UNITY 360: Issues | http://www.prelude-siem.org/ | 2022-06-16T08:36:22Z | UNITY 360
Redmine PRELUDE SIEM - Bug #1253 (New): Support on K8s Prelude Siem version | http://www.prelude-siem.org/issues/1253 | 2022-06-16T08:36:22Z | Quentin Maraval
<p>Hello,<br />I am currently working on the "chartization" of Prelude in order to get it running inside a Kubernetes cluster.<br />I used this repository <a class="external" href="https://github.com/fpoirotte/docker-prelude-siem">https://github.com/fpoirotte/docker-prelude-siem</a>, which does the same work for Docker with the OSS version of Prelude.</p>
<p>I updated the Docker image and changed the container OS from CentOS to openSUSE Leap.<br />I have the project running (not tested the correlator yet); however, it is still on the OSS version and I would like to get it running on the SIEM version.</p>
<p>So to achieve this, I will need some support from you on this task.</p>
<p>I have a couple of questions:<br />- Where can I download the packages for the SIEM version for openSUSE?<br />- How can we proceed with key generation/licensing, knowing that the Helm chart deployment can occur many times as we are in the cloud (delete/reinstall for testing purposes, etc.)?</p>
<p>Thanks,<br />Quentin</p>
Prewikka - Support #1153 (Assigned): Suricata changes the output from version 4 | http://www.prelude-siem.org/issues/1153 | 2019-11-07T18:40:10Z | Andrew Goldy
<p>Hello Guys!</p>
<p>Suricata might have changed the default prelude-alert output? Because compared to the old release 3.x, the alert text was the alert name, for example "ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)", and now the alert text is swapped to the description, for example "Potential Corporate Privacy Violation".<br />Moreover, compared to Snort, it is confirmed that something was wrong with the alerting output, at least in the case of Prelude in Suricata.</p>
<p>Below are real-world examples of the same alert from the Snort and Suricata sides. Both outputs are natively forwarded to Prelude.<br />I've contacted Suricata for months but still no answer... Is there any workaround to swap the two columns for Suricata?</p>
<p><img src="http://www.prelude-siem.org/attachments/download/1184/tempsnip.png" alt="" /></p>
<p>Suricata:</p>
<p><img src="http://www.prelude-siem.org/attachments/download/1186/jzff.PNG" alt="" /></p>
<p>Snort:</p>
<p><img src="http://www.prelude-siem.org/attachments/download/1185/ftzfztfztd.PNG" alt="" /></p>
<p>Many thanks! :)</p>
PRELUDE SIEM - Bug #1134 (Assigned): prewikka install on raspbian | http://www.prelude-siem.org/issues/1134 | 2019-08-01T09:21:33Z | Marc-Antoine delannoy
<p>Hello,<br />I'm trying to set up the latest version of Prelude OSS on Raspbian. With some effort I installed almost everything.<br />However, I have a problem with Prewikka, whose installation doesn't work. I have installed all the dependencies.<br />But I'm getting some errors when I run this command: python setup.py install</p>
<pre><code class="text syntaxhl"><span class="CodeRay">root@raspberrypi:/home/prelude/prewikka-5.0.2# python setup.py install
running install
running build
running compile_catalog
error: prewikka/locale/de/LC_MESSAGES/prewikka.po:1560: placeholders are incompatible
compiling catalog prewikka/locale/de/LC_MESSAGES/prewikka.po to prewikka/locale/de/LC_MESSAGES/prewikka.mo
error: prewikka/locale/ru/LC_MESSAGES/prewikka.po:47: unknown named placeholder u'value'
error: prewikka/locale/ru/LC_MESSAGES/prewikka.po:162: unknown named placeholder u'version'
error: prewikka/locale/ru/LC_MESSAGES/prewikka.po:1593: placeholders are incompatible
compiling catalog prewikka/locale/ru/LC_MESSAGES/prewikka.po to prewikka/locale/ru/LC_MESSAGES/prewikka.mo
error: prewikka/locale/pl/LC_MESSAGES/prewikka.po:1587: placeholders are incompatible
error: prewikka/locale/pl/LC_MESSAGES/prewikka.po:1870: placeholders are incompatible
compiling catalog prewikka/locale/pl/LC_MESSAGES/prewikka.po to prewikka/locale/pl/LC_MESSAGES/prewikka.mo
error: prewikka/locale/es/LC_MESSAGES/prewikka.po:1554: placeholders are incompatible
error: prewikka/locale/es/LC_MESSAGES/prewikka.po:2126: placeholders are incompatible
error: prewikka/locale/es/LC_MESSAGES/prewikka.po:2226: placeholders are incompatible
error: prewikka/locale/es/LC_MESSAGES/prewikka.po:2231: placeholders are incompatible
compiling catalog prewikka/locale/es/LC_MESSAGES/prewikka.po to prewikka/locale/es/LC_MESSAGES/prewikka.mo
error: prewikka/locale/pt_BR/LC_MESSAGES/prewikka.po:1546: placeholders are incompatible
error: prewikka/locale/pt_BR/LC_MESSAGES/prewikka.po:2119: placeholders are incompatible
compiling catalog prewikka/locale/pt_BR/LC_MESSAGES/prewikka.po to prewikka/locale/pt_BR/LC_MESSAGES/prewikka.mo
compiling catalog prewikka/locale/fr/LC_MESSAGES/prewikka.po to prewikka/locale/fr/LC_MESSAGES/prewikka.mo
error: prewikka/locale/it/LC_MESSAGES/prewikka.po:43: unknown named placeholder u'value'
error: prewikka/locale/it/LC_MESSAGES/prewikka.po:1550: placeholders are incompatible
compiling catalog prewikka/locale/it/LC_MESSAGES/prewikka.po to prewikka/locale/it/LC_MESSAGES/prewikka.mo
compiling catalog prewikka/locale/en/LC_MESSAGES/prewikka.po to prewikka/locale/en/LC_MESSAGES/prewikka.mo
running build_custom
compiling ['themes/dark.less', 'prewikka/htdocs/css/style.less'] -> prewikka/htdocs/css/themes/dark.css
error: [Errno 2] No such file or directory
</span></code></pre>
<p>There is a problem with the languages. The second problem, I guess, is prewikka/htdocs/css/themes/dark.css, which is not found.<br />Package installation does not seem possible in version 5 for a Debian-based distribution (4 is the last version I found).</p>
<p>Do you have any idea how to solve this?<br />Regards</p>
PRELUDE SIEM - Bug #1093 (Assigned): prelude-admin Segmentation Fault raspbian | http://www.prelude-siem.org/issues/1093 | 2019-05-06T12:16:55Z | Marc-Antoine delannoy
<p>Hello,<br />I am trying to run libprelude on a Raspberry Pi to use Suricata with the Prelude alert format.<br />I downloaded libprelude-5.0.0.tar.gz and decompressed the archive.<br />Then:<br /><code><br />./configure<br />make<br />make install<br />LD_LIBRARY_PATH=/usr/local/lib<br />export LD_LIBRARY_PATH<br /></code><br />When I try to use prelude-admin without arguments, it works and displays the help message.<br />But if, for example, I try prelude-admin list, it returns a segmentation fault.<br />Same for any argument.</p>
<p>And if I run make check<br />I have 4 errors.<br />The end of the output is:<br /><pre>
make check-TESTS check-local
make[3]: Entering directory '/home/suricata/libprelude-5.0.0/tests'
make[4]: Entering directory '/home/suricata/libprelude-5.0.0/tests'
../test-driver: line 95: 26741 Segmentation fault "$@" > $log_file 2>&1
FAIL: async-timer
PASS: idmef
../test-driver: line 95: 26789 Aborted "$@" > $log_file 2>&1
FAIL: idmef-criteria
PASS: idmef-message-helper
PASS: idmef-path
PASS: idmef-value
../test-driver: line 95: 26885 Segmentation fault "$@" > $log_file 2>&1
FAIL: prelude-client
PASS: prelude-string
../test-driver: line 95: 26933 Segmentation fault "$@" > $log_file 2>&1
FAIL: prelude-timer
make[5]: Entering directory '/home/suricata/libprelude-5.0.0/tests'
make[5]: Nothing to be done for 'all'.
make[5]: Leaving directory '/home/suricata/libprelude-5.0.0/tests'
============================================================================
Testsuite summary for libprelude 5.0.0
============================================================================
# TOTAL: 9
# PASS: 5
# SKIP: 0
# XFAIL: 0
# FAIL: 4
# XPASS: 0
# ERROR: 0
============================================================================
See tests/test-suite.log
============================================================================
Makefile:1881: recipe for target 'test-suite.log' failed
make[4]: *** [test-suite.log] Error 1
make[4]: Leaving directory '/home/suricata/libprelude-5.0.0/tests'
Makefile:1987: recipe for target 'check-TESTS' failed
make[3]: *** [check-TESTS] Error 2
make[3]: Leaving directory '/home/suricata/libprelude-5.0.0/tests'
Makefile:2117: recipe for target 'check-am' failed
make[2]: *** [check-am] Error 2
make[2]: Leaving directory '/home/suricata/libprelude-5.0.0/tests'
Makefile:1669: recipe for target 'check-recursive' failed
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory '/home/suricata/libprelude-5.0.0'
Makefile:1954: recipe for target 'check' failed
make: *** [check] Error 2
</pre></p>
<p>Do you have any idea how to solve this?</p>
<p>Regards</p>
PRELUDE SIEM - Bug #1082 (Assigned): Problem registering my IDS (Suricata) on Prelude OSS | http://www.prelude-siem.org/issues/1082 | 2019-04-12T08:13:59Z | Marc-Antoine delannoy
<p>Hi,<br />I have a problem registering my IDS (Suricata) on Prelude OSS. My IDS is on the same network but in a different CentOS VM. The Prelude address is 192.168.0.2 and the IDS address is 192.168.0.3.<br />I already installed from source: prelude-manager, prelude-lml (not used), prelude-admin and libpreludedb. I configured /usr/local/etc/prelude/default/client.conf<br />to change server-addr=127.0.0.1 to server-addr=192.168.0.2.<br />Same for prelude-manager.conf with listen = 192.168.0.2:5553.<br />I verified the connection between my IDS and my Prelude with a ping.<br />Then I enter the command line on the Prelude machine:<br />prelude-admin registration-server prelude-manager<br />and on the IDS:</p>
<p>prelude-admin register suricata "idmef:w admin:r" 192.168.0.2 --uid 1000 --gid 1500</p>
<p>I copy the one-shot password but get this error message on my IDS:<br />Connecting to registration server (192.168.0.2 :5553)<br />Could not connect to 192.168.0.2 port 5553 : No route to host<br />So I scanned my ports, and port 5553 remains closed throughout the whole process.<br />I may have missed a command line or configuration, so I reread the whole doc but I didn't find anything about it.</p>
<p>Do you have any suggestions?</p>
<p>Thanks.</p>
Prewikka - Support #1031 (Assigned): Authentication error | http://www.prelude-siem.org/issues/1031 | 2019-01-06T17:29:51Z | Robin IRLINGER
<p>Hi,</p>
<p>I'm having trouble with auth in Prewikka. It's impossible to enable [auth loginpassword] in /etc/prewikka/prewikka.conf: "Cannot use auth mode 'loginpassword', please contact your local administrator". (cf. screenshot)</p>
<p>Do you have any suggestions?</p>
<p>Thanks.</p>
<p>Robin</p>
Libprelude - Bug #893 (New): libprelude-errors failed compile on hurd-i386 | http://www.prelude-siem.org/issues/893 | 2017-06-24T14:23:44Z | Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<pre>
make[6]: Entering directory '/<<PKGBUILDDIR>>/src/libprelude-error'
LANG="" gawk -f ./mkstrtable.awk -v textidx=3 \
./err-sources.h.in >err-sources.h
LANG="" gawk -f ./mkstrtable.awk -v textidx=3 \
./err-codes.h.in >err-codes.h
LANG="" gawk -f ./mkerrcodes1.awk ./errnos.in >_mkerrcodes.h
gcc -E -P _mkerrcodes.h | grep PRELUDE_ERROR_ | LANG="" gawk -f ./mkerrcodes.awk >mkerrcodes.h
rm _mkerrcodes.h
gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -I. -I. -o mkerrcodes ./mkerrcodes.c
In file included from ./mkerrcodes.c:26:0:
./mkerrcodes.h:3:3: error: expected identifier or '(' before numeric constant
((0x10 << 26) | ((7) & 0x3fff)) PRELUDE_ERROR_E2BIG
^~~~
./mkerrcodes.h:3:15: error: expected ')' before '|' token
((0x10 << 26) | ((7) & 0x3fff)) PRELUDE_ERROR_E2BIG
^
./mkerrcodes.c: In function 'main':
./mkerrcodes.c:59:31: error: 'err_table' undeclared (first use in this function)
for (i = 0; i < sizeof (err_table) / sizeof (err_table[0]) - 1; i++)
^~~~~~~~~
./mkerrcodes.c:59:31: note: each undeclared identifier is reported only once for each function it appears in
Makefile:1790: recipe for target 'mkerrcodes' failed
</pre>
Libprelude - Bug #887 (New): Timer tests on slow system | http://www.prelude-siem.org/issues/887 | 2017-05-14T14:22:27Z | Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>On a slow system, sometimes the timer tests (tests/prelude-timer.c) won't work.</p>
<p>Adding "1" to max_expire in the for loop solves this:</p>
<pre>
- for ( i = 0; i <= max_expire && timer_alive; i++ ) {
+ for ( i = 0; i <= max_expire + 1 && timer_alive; i++ ) {
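Review bot: the `+` line widens the bound to `max_expire + 1` without any comment saying why one extra iteration is enough on a slow host, so a later reader will read it as an off-by-one fix rather than a timing allowance. Add a comment on the loop stating that the extra iteration is slack for slow systems, or derive the allowance from the timer period instead of a fixed +1 so that an even slower machine does not fail the test the same way again.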
</pre>
Libprelude - Bug #886 (New): Sometimes, test-lock from libmissing won't work | http://www.prelude-siem.org/issues/886 | 2017-05-14T14:19:50Z | Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>Same issue in coreutils and other packages: <a class="external" href="http://pkgs.fedoraproject.org/cgit/rpms/coreutils.git/commit/?id=8d346246">http://pkgs.fedoraproject.org/cgit/rpms/coreutils.git/commit/?id=8d346246</a></p>
<p>Hope that gnulib will update this test.</p>
Libprelude - Bug #885 (New): Segfault with atfork on arm64, armhf and ppc64el | http://www.prelude-siem.org/issues/885 | 2017-05-14T14:16:45Z | Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>See <a class="external" href="https://bugs.launchpad.net/ubuntu/+source/libprelude/+bug/1262430">https://bugs.launchpad.net/ubuntu/+source/libprelude/+bug/1262430</a></p>
Libprelude - Bug #879 (New): M4 for Ruby on Debian 9 not working | http://www.prelude-siem.org/issues/879 | 2017-03-27T22:48:17Z | Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>The current M4 (3.1, m4/am_path_ruby) can't detect Ruby on Debian 9.</p>
<p>Here is an example patch:</p>
<pre>
--- libprelude-3.1.0/m4/am_path_ruby.m4 2017-02-28 18:00:21.227299410 -0500
+++ libprelude-3.1.0/m4/am_path_ruby.m4 2017-02-28 18:01:06.702306372 -0500
@@ -95,7 +95,7 @@
dnl (shared libraries)
AC_CACHE_CHECK([for $am_display_RUBY extension module directory],
[am_cv_ruby_rbexecdir],
- [am_cv_ruby_rbexecdir=`$RUBY -rrbconfig -e "drive = File::PATH_SEPARATOR == ';' ? /\A\w:/ : /\A/; prefix = Regexp.new('\\A' + Regexp.quote(RbConfig::CONFIG[['prefix']])); \\$prefix = RbConfig::CONFIG[['prefix']].sub(drive, ''); \\$sitearchdir = RbConfig::CONFIG[['sitearchdir']].sub(prefix, '\\$(prefix)').sub(drive, ''); print \\$sitearchdir;" 2>/dev/null || echo "${RUBY_EXEC_PREFIX}/local/lib/site_ruby/${RUBY_VERSION}/${RUBY_PLATFORM}"`])
+ [am_cv_ruby_rbexecdir=`$RUBY -r rbconfig -e "print RbConfig::CONFIG[['vendorarchdir']]"`])
AC_SUBST([rbexecdir], [$am_cv_ruby_rbexecdir])
dnl if PKG-CONFIG is available, we use it. Else, we try to dectect RUBY_INCLUDES manually
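Review bot: the `+` line drops the `2>/dev/null || echo "${RUBY_EXEC_PREFIX}/local/lib/site_ruby/..."` fallback that the `-` line carried, so if `$RUBY` is absent or the `-e` script fails, `am_cv_ruby_rbexecdir` is silently set to an empty string and configure carries on with an empty `rbexecdir`; keep a fallback or make the cache check fail loudly. It also replaces `sitearchdir`, which the old line rewrote to start with `$(prefix)`, by the raw absolute `vendorarchdir`, so the extension no longer installs under `--prefix`, and that change applies to every platform rather than only Debian 9; the switch of directory should be stated in the commit message.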
</pre>
Libprelude - Bug #860 (Assigned): Fedora: ruby sitearchdir needs to be vendorarchdir | http://www.prelude-siem.org/issues/860 | 2016-10-31T21:33:18Z | Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>On Fedora, sitearchdir is not defined, so the Ruby "so" file goes to /usr/local.</p>
<p>On Fedora it is vendorarchdir.</p>
LibpreludeDB - Bug #392 (Assigned): Potential security risk in preludedb-admin? | http://www.prelude-siem.org/issues/392 | 2011-01-15T15:37:50Z | Paul Buetow (prelude@mx.buetow.org)
<p>Hi!</p>
<p>I wanted to ask a question regarding preludedb-admin.</p>
<p>I am using 0.9.14.1-2 (Debian GNU/Linux Lenny). There is no way to avoid passing the database password (e.g. the MySQL password) as a command-line argument. The password shows up in plain text in the system process list while using preludedb-admin.</p>
<p>It should be possible to "pipe" the arguments to preludedb-admin.</p>
<p>The current way:</p>
<p>preludedb-admin delete alert "type=mysql name=prelude user=prelude pass=prelude" --criteria "alert.create_time < $DATE"</p>
<p>"Better way":</p>
<p>some-script-generating-arguments | preludedb-admin</p>
<p>(Alternatively just pipe the "type=mysql name=prelude user=prelude" part)</p>
<p>And / Or:</p>
<p>preludedb-admin --args filename</p>
<p>(Alternatively just read the "type=mysql name=prelude user=prelude" part from a file)</p>
<p>And / Or:</p>
<p>Read password from an environment variable:</p>
<pre>
#!/bin/sh
export PRELUDE_PASS=prelude
exec preludedb-admin delete alert "type=mysql name=prelude user=prelude" --criteria "alert.create_time < $DATE"
</pre>
<p>And / Or:</p>
<p>Read password from stdin if missing in the argument.</p>
<p>Hope you got my point :)</p>
<p>Thanks a lot and best regards,</p>
Prelude Correlator - Feature #375 (Assigned): Prelude Correlator upper event limit | http://www.prelude-siem.org/issues/375 | 2010-04-06T19:40:57Z | James Chapple (heatgod@verizon.net)
<p>When a correlated event such as Eventscan or Eventstorm contains a large number of events, the Prewikka GUI times out and is unable to display the event details. On several test systems available to me, the threshold seemed to be around 5K events. This was discovered during a Nessus scan of monitored systems, where Nessus is scanning every port. Iptables is logging every blocked port, potentially generating many thousands of events during the window.</p>
<p>The ability to specify an upper limit in the Correlator rules for a given correlated event would be useful to prevent excessive messages in a single event.</p>
Prewikka - Feature #260 (New): IDMEF XML View in Prewikka | http://www.prelude-siem.org/issues/260 | 2007-09-08T18:04:30Z
<p>Hey there,</p>
<p>I would suggest the following feature for prewikka: In the detailed alert view</p>
<p>/?view=alert_summary&origin=alert_listing&messageid=$alert.messageid</p>
<p>There should be the possibility to view this event in pure IDMEF XML, too. This would make it easier to get an IDMEF overview and an in-depth view, as well as making it easier to create rules/filters on IDMEF criteria, i.e. if using the SMTP plugin or just some other custom filters.</p>