UNITY 360: Issueshttp://www.prelude-siem.org/http://www.prelude-siem.org/welcome/themes/prelude/favicon/Prelude-icon.png2016-12-05T22:33:54ZUNITY 360
Redmine PRELUDE SIEM - Bug #865 (New): make distcheck not working on 32bithttp://www.prelude-siem.org/issues/8652016-12-05T22:33:54ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>make distcheck is not working on 32 bits architecture because of timegm behavior.</p> PRELUDE SIEM - Bug #863 (New): FSF address in libprelude-errorhttp://www.prelude-siem.org/issues/8632016-11-30T23:14:57ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>Please update FSF address in libprelude-error</p> Libprelude - Bug #860 (Assigned): Fedora : ruby sitearchdir need to be vendorarchdirhttp://www.prelude-siem.org/issues/8602016-10-31T21:33:18ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>On Fedora, sitearchdir is not defined, so ruby "so" file go to /usr/local.</p>
<p>On Fedora it is vendorarchdir</p> LibpreludeDB - Bug #392 (Assigned): Potential security risc in preludedb-admin?http://www.prelude-siem.org/issues/3922011-01-15T15:37:50ZPaul Buetowprelude@mx.buetow.org
<p>Hi!</p>
<p>I wanted to ask a question regarding preludedb-admin.</p>
<p>I am using 0.9.14.1-2 (Debian GNU/Linux Lenny). There is no way not to<br />define the database password (e.g. mysql password) NOT in the command<br />line argument. The password shows up in plain text in the system<br />process list while using preludedb-admin.</p>
<p>It should be possible to "pipe" the arguments to preludedb-admin</p>
<p>The current way:</p>
<p>preludedb-admin delete alert "type=mysql name=prelude user=prelude<br />pass=prelude" --criteria "alert.create_time < $DATE"</p>
<p>"Better way":</p>
<p>some-script-generating-arguments | preludedb-admin</p>
<p>(Alternatively just pipe the "type=mysql name=prelude user=prelude" <br />part)</p>
<p>And / Or:</p>
<p>preludedb-admin --args filename</p>
<p>(Alternatively just read the "type=mysql name=prelude user=prelude" <br />part from file)</p>
<p>And / Or:</p>
<p>Read password from an environment variable:</p>
<p>#/bin/sh</p>
<p>export PRELUDE_PASS=prelude<br />exec preludedb-admin delete alert "type=mysql name=prelude<br />user=prelude" --criteria "alert.create_time < $DATE"</p>
<p>And / Or:</p>
<p>Read password from stdin if missing in the argument.</p>
<p>Hope you got my point <img src="/plugin_assets/redmine_wiki_extensions/images/smile.png" alt=":)"></p>
<p>Thanks a lot and best regards,</p> Prelude Correlator - Feature #375 (Assigned): Prelude Correlator upper event limithttp://www.prelude-siem.org/issues/3752010-04-06T19:40:57ZJames Chappleheatgod@verizon.net
<p>When a corrleated event such as Eventscan or Eventstorm contains large numbers of events, the Prewikka GUI times out and is unable to display the event details. On several test systems available to me, the threshold seemed to be around 5K events. This was discovered during a Nessus scan of monitored systems, where Nessus is scanning every port. Iptables is logging every blocked port, potentially generating many thousands of events during the window.</p>
<p>The ability to specify an upper limit in the Correlator rules for a given correlated event would be useful to prevent excessive messages in a single event.</p> PRELUDE SIEM - Bug #349 (New): SANCP - problem on installhttp://www.prelude-siem.org/issues/3492009-05-18T09:27:51Zjulien aussibaljulien.aussibal@univ-pau.fr
<p>Hello everybody,</p>
<p>I'm trying to install sancp on my computer for looking my network.</p>
<p>First, the link of the tar.gz is dead on this page (<a class="external" href="https://dev.prelude-ids.com/wiki/prelude/InstallingAgentThirdpartySancp">https://dev.prelude-ids.com/wiki/prelude/InstallingAgentThirdpartySancp</a>) .</p>
<p>Secondly, I found a different version on this page : <a class="external" href="http://metre.net/files/">http://metre.net/files/</a><br />but the lastest version doesn't compile with prelude option.</p>
<p>Anybody have a stable version of sancp working with prelude ? Could you indicate how to configure it to log Alert in prelude-manager.</p>
