UNITY 360: Issues (http://www.prelude-siem.org/, updated 2008-10-15T15:59:26Z)
Prelude-LML - Feature #326 (Closed): Deprecate Gamin/FAM in favor of libev. (http://www.prelude-siem.org/issues/326, 2008-10-15T15:59:26Z, Yoann VANDOORSELAERE)
<p>Deprecate Gamin/FAM support in favor of libev: the current implementation has problems on SELinux-enabled systems because the Gamin server startup is triggered by another program, and thus it runs with an improper role for Prelude-LML.</p>
<p>Additionally, this will remove a lot of code working around FAM-specific issues, and provide operating-system-specific improvements for the UDP server socket monitoring feature.</p>
<p>We will also use libev in order to monitor files that are not available for reading on startup: once the file can be monitored, libev will provide us with a notification.</p>
<p>Implementing this functionality should have the side effect of fixing <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: prelude lml refuses to read a logfile (Closed)" href="http://www.prelude-siem.org/issues/291">#291</a>.</p>
Prelude Correlator - Bug #295 (Closed): Occasional LUA error message (http://www.prelude-siem.org/issues/295, 2008-06-30T13:48:32Z, Yoann VANDOORSELAERE)
<pre>
ERROR: LUA error on 'firewall': /etc/prelude-correlator/lua-rules/firewall.lua:35: attempt to index local 'result' (a nil value). (lua.c:148 lua_run)
</pre>
<p>This seems to happen when calling the IDMEF:get() method with 2 IDMEFPath arguments (1, 3 or more work).</p>
Libprelude - Feature #293 (Closed): Libprelude EasyBindings (http://www.prelude-siem.org/issues/293, 2008-06-25T16:38:01Z, Yoann VANDOORSELAERE)
<p>EasyBindings are an enhancement to the current low-level language bindings exported by libprelude.</p>
<p>The project is about making the Libprelude API trivial to use from the C++, Perl, and Python languages. Improvements to the C API are also planned.</p>
<p>The current development code is available from the <a href="https://trac.prelude-ids.org/browser/libprelude/branches/libprelude-easy-bindings" class="external">EasyBindings branch</a> in the svn repository, which can be checked out using the following command:</p>
<pre>
svn co http://svn.prelude-ids.org/libprelude/branches/libprelude-easy-bindings
</pre>
PRELUDE SIEM - Feature #292 (Closed): Native Prelude support for ClamAV (http://www.prelude-siem.org/issues/292, 2008-06-25T16:30:35Z, Yoann VANDOORSELAERE)
<p>Native Prelude support for <a href="http://www.clamav.net/" class="external">ClamAV</a> is being developed. This ticket will serve as a central point for discussion and progress tracking of this development.</p>
Prelude-LML - Bug #214 (New): Invalid classification reference in several LML rulesets (http://www.prelude-siem.org/issues/214, 2007-04-03T17:37:44Z, Yoann VANDOORSELAERE)
<p>Some LML rulesets are missing the "url" field of the Classification Reference. IDMEF specifies that the "url" member of a Reference has to be specified.</p>
<p>Examples of such rulesets are:</p>
<ul>
<li>cisco-vpn.rules</li>
<li>cisco-css.rules</li>
</ul>
Prelude-LML - Bug #213 (New): LML rulesets should be updated to use IDMEF Action (http://www.prelude-siem.org/issues/213, 2007-04-03T17:31:44Z, Yoann VANDOORSELAERE)
<p>Current rulesets (except modsecurity) do not make use of the IDMEF Action class.</p>
<pre>
4.2.6.2. The Action Class
The Action class is used to describe any actions taken by the
analyzer in response to the event.
category
The type of action taken. The permitted values are shown below.
The default value is "other". (See also Section 10.)
+------+-------------------+----------------------------------------+
| Rank | Keyword | Description |
+------+-------------------+----------------------------------------+
| 0 | block-installed | A block of some sort was installed to |
| | | prevent an attack from reaching its |
| | | destination. The block could be a |
| | | port block, address block, etc., or |
| | | disabling a user account. |
| | | |
| 1 | notification-sent | A notification message of some sort |
| | | was sent out-of-band (via pager, |
| | | e-mail, etc.). Does not include the |
| | | transmission of this alert. |
| | | |
| 2 | taken-offline | A system, computer, or user was taken |
| | | offline, as when the computer is shut |
| | | down or a user is logged off. |
| | | |
| 3 | other | Anything not in one of the above |
| | | categories. |
+------+-------------------+----------------------------------------+
The element itself may be empty, or may contain a textual
description of the action, if the analyzer is able to provide
additional details.
