UNITY 360: Issues
http://www.prelude-siem.org/ (feed updated 2008-10-15T15:59:26Z)

Prelude-LML - Feature #326 (Closed): Deprecate Gamin/FAM in favor of libev.
http://www.prelude-siem.org/issues/326 | 2008-10-15T15:59:26Z | Yoann VANDOORSELAERE
<p>Deprecate Gamin/FAM support in favor of libev: the current implementation has problems on SELinux-enabled systems due to the Gamin server startup being triggered by other programs, and thus using an improper role for Prelude-LML.</p>
<p>Additionally, this will remove a lot of code working around FAM-specific issues, and provide operating-system-specific improvements for the UDP server socket monitoring feature.</p>
<p>We will also use libev in order to monitor files that are not available for reading on startup: once the file can be monitored, libev will provide us with a notification.</p>
<p>Implementing this functionality should have the side effect of fixing <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: prelude lml refuses to read a logfile (Closed)" href="http://www.prelude-siem.org/issues/291">#291</a>.</p>

Prelude Correlator - Bug #295 (Closed): Occasional LUA error message
http://www.prelude-siem.org/issues/295 | 2008-06-30T13:48:32Z | Yoann VANDOORSELAERE
<pre>
ERROR: LUA error on 'firewall': /etc/prelude-correlator/lua-rules/firewall.lua:35: attempt to index local 'result' (a nil value). (lua.c:148 lua_run)
</pre>
<p>This seems to happen when using the IDMEF:get() method with 2 wiki:IDMEFPath arguments (1, 3 or more work).</p>

Libprelude - Feature #293 (Closed): Libprelude EasyBindings
http://www.prelude-siem.org/issues/293 | 2008-06-25T16:38:01Z | Yoann VANDOORSELAERE
<p>[[EasyBindings]] are an enhancement to the current low-level language bindings exported by libprelude.</p>
<p>The project is about making the Libprelude API trivial to use from the C++, Perl, and Python languages. Improvements to the C API are also planned.</p>
<p>The current development code is available from the <a href="https://trac.prelude-ids.org/browser/libprelude/branches/libprelude-easy-bindings" class="external">EasyBindings branch</a> in the svn repository, which can be checked out using the following command:</p>
<pre>
svn co http://svn.prelude-ids.org/libprelude/branches/libprelude-easy-bindings
</pre>

PRELUDE SIEM - Feature #292 (Closed): Native Prelude support for ClamAV
http://www.prelude-siem.org/issues/292 | 2008-06-25T16:30:35Z | Yoann VANDOORSELAERE
<p>Native Prelude support for <a href="http://www.clamav.net/" class="external">ClamAV</a> is being developed. This ticket will serve as a central point for discussion and progress tracking of this development.</p>

Prelude-LML - Bug #214 (New): Invalid classification reference in several LML rulesets
http://www.prelude-siem.org/issues/214 | 2007-04-03T17:37:44Z | Yoann VANDOORSELAERE
<p>Some LML rulesets are missing a "url" field for the Classification Reference. IDMEF specifies that the "url" member of a Reference has to be specified.</p>
<p>Examples of such rulesets are:</p>
<ul>
<li>cisco-vpn.rules</li>
<li>cisco-css.rules</li>
</ul>

Prelude-LML - Bug #213 (New): LML rulesets should be updated to use IDMEF Action
http://www.prelude-siem.org/issues/213 | 2007-04-03T17:31:44Z | Yoann VANDOORSELAERE
<p>Current rulesets (except modsecurity) do not make use of the IDMEF Action class.</p>
<pre>
4.2.6.2. The Action Class

   The Action class is used to describe any actions taken by the
   analyzer in response to the event.

   category
      The type of action taken. The permitted values are shown below.
      The default value is "other". (See also Section 10.)

   +------+-------------------+----------------------------------------+
   | Rank | Keyword           | Description                            |
   +------+-------------------+----------------------------------------+
   |   0  | block-installed   | A block of some sort was installed to  |
   |      |                   | prevent an attack from reaching its    |
   |      |                   | destination. The block could be a      |
   |      |                   | port block, address block, etc., or    |
   |      |                   | disabling a user account.              |
   |      |                   |                                        |
   |   1  | notification-sent | A notification message of some sort    |
   |      |                   | was sent out-of-band (via pager,       |
   |      |                   | e-mail, etc.). Does not include the    |
   |      |                   | transmission of this alert.            |
   |      |                   |                                        |
   |   2  | taken-offline     | A system, computer, or user was taken  |
   |      |                   | offline, as when the computer is shut  |
   |      |                   | down or a user is logged off.          |
   |      |                   |                                        |
   |   3  | other             | Anything not in one of the above       |
   |      |                   | categories.                            |
   +------+-------------------+----------------------------------------+