<p>Thanks</p> PRELUDE SIEM - Bug #343 (New): OSSEC-HIDS 1.6.1 always sets assessment.impact.completion = succededhttp://www.prelude-siem.org/issues/3432009-01-25T20:06:12Z
<p>Example: the IDMEF alerts for both of these logs</p>
<pre>
[[WinEvtLog]]: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: SERVER: user@DOMAIN DOMAIN PC$ %{SOMERANDOMUIDHERE} 0x40810010 0x17 10.10.10.10 - {SOMEOTHERUID} -
[[WinEvtLog]]: Security: AUDIT_FAILURE(673): Security: SYSTEM: NT AUTHORITY: SERVER: - 0x2 - 10.10.10.10 0x20 - -
</pre>
<p>have assessment.impact.completion = succeeded</p>
<p>See also: <a class="external" href="http://marc.info/?t=123274084100006&r=1&w=2">http://marc.info/?t=123274084100006&r=1&w=2</a></p> LibpreludeDB - Bug #337 (New): Fake result number of deleted records in preludedb-adminhttp://www.prelude-siem.org/issues/3372008-12-08T17:16:54Z
<p>The output of preludedb-admin was:</p>
<p>delete event failed: Lost connection to [[MySQL]] server during query.</p>
<p>Error at transaction 448000. Use --offset 874000 to resume operation.</p>
<p>2152124949 'delete' events processed in 2783.401760 seconds (0.000001 seconds/events - 773199.535880 delete/sec average).</p>
<p>2152124949 events processed in 2783.401760 seconds (0.000001 seconds/events - 773199.535880 events/sec average).</p>
<p>2152124949 is the fake as '--offset 874000' says where it stopped.</p> Prelude-LML - Feature #315 (New): Using Named variables in PCRE rulesethttp://www.prelude-siem.org/issues/3152008-09-13T20:42:09Z
<p>Named Variables in pcre:</p>
<p>This would make for quicker and simpler rules to be created in prelude-lml.</p>
<p>Example from ntsyslog.rules:</p>
<pre>
regex=security\[success\] 528 (.*) Successful Logon: User Name:(?<username>[\w ]+) Domain:(?<domain>.+) Logon ID:\(?<lid>.*\) Logon Type:(?<ltype>\d+) Logon Process:(?<lprocess>\w+) .* Workstation Name:(?<wks>\S+);
classification.text=Login; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=Windows Event ID; \
classification.reference(0).name=528; \
classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \
id=1401; \
revision=3; \
analyzer(0).name=NTsyslog; \
analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
analyzer(0).class=Logging; \
assessment.impact.severity=low; \
assessment.impact.completion=succeeded; \
assessment.impact.type=user; \
assessment.impact.description=$username successfully logged on on $wks ($domain domain) via $ltype; \
source(0).process.name=$5; \
source(0).node.address(0).category=unknown; \
source(0).node.address(0).address=$wks; \
source(0).node.name=$wks; \
source(0).user.category=os-device; \
source(0).user.user_id(0).type=current-user; \
source(0).user.user_id(0).name=$username; \
target(0).user.user_id(0).type=current-user; \
target(0).user.user_id(0).name=$username; \
additional_data(0).type=integer; \
additional_data(0).meaning=Logon type; \
additional_data(0).data=$ltype; \
additional_data(1).type=string; \
additional_data(1).meaning=Authentication domain; \
additional_data(1).data=$domain; \
last
</pre> Prewikka - Feature #260 (New): IDMEF XML View in Prewikkahttp://www.prelude-siem.org/issues/2602007-09-08T18:04:30Z
<p>Hey there,</p>
<p>I would suggest the following feature for prewikka: In the detailed alert view</p>
<p>/?view=alert_summary&origin=alert_listing&messageid=$alert.messageid</p>
<p>there should be the possibility to view this event in pure IDMEF XML, too. This would make it easier to get an IDMEF overview and indepth view, as well as it makes it easier to create rules/filters on IDMEF criteria, i.e. if using the smtp plugin or just some other custom filters</p> Prewikka - Feature #240 (New): [PATCH] - SSL Client Certificate Authentification modulehttp://www.prelude-siem.org/issues/2402007-06-18T16:58:01Z
<p>Hi</p>
<p>Here is a patch to use a SSL Client certificate to authenticate user. The username should be equal to the user certificate CN (the full DN is too long to be used, login field is limited to 32 char)</p>
Limitations:
<ul>
<li>Currently only tested in a SSL mod_python setup</li>
<li>Need SSLOptions +StdEnvVars</li>
<li>Used with python 2.3</li>
</ul>
<p>In prewikka.conf</p>
<pre>
[auth ssl]
</pre>
<p>And this file in a new directory <em>prewikka/modules/auth/ssl/</em><br /><pre>