</pre>
Prelude Manager - Bug #196 (Closed): XML output corruption (http://www.prelude-siem.org/issues/196, 2007-02-05T13:45:21Z, Yoann VANDOORSELAERE)
<p>There is a corruption issue with the Prelude-Manager XMLmod output. The problem happens independently of the XML output method.</p>
<p>Example of corruption:</p>
<pre>
<AdditionalData type="byte-string" meaning="payload"<IDMEF-Message><Heartbeat>
</pre>
Prelude Correlator - Bug #141 (Closed): Support for setting multiple context at once from multipl... (http://www.prelude-siem.org/issues/141, 2006-04-01T00:35:53Z, Yoann VANDOORSELAERE)
<p>Support needs to be implemented so that it is possible to retrieve a list of IDMEF values and assign multiple contexts, one for each retrieved value. For example, we might want to create multiple address contexts out of the content of alert.source(*).node.address(*).address.</p>
<p>When retrieving such an object, the IDMEF value API should be used in order to iterate over the returned idmef_value_t object. We should then be able to bind these values to a specific action (in the example below, $1* would mean to replicate the create action for each value contained in $1).</p>
<pre>
pattern = alert.source(*).node.address(*).address: (.*);
action = create TARGET_ADDRESS_$1*;
</pre>
<p>For example, if the resulting IDMEF value contains x.x.x.x and y.y.y.y, the action should expand to:</p>
<pre>
create TARGET_ADDRESS_x.x.x.x;
create TARGET_ADDRESS_y.y.y.y;
</pre>
Prelude Correlator - Feature #128 (Closed): Prelude integration within SEC (http://www.prelude-siem.org/issues/128, 2006-01-28T01:33:55Z, Yoann VANDOORSELAERE)
<p>Following the recent discussion about integrating correlation capability in Prelude using the SEC program, which would currently consist of:</p>
<pre>
Prelude-Manager(XMLmod) -> SEC(logfile) -> Prelude-LML ->
Prelude-Manager
</pre>
<p>I thought that we should rather try to get it done right the first time rather than settle for the hack described above. I talked with Rob Holland from Inverse Path (Perl coder and Prelude contributor) about integrating Prelude support directly within SEC.</p>
<p>The integration is going to be done in two steps:</p>
<p>1. Integrate Prelude-like reporting capability within SEC, so that it can directly report alerts to Prelude. This way, the schema above will be changed to:</p>
<pre>
Prelude-Manager (XMLmod) -> SEC -> Prelude-Manager
</pre>
<p>2. Implement the ability for SEC to directly match IDMEF messages. This will change the schema above to:</p>
<pre>
Prelude-Manager <-> SEC
</pre>
<p>We hope that the result of this effort will then be included in the vanilla SEC distribution. Please post any thoughts or comments about the upcoming Prelude integration within the SEC program here.</p>
Prelude-LML - Bug #109 (Closed): Fix Prelude-LML static compilation (http://www.prelude-siem.org/issues/109, 2005-11-18T09:00:32Z, Yoann VANDOORSELAERE)
<p>Compiling Prelude-LML statically with FAM support enabled fails with undefined references.</p>
Prelude-LML - Bug #108 (Closed): Target Node remains empty when using --no-resolve (http://www.prelude-siem.org/issues/108, 2005-11-18T08:56:10Z, Yoann VANDOORSELAERE)
<p>Ideally, when the user specifies that he doesn't want DNS lookups, the raw target hostname should be set without further lookup operations to get target information.</p>
Prelude-LML - Feature #107 (Closed): Multiple formats per LML source (http://www.prelude-siem.org/issues/107, 2005-11-18T08:51:22Z, Yoann VANDOORSELAERE)
<p>Implement the ability to read different log input formats from the same LML source.</p>
<pre>
[format=syslog]
time-format = "%b %d %H:%M:%S"
prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
udp-server = 0.0.0.0:514
[format=apache]
prefix-regex = "^(?P<hostname>\S+) - - \[(?P<timestamp>.{20}) \+.{4}\] "
time-format = "%d/%b/%Y:%H:%M:%S"
udp-server = 0.0.0.0:514
</pre>
<p>The example above will allow LML to understand both formats on the 0.0.0.0:514 source.</p>
Prewikka - Bug #49 (Closed): Do not rely on ident to get the latest alert/heartbeat (http://www.prelude-siem.org/issues/49, 2004-10-28T19:01:50Z, Yoann VANDOORSELAERE)
<p>Currently, Prewikka considers the heartbeat in the database with the highest ident to be the last heartbeat that has been added to the database. This is wrong since the ident allocation scheme drastically changed, and even though idents are unique, it shouldn't be assumed that their number is increasing incrementally. Moreover, this specificity is not described by the IDMEF standard and would result in incorrect behavior with other IDMEF database implementations.</p>
<p>In order to get the latest heartbeat in the database, Prewikka should rely on the create_time field contained within the heartbeat.</p>
Prewikka - Bug #48 (Closed): Additional data of type 'byte' dumped incorrectly. (http://www.prelude-siem.org/issues/48, 2004-10-28T18:57:57Z, Yoann VANDOORSELAERE)
<p>Currently, Prewikka simply prints the content of additional data without taking into account the 'type' of the data represented.</p>
<p>Typically, in case these data are raw bytes, Prewikka should issue two dumps of the data:</p>
<ul>
<li>An ASCII dump of the printable bytes.</li>
<li>A hexadecimal dump of the whole data.</li>
</ul>
Prelude-LML - Bug #46 (Closed): lml relies on un-portable strptime behavior. (http://www.prelude-siem.org/issues/46, 2004-07-23T18:07:48Z, Yoann VANDOORSELAERE)
<p>It is not specified whether strptime will modify the members of a localtime struct when these members are not matched by the format string. This, for example, results in a bug on Solaris 7.</p>