched the prelude-manager and prelude-correlator instances correctly, and they perform the TLS verification. When I sent an event from the sensor, prelude-manager received it correctly and stored it in the DB. I sniffed the communication with tcpdump and I can see that after prelude-manager receives the whole event from A, it then starts a communication with itself (I suppose it is prelude-manager sending the events to prelude-correlator). But it seems that the MyPlugin rule is not being executed; at least I can't see any output.
    prelude-correlator
    07 Feb 15:08:49 prelude-correlator (process:4450) INFO: [BusinessHourPlugin]: disabled on user request
    07 Feb 15:08:49 prelude-correlator (process:4450) INFO: [FirewallPlugin]: disabled on user request
    07 Feb 15:08:49 prelude-correlator (process:4450) WARNING: SpamhausDropPlugin = PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin: No module named netaddr
    07 Feb 15:08:49 prelude-correlator (process:4450) INFO: [DshieldPlugin]: Downloading host list, this might take some time...
    07 Feb 15:08:49 prelude-correlator (process:4450) WARNING: [DshieldPlugin]: exception occurred while loading: Could not download DShield host list, error 301
    07 Feb 15:08:49 prelude-correlator (process:4450) INFO: 6 plugin have been loaded.
    07 Feb 15:08:49 prelude-correlator (process:4450) INFO: Connecting to <prelude-manager_ip>:4690 prelude Manager server.
    07 Feb 15:08:49 prelude-correlator (process:4450) INFO: TLS authentication succeed with Prelude Manager.
I registered the prelude-correlator with idmef:rw permissions.
My prelude-correlator.conf config file is:
    # This is a template configuration file for prelude-correlator
    #
    [include](!)
    include = /etc/prelude/default/idmef-client.conf

    [MyPlugin](!)
    disable = false

    # [BruteForcePlugin]
    # disable = false
    #
    # Disable BusinessHour correlation by default since it is very verbose
    [BusinessHourPlugin]
    disable = true
    #
    # [OpenSSHAuthPlugin]
    # disable = false
    #
    # [EventScanPlugin]
    # disable = false
    #
    # [EventStormPlugin]
    # disable = false
    #
    # [EventSweepPlugin]
    # disable = false
    #
    # [WormPlugin]
    # disable = false
    # repeat-target = 5
    #
    # [DshieldPlugin]
    # disable = false
    #
    # How often the Dshield database should be reloaded (download + reload)
    # (default: once a week). 0 to disable reloading.
    # reload = 604800
    #
    # The server address where the Dshield database is loaded from:
    # server = www.dshield.org
    #
    # URI used to retrive the dshield database:
    # uri = /ipsascii.html?limit=10000
    #
    # Define the maximum allowed time for downloading the database
    # (only work with Python >= 2.6, default is 10 seconds)
    # timeout = 10

    # This plugin will report CorrelationAlert for events / sets of events
    # that appear to have passed through a firewall known to protect the
    # target machine.
    #
    # If no firewall ever emit block concerning a given host, then this host
    # is considered un-protected, and there is no point in reporting
    # CorrelationAlert.
    #
    # The 'flush-protected-hosts' variable allow you to define how much
    # time a given target hosts should be considered as protected when a
    # firewall drop is noticed for this machine.
    #
    # The plugin is disabled by default since it tend to be very verbose
    [FirewallPlugin]
    disable = True
    flush-protected-hosts = 3600

    [python_rules](!)
    # Python rules folder
    paths = /etc/prelude-correlator/rules

    ##
    # Logging configuration might also be defined in this file:
    # http://docs.python.org/library/logging.html
The fields marked with (!) are the ones I added. But I can't figure out the correct way to tell prelude-correlator where to find the rules to be used. I read the documentation and I don't see any reference to it.
Thank you for your help
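Added example, not part of the original post or of the Prelude project: a self-contained stand-in showing the mechanics a rules directory like the `[python_rules] paths` setting above implies, namely reading the path from the config, importing every `*.py` file in it, collecting the `Plugin` subclasses and calling their `run()` on each event. The posted MyPlugin.py is used verbatim by registering a shim `preludecorrelator.pluginmanager` module; that shim, the local `Plugin` base class, `rule_paths`, `load_plugins`, `dispatch`, `demo` and the IDMEF-like sample events are all hypothetical, and prelude-correlator's real loader and `Plugin` API differ from this. A path that does not exist yields no plugins, so nothing runs and nothing is printed, which is the symptom described in the post.

```python
"""Stand-in rule loader: parse [python_rules] paths, import *.py rule files,
instantiate Plugin subclasses and dispatch events to them. Hypothetical code,
not prelude-correlator's own loader."""
import configparser
import importlib.util
import inspect
import os
import sys
import tempfile
import types


class Plugin:
    """Minimal base class with the shape the posted rule relies on (assumption)."""

    def run(self, idmef):
        raise NotImplementedError


def _install_shim():
    """Register a fake 'preludecorrelator.pluginmanager' in sys.modules so the
    posted MyPlugin.py imports unchanged. Stand-in only, not the real package."""
    pkg = types.ModuleType("preludecorrelator")
    mgr = types.ModuleType("preludecorrelator.pluginmanager")
    mgr.Plugin = Plugin
    pkg.pluginmanager = mgr
    sys.modules["preludecorrelator"] = pkg
    sys.modules["preludecorrelator.pluginmanager"] = mgr


def rule_paths(config_text):
    """Return the rule directories listed under [python_rules] paths (comma separated)."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    if not cp.has_option("python_rules", "paths"):
        return []
    return [p.strip() for p in cp.get("python_rules", "paths").split(",") if p.strip()]


def load_plugins(paths):
    """Import every *.py file in each existing directory and return one instance
    of every Plugin subclass defined there."""
    _install_shim()
    plugins = []
    for directory in paths:
        if not os.path.isdir(directory):
            continue  # a missing directory silently yields no rules at all
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".py"):
                continue
            spec = importlib.util.spec_from_file_location(name[:-3], os.path.join(directory, name))
            module = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(module)  # runs the rule's global initialization code
            for _, cls in inspect.getmembers(module, inspect.isclass):
                if issubclass(cls, Plugin) and cls is not Plugin and cls.__module__ == module.__name__:
                    plugins.append(cls())
    return plugins


def dispatch(plugins, events):
    """Feed each event to every loaded rule; return the number of run() calls made."""
    calls = 0
    for idmef in events:
        for plugin in plugins:
            plugin.run(idmef)
            calls += 1
    return calls


# The rule exactly as posted in the thread.
RULE_SOURCE = '''\
from preludecorrelator.pluginmanager import Plugin

print("*** Any global initialization code goes here")

class MyPlugin(Plugin):
    def run(self, idmef):
        print("*** This function is going to be called when Prelude-Correlator receives an IDMEF event")
'''


def demo(rules_dir=None):
    """Write the posted rule into rules_dir (a temp dir by default), point a
    constructed [python_rules] section at it, load it and dispatch two events.
    Returns (loaded plugin class names, number of run() calls)."""
    if rules_dir is None:
        rules_dir = tempfile.mkdtemp()
    with open(os.path.join(rules_dir, "MyPlugin.py"), "w") as fh:
        fh.write(RULE_SOURCE)
    config = "[python_rules]\npaths = %s\n" % rules_dir
    plugins = load_plugins(rule_paths(config))
    events = [  # constructed IDMEF-like events, not real sensor output
        {"alert.classification.text": "Login failed", "alert.source(0).node.address(0).address": "192.0.2.10"},
        {"alert.classification.text": "Port scan", "alert.source(0).node.address(0).address": "198.51.100.7"},
    ]
    return [type(p).__name__ for p in plugins], dispatch(plugins, events)


if __name__ == "__main__":
    print(demo())
```

Running it prints the rule's global initialization line once at import and the `run()` line once per event; pointing `paths` at a directory that does not exist produces neither, which is the first thing to check when a rule seems not to fire.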
Replies (6)
RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Antoine LUONG over 5 years ago
Hello,
What version of prelude-correlator are you using?
Regards
RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Steven Shawn over 5 years ago
Antoine LUONG wrote:
Hello,
What version of prelude-correlator are you using?
Regards
The output of prelude-correlator --version says
prelude-correlator 1.0.0
Regards
RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Antoine LUONG over 5 years ago
This version is not supported anymore. Please upgrade to the latest version available on your distribution.
Regards
RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Steven Shawn over 5 years ago
Antoine LUONG wrote:
This version is not supported anymore. Please upgrade to the latest version available on your distribution.
Regards
Thank you for your quick reply. Once updated, when I tried to start it, it says:
pkg_resources.DistributionNotFound: The 'prelude>=5.0.0' distribution was not found and is required by prelude-correlator
Which prelude is it talking about? Prelude-manager? Libprelude?...
Regards
RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Antoine LUONG over 5 years ago
It's the libprelude.
Regards
RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Steven Shawn over 5 years ago
Thank you!
It's working now!