# Copyright (C) 2006 [[PreludeIDS]] Technologies. All Rights Reserved.
# Author: Francois Harvey <fharvey+prelude at securiweb dot net>
#
# This file is part of the Prewikka program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
import os
from prewikka import Auth, User, Database
# Use the SSL_CLIENT_S_DN_CN from a SSL x509 Certificate to map the user
class SSLAuth(Auth.Auth):
def getUser(self, request):
if not request._req.subprocess_env['HTTPS']:
raise Auth.AuthError(message=_("SSL Authentication failed: Not in a SSL session."))
user = request._req.subprocess_env['SSL_CLIENT_S_DN_CN']
if not user:
raise Auth.AuthError(message=_("SSL Authentication failed: no user specified (hint: look at the certificate CN)."))
return User.User(self.db, user, self.db.getLanguage(user), User.ALL_PERMISSIONS, self.db.getConfiguration(user))
def load(env, config):
return SSLAuth(env)
</pre></p> Prelude-LML - Feature #238 (New): manpagehttp://www.prelude-siem.org/issues/2382007-06-09T00:32:30Z
<p>Here is a manpage for prelude-lml, mostly taken from --help command line and the wiki. Please review for integration.</p> Prelude-LML - Bug #215 (New): ntsyslog.rules does not detect domain login eventshttp://www.prelude-siem.org/issues/2152007-04-03T17:44:11Z
<p>The ruleset appears to detect only host-based login attempts rather than login attempts against a domain.</p>
<p>event id 675: (bad password)</p>
<p>security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name:mike User ID: %{x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx} Service Name:krbtgt/HQ Pre-Authentication Type:0x2 Failure Code:0x18 Client<br />Address:10.120.120.152</p>
<p>more info: <a class="external" href="http://www.ultimatewindowssecurity.com/events/com298.html">http://www.ultimatewindowssecurity.com/events/com298.html</a></p> Prelude-LML - Bug #214 (New): Invalid classification reference in several LML rulesetshttp://www.prelude-siem.org/issues/2142007-04-03T17:37:44ZYoann VANDOORSELAERE
<p>Some LML rulesets are missing an "url" field for the Classification Reference. IDMEF specify that the "url" member of a Reference has to be specified.</p>
Example of such rulesets are:
<ul>
<li>cisco-vpn.rules</li>
<li>cisco-css.rules</li>
</ul> Prelude-LML - Bug #213 (New): LML rulesets should be updated to use IDMEF Actionhttp://www.prelude-siem.org/issues/2132007-04-03T17:31:44ZYoann VANDOORSELAERE
<p>Current rulesets (except modsecurity) does not make use of the IDMEF Action class.</p>
<pre>
4.2.6.2. The Action Class
The Action class is used to describe any actions taken by the
analyzer in response to the event.
category
The type of action taken. The permitted values are shown below.
The default value is "other". (See also Section 10.)
+------+-------------------+----------------------------------------+
| Rank | Keyword | Description |
+------+-------------------+----------------------------------------+
| 0 | block-installed | A block of some sort was installed to |
| | | prevent an attack from reaching its |
| | | destination. The block could be a |
| | | port block, address block, etc., or |
| | | disabling a user account. |
| | | |
| 1 | notification-sent | A notification message of some sort |
| | | was sent out-of-band (via pager, |
| | | e-mail, etc.). Does not include the |
| | | transmission of this alert. |
| | | |
| 2 | taken-offline | A system, computer, or user was taken |
| | | offline, as when the computer is shut |
| | | down or a user is logged off. |
| | | |
| 3 | other | Anything not in one of the above |
| | | categories. |
+------+-------------------+----------------------------------------+
The element itself may be empty, or may contain a textual
description of the action, if the analyzer is able to provide
additional details.
</pre>