   The element itself may be empty, or may contain a textual
   description of the action, if the analyzer is able to provide
   additional details.
</pre>

Prelude Manager - Bug #196 (Closed): XML output corruption
http://www.prelude-siem.org/issues/196 | 2007-02-05T13:45:21Z | Yoann VANDOORSELAERE
<p>There is a corruption issue with the Prelude-Manager XMLmod output. The problem happens independently of the XML output method.</p>
<p>Example of corruption:</p>
<pre>
<AdditionalData type="byte-string" meaning="payload"<IDMEF-Message><Heartbeat>
</pre>

Libprelude - Bug #26 (Closed): Modification of message emission behavior with manager AND
http://www.prelude-siem.org/issues/26 | 2004-06-11T11:08:45Z | Yoann VANDOORSELAERE
<p>Currently when using</p>
<pre>
manager_addr = x.x.x.x && y.y.y.y
</pre>
<p>the emission will stop if emission to x.x.x.x fails. However, from a practical point of view, people who use AND of managers for redundancy want both managers to receive exactly the same messages, even if one of the managers fails.</p>
<p>Thus, in case emission to x.x.x.x fails, we still want to emit the message to y.y.y.y, and save the failed messages, associating them with the x.x.x.x manager, for later emission.</p>

Libprelude - Bug #25 (Closed): Generic failover implementation
http://www.prelude-siem.org/issues/25 | 2004-06-11T11:03:21Z | Yoann VANDOORSELAERE
<p>Share the same failover implementation for report-plugin failover and message emission failover.</p>

Libprelude - Bug #22 (Closed): Recursive configuration file inclusion
http://www.prelude-siem.org/issues/22 | 2004-06-07T17:52:05Z | Yoann VANDOORSELAERE
<p>Prelude configuration files should be able to include other context-dependent files.</p>
<p>As an example, we should be able to split sensors-default.conf into a sensors-only options file and a common (sensors + managers) options file. The needed files would be included from the sensors/manager main configuration file.</p>
<p>This change is needed due to the ongoing API unification.</p>

Prelude Manager - Feature #17 (Closed): prelude-manager should send heartbeat
http://www.prelude-siem.org/issues/17 | 2004-06-05T15:41:18Z | Yoann VANDOORSELAERE
<p>Using the same mechanism that sensors use, with the exception that the heartbeat should be directly available to its reporting plugins, and not only relayed to other parent managers.</p>

Prewikka - Feature #15 (Closed): Heartbeat view
http://www.prelude-siem.org/issues/15 | 2004-06-03T11:25:34Z | Yoann VANDOORSELAERE
<p>We need a heartbeat view, similar to the alert view, in prewikka, providing:</p>
<ul>
<li>Heartbeat list, similar to the one Piwi provides.</li>
<li>Ability to see heartbeat details.</li>
<li>Statistical analysis of heartbeat reception linearity.</li>
</ul>

Libprelude - Bug #14 (Closed): sensor.c API rework
http://www.prelude-siem.org/issues/14 | 2004-06-03T11:16:44Z | Yoann VANDOORSELAERE
<p>Need to clean up the mess in sensor.c, using a per-sensor object instead of globals everywhere. Clean up and review the interface.</p>
<p><a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: idmef-criteria-string.lex.l require recent flex version (Closed)" href="http://www.prelude-siem.org/issues/11">#11</a> and <a class="issue tracker-2 status-5 priority-5 priority-high3 closed" title="Feature: Ability to run several analyzer instance (Closed)" href="http://www.prelude-siem.org/issues/12">#12</a> depend on this ticket.</p>

Libprelude - Feature #13 (Closed): Provide the ability for the user to define the analyzer config...
http://www.prelude-siem.org/issues/13 | 2004-06-03T10:09:37Z | Yoann VANDOORSELAERE
<p>Currently each analyzer hardcodes access to its own configuration file. We need to add a 'config-file' command line option, overriding the default hardcoded analyzer configuration file.</p>
<p>In combination with ticket <a class="issue tracker-2 status-5 priority-5 priority-high3 closed" title="Feature: Ability to run several analyzer instance (Closed)" href="http://www.prelude-siem.org/issues/12">#12</a>, this will allow several analyzer instances to run with their own independent configuration.</p>

Libprelude - Feature #12 (Closed): Ability to run several analyzer instances
http://www.prelude-siem.org/issues/12 | 2004-06-03T10:05:09Z | Yoann VANDOORSELAERE
<p>Provide the ability to run several instances of an analyzer on the same machine. This requires that these sensors are identified by a user-defined name (this name is not customizable currently), so that each sensor instance gets its own analyzerid.</p>
<p>This will be done by adding a default analyzer-name option, available from the command line and the configuration file.</p>
<p>Additionally, this option needs to be handled prior to any other option which might depend on it, which will require better support for option priority handling in prelude-getopt.c.</p>