UNITY 360: Issues (feed from http://www.prelude-siem.org/, last updated 2017-09-21T16:38:48Z)
Prelude Correlator rules - Task #907 (New): CVE-2017-9798 - OptionsBleed - Correlation
http://www.prelude-siem.org/issues/907 (2017-09-21T16:38:48Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
<p>OptionsBleed is a simple OPTIONS request; there is no specific pattern. But to gather enough leaked pieces of information to make a full one, the attacker needs to request OPTIONS many times.</p>

Prelude-LML-Rules - Feature #906 (New): CVE-2017-9798 - OptionsBleed - Detection
http://www.prelude-siem.org/issues/906 (2017-09-21T16:05:36Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
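The threshold logic that the two OptionsBleed issues describe (#907 above: one OPTIONS request is not a pattern, many from one source are; #906: an LML rule has to match each request so the correlator can count them), as an added example. It is not code from the Prelude project or from the reporter and uses no Prelude API: the regex plays the LML rule, the sliding-window class plays the correlation rule, and the log format, the 10-requests-in-60-seconds threshold and the log lines themselves are assumptions constructed for the example.

```python
"""OptionsBleed (CVE-2017-9798) probe detection from web access logs.

Added example for #907 and #906; not Prelude code. parse_line() stands in
for the LML rule (match every OPTIONS request), OptionsFloodCorrelator for
the correlator (count them per source over a window), because one OPTIONS
request is legitimate and the leak only pays off after many of them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of the Apache/nginx "combined" access-log format
# (assumed format; referer and user-agent are not needed here).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """LML side (#906): one raw log line -> record, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


class OptionsFloodCorrelator:
    """Correlator side (#907): sliding-window count of OPTIONS requests per
    client; alert once when a client reaches `threshold` hits within `window`."""

    def __init__(self, threshold=10, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of its OPTIONS requests
        self._alerted = set()            # clients already reported, to avoid re-alerting

    def feed(self, rec):
        """Return an alert dict when `rec` pushes its client over the threshold,
        else None. Non-OPTIONS records and unparseable lines (None) are ignored."""
        if rec is None or rec["method"] != "OPTIONS":
            return None
        hits = self._hits[rec["client"]]
        hits.append(rec["ts"])
        while hits and rec["ts"] - hits[0] > self.window:  # expire hits outside the window
            hits.popleft()
        if len(hits) >= self.threshold and rec["client"] not in self._alerted:
            self._alerted.add(rec["client"])
            return {
                "classification": "CVE-2017-9798 OptionsBleed probing",  # hypothetical alert text
                "source": rec["client"],
                "count": len(hits),
                "first": hits[0].isoformat(),
                "last": rec["ts"].isoformat(),
            }
        return None


def correlate(lines, threshold=10, window_seconds=60):
    """Run the rule + correlator pair over an iterable of raw log lines."""
    corr = OptionsFloodCorrelator(threshold, timedelta(seconds=window_seconds))
    alerts = []
    for line in lines:
        alert = corr.feed(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def sample_log():
    """Constructed access log with three clients:
    203.0.113.7  - 12 OPTIONS within 22 s (probe, must alert exactly once),
    198.51.100.4 - one CORS-style OPTIONS preflight followed by GETs (benign),
    192.0.2.9    - 12 OPTIONS 30 s apart (never 10 inside any 60 s window)."""
    base = datetime(2017, 9, 21, 16, 0, 0)

    def line(client, offset, method, target="/index.html", status=200):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{client} - - [{ts}] "{method} {target} HTTP/1.1" {status} -'

    lines = [line("203.0.113.7", 2 * i, "OPTIONS") for i in range(12)]
    lines += [line("198.51.100.4", 1, "OPTIONS", "/api/items")]
    lines += [line("198.51.100.4", 1 + i, "GET", "/api/items") for i in range(1, 6)]
    lines += [line("192.0.2.9", 30 * i, "OPTIONS") for i in range(12)]
    lines.sort(key=lambda l: parse_line(l)["ts"])  # real logs are time ordered
    lines.append("not a log line at all")           # exercises the parser's None path
    return lines


if __name__ == "__main__":
    for alert in correlate(sample_log()):
        print(alert)
```

The access log only shows the request side. The leaked bytes of OptionsBleed appear in the server's Allow response header, so where response headers are logged (or a reverse proxy can inspect them) a rule on a malformed Allow value is a more specific signal than the request count alone; that check is outside what the two issues ask for and is not shown here.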
<p>In order to detect OptionsBleed, you need these LML rules to be able to do the right correlation.</p>

LibpreludeDB - Bug #898 (New): Add pkg-config file
http://www.prelude-siem.org/issues/898 (2017-08-18T20:44:49Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
<p>As with libprelude, please add a pkg-config file.</p>

Libprelude - Bug #893 (New): libprelude-errors failed compile on hurd-i386
http://www.prelude-siem.org/issues/893 (2017-06-24T14:23:44Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
<pre>
make[6]: Entering directory '/<<PKGBUILDDIR>>/src/libprelude-error'
LANG="" gawk -f ./mkstrtable.awk -v textidx=3 \
./err-sources.h.in >err-sources.h
LANG="" gawk -f ./mkstrtable.awk -v textidx=3 \
./err-codes.h.in >err-codes.h
LANG="" gawk -f ./mkerrcodes1.awk ./errnos.in >_mkerrcodes.h
gcc -E -P _mkerrcodes.h | grep PRELUDE_ERROR_ | LANG="" gawk -f ./mkerrcodes.awk >mkerrcodes.h
rm _mkerrcodes.h
gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -I. -I. -o mkerrcodes ./mkerrcodes.c
In file included from ./mkerrcodes.c:26:0:
./mkerrcodes.h:3:3: error: expected identifier or '(' before numeric constant
((0x10 << 26) | ((7) & 0x3fff)) PRELUDE_ERROR_E2BIG
^~~~
./mkerrcodes.h:3:15: error: expected ')' before '|' token
((0x10 << 26) | ((7) & 0x3fff)) PRELUDE_ERROR_E2BIG
^
./mkerrcodes.c: In function 'main':
./mkerrcodes.c:59:31: error: 'err_table' undeclared (first use in this function)
for (i = 0; i < sizeof (err_table) / sizeof (err_table[0]) - 1; i++)
^~~~~~~~~
./mkerrcodes.c:59:31: note: each undeclared identifier is reported only once for each function it appears in
Makefile:1790: recipe for target 'mkerrcodes' failed
</pre>

Libprelude - Bug #879 (New): M4 for Ruby on Debian 9 not working
http://www.prelude-siem.org/issues/879 (2017-03-27T22:48:17Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
<p>The current M4 macro (3.1, m4/am_path_ruby) can't detect Ruby on Debian 9.</p>
<p>Here is an example patch:</p>
<pre>
--- libprelude-3.1.0/m4/am_path_ruby.m4 2017-02-28 18:00:21.227299410 -0500
+++ libprelude-3.1.0/m4/am_path_ruby.m4 2017-02-28 18:01:06.702306372 -0500
@@ -95,7 +95,7 @@
dnl (shared libraries)
AC_CACHE_CHECK([for $am_display_RUBY extension module directory],
[am_cv_ruby_rbexecdir],
- [am_cv_ruby_rbexecdir=`$RUBY -rrbconfig -e "drive = File::PATH_SEPARATOR == ';' ? /\A\w:/ : /\A/; prefix = Regexp.new('\\A' + Regexp.quote(RbConfig::CONFIG[['prefix']])); \\$prefix = RbConfig::CONFIG[['prefix']].sub(drive, ''); \\$sitearchdir = RbConfig::CONFIG[['sitearchdir']].sub(prefix, '\\$(prefix)').sub(drive, ''); print \\$sitearchdir;" 2>/dev/null || echo "${RUBY_EXEC_PREFIX}/local/lib/site_ruby/${RUBY_VERSION}/${RUBY_PLATFORM}"`])
+ [am_cv_ruby_rbexecdir=`$RUBY -r rbconfig -e "print RbConfig::CONFIG[['vendorarchdir']]"`])
AC_SUBST([rbexecdir], [$am_cv_ruby_rbexecdir])
dnl if PKG-CONFIG is available, we use it. Else, we try to dectect RUBY_INCLUDES manually
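Review bot: the "+" line drops the error handling of the "-" line: the old command ran with "2>/dev/null || echo ..." so a missing or broken $RUBY still left a usable directory, whereas the new one caches whatever "$RUBY -r rbconfig" prints, i.e. an empty am_cv_ruby_rbexecdir when it fails, and the breakage only shows up at install time. Either keep a fallback or add an AC_MSG_ERROR when the result is empty. The "+" line also changes the semantics in two ways worth spelling out in the commit message: RbConfig::CONFIG['vendorarchdir'] is an absolute path, while the removed code rewrote the Ruby prefix into '$(prefix)' (the .sub(prefix, '\\$(prefix)') step) so that "./configure --prefix=..." and DESTDIR builds stayed under the chosen prefix; and vendorarchdir is the directory for distribution packages whereas sitearchdir is for locally built extensions, so this is right for the Debian package but relocates a from-source install. If prefix relativity is still wanted, apply the same .sub() to vendorarchdir instead of dropping it.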
</pre>

LibpreludeDB - Bug #867 (New): libpreludedb: missing -lpreludecpp when linking
http://www.prelude-siem.org/issues/867 (2017-01-11T08:24:33Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
<p>With rpmlint, I got this:<br /><pre>
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 typeinfo for Prelude::PreludeError
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::PreludeError::what() const
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEFValue::isNull() const
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEFValue::~IDMEFValue()
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEFValue::operator idmef_value*() const
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEFValue::toString[abi:cxx11]() const
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEF::operator idmef_object*() const
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEFValue::IDMEFValue(idmef_value*)
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::PreludeError::PreludeError()
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 vtable for Prelude::PreludeError
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEFValue::getType() const
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEFPath::operator idmef_path*() const
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEF::IDMEF(idmef_object*)
libpreludedb.x86_64: W: undefined-non-weak-symbol /usr/lib64/libpreludedbcpp.so.2.1.0 Prelude::IDMEFCriteria::operator idmef_criteria*() const
</pre></p>
<p>This is because, in bindings/c++/Makefile, the variable "libpreludedbcpp_la_LDFLAGS" is missing "-lpreludecpp"</p>
<p>Also, it seems that libprelude-config never provides -lpreludecpp.</p>

LibpreludeDB - Bug #866 (New): libpreludedb: manpages warning
http://www.prelude-siem.org/issues/866 (2017-01-11T08:22:05Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
<p>When running rpmlint, I got this:<br /><pre>
libpreludedb-devel.x86_64: W: manual-page-warning /usr/share/man/man1/libpreludedb-config.1.gz 23: a special character is not allowed in a name
</pre></p>
<p>Patch:<br /><pre>
--- ./docs/manpages/libpreludedb-config.1 2016-09-15 08:49:14.234000884 +0200
+++ ./docs/manpages/libpreludedb-config.1 2017-01-10 08:22:39.280448484 +0100
@@ -20,7 +20,7 @@
.B \-\-libs
options.
This option must be specified before any
-.B\-\-libs
+.B \-\-libs
or
.B \-\-cflags
options. This
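Review bot: the "-"/"+" pair is the right fix and matches the rpmlint output exactly: with the hunk starting at line 20, ".B\-\-libs" is line 23 of the file, and without the space groff reads it as a request named "B\-\-libs", which is the "special character is not allowed in a name" warning. Since this paragraph reads like it was copied from the libprelude-config manpage (the option list is the same), check the sibling manpages for the same missing space before closing, e.g. grep -n '^\.B\\' docs/manpages/*.1, so the fix does not have to be repeated one rpmlint run at a time.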
</pre></p>

PRELUDE SIEM - Bug #865 (New): make distcheck not working on 32bit
http://www.prelude-siem.org/issues/865 (2016-12-05T22:33:54Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
<p>make distcheck is not working on 32-bit architectures because of timegm behaviour.</p>

PRELUDE SIEM - Bug #863 (New): FSF address in libprelude-error
http://www.prelude-siem.org/issues/863 (2016-11-30T23:14:57Z, Thomas ANDREJAK <thomas.andrejak@csgroup.eu>)
<p>Please update the FSF address in libprelude-error.</p>

LibpreludeDB - Bug #337 (New): Fake result number of deleted records in preludedb-admin
http://www.prelude-siem.org/issues/337 (2008-12-08T17:16:54Z)
<p>The output of preludedb-admin was:</p>
<p>delete event failed: Lost connection to MySQL server during query.</p>
<p>Error at transaction 448000. Use --offset 874000 to resume operation.</p>
<p>2152124949 'delete' events processed in 2783.401760 seconds (0.000001 seconds/events - 773199.535880 delete/sec average).</p>
<p>2152124949 events processed in 2783.401760 seconds (0.000001 seconds/events - 773199.535880 events/sec average).</p>
<p>2152124949 is fake, as '--offset 874000' says where it stopped.</p>

Prewikka - Feature #260 (New): IDMEF XML View in Prewikka
http://www.prelude-siem.org/issues/260 (2007-09-08T18:04:30Z)
<p>Hey there,</p>
<p>I would suggest the following feature for prewikka: In the detailed alert view</p>
<p>/?view=alert_summary&origin=alert_listing&messageid=$alert.messageid</p>
<p>there should be the possibility to view this event in pure IDMEF XML, too. This would make it easier to get an IDMEF overview and in-depth view, and it would also make it easier to create rules/filters on IDMEF criteria, e.g. when using the smtp plugin or some other custom filters.</p>

Prelude-LML - Feature #238 (New): manpage
http://www.prelude-siem.org/issues/238 (2007-06-09T00:32:30Z)
<p>Here is a manpage for prelude-lml, mostly taken from the --help command line output and the wiki. Please review for integration.</p>

Prelude-LML - Bug #215 (New): ntsyslog.rules does not detect domain login events
http://www.prelude-siem.org/issues/215 (2007-04-03T17:44:11Z)
<p>The ruleset appears to detect only host-based login attempts rather than login attempts against a domain.</p>
<p>event id 675: (bad password)</p>
<p>security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name:mike User ID: %{x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx} Service Name:krbtgt/HQ Pre-Authentication Type:0x2 Failure Code:0x18 Client Address:10.120.120.152</p>
<p>more info: <a class="external" href="http://www.ultimatewindowssecurity.com/events/com298.html">http://www.ultimatewindowssecurity.com/events/com298.html</a></p>

Prelude-LML - Bug #214 (New): Invalid classification reference in several LML rulesets
http://www.prelude-siem.org/issues/214 (2007-04-03T17:37:44Z, Yoann VANDOORSELAERE)
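What a rule for the event 675 line quoted in #215 above has to extract, as an added example that is not a Prelude-LML rule file and not the reporter's code: a regex in place of the LML pattern, and a dict in place of the IDMEF fields the rule would fill. It goes beyond the 0x18 (bad password) case on the page and maps the other Kerberos KDC failure codes that event 675 reports (standard RFC 4120 error codes), so a ruleset can tell brute-force noise from locked-out or expired accounts. The line layout is assumed from the single line in the issue; the sample lines, SIDs and addresses are constructed.

```python
"""Parse NTsyslog-forwarded Windows Security event 675 (Kerberos
pre-authentication failed), the domain-logon failure that #215 reports
ntsyslog.rules does not catch.

Added example, not Prelude code. The layout "security[failure] 675 <account>
Pre-authentication failed: ..." is assumed from the one line quoted in #215.
"""
import re

EVENT_675_RE = re.compile(
    r"security\[failure\] 675 (?P<account>.+?) Pre-authentication failed: "
    r"User Name:\s*(?P<user>\S+)\s+"
    r"User ID:\s*(?P<sid>\S+)\s+"
    r"Service Name:\s*(?P<service>\S+)\s+"
    r"Pre-Authentication Type:\s*(?P<preauth>0x[0-9A-Fa-f]+)\s+"
    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+)\s+"
    r"Client\s+Address:\s*(?P<client>\d{1,3}(?:\.\d{1,3}){3})"
)

# KDC error codes seen in event 675 (RFC 4120 section 7.5.9) and what an
# analyst reads from them. 0x19 is a client retrying with pre-auth, not an attack.
KDC_ERRORS = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "user name does not exist"),
    0x0C: ("KDC_ERR_POLICY", "logon refused by policy (workstation or logon-hours restriction)"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "account disabled, expired or locked out"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "password expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "bad password"),
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "pre-authentication required (benign retry)"),
    0x25: ("KRB_AP_ERR_SKEW", "clock skew too great"),
}
BRUTE_FORCE_CODES = {0x06, 0x18}  # user enumeration and password guessing


def parse_event_675(line):
    """Return the fields a rule would put into the IDMEF alert, or None when
    the line is not a domain pre-authentication failure."""
    m = EVENT_675_RE.search(line)  # search(): tolerate a syslog prefix before the event
    if m is None:
        return None
    code = int(m.group("code"), 16)
    name, meaning = KDC_ERRORS.get(code, ("UNKNOWN", "unknown failure code %#x" % code))
    return {
        "classification": "Kerberos pre-authentication failed: " + meaning,
        "source_address": m.group("client"),
        "target_user": m.group("user"),
        "target_sid": m.group("sid"),
        "service": m.group("service"),
        "failure_code": code,
        "failure_name": name,
        "brute_force_indicator": code in BRUTE_FORCE_CODES,
    }


def parse_events(lines):
    """Apply the rule to a batch of lines; non-matching lines are dropped."""
    return [rec for rec in map(parse_event_675, lines) if rec is not None]


# Constructed sample lines (SIDs and addresses are made up); the first one
# mirrors the line quoted in #215, the last is a host-based 529 the old
# ruleset already handles and this rule must not claim.
SAMPLE_LINES = [
    r"Apr  3 17:40:01 dc1 security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: "
    r"User Name:mike User ID: %{S-1-5-21-1004336348-1177238915-682003330-1120} "
    r"Service Name:krbtgt/HQ Pre-Authentication Type:0x2 Failure Code:0x18 Client Address:10.120.120.152",
    r"security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: "
    r"User Name:svc-backup User ID: %{S-1-5-21-1004336348-1177238915-682003330-1201} "
    r"Service Name:krbtgt/HQ Pre-Authentication Type:0x0 Failure Code:0x19 Client Address:10.120.120.40",
    r"security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: "
    r"User Name:jdoe User ID: %{S-1-5-21-1004336348-1177238915-682003330-1333} "
    r"Service Name:krbtgt/HQ Pre-Authentication Type:0x2 Failure Code:0x12 Client Address:10.120.120.77",
    r"security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Reason: Unknown user name or bad password "
    r"User Name: mike Domain: WS01 Logon Type: 2",
]

if __name__ == "__main__":
    for rec in parse_events(SAMPLE_LINES):
        print(rec)
```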
<p>Some LML rulesets are missing a "url" field for the Classification Reference. IDMEF specifies that the "url" member of a Reference has to be specified.</p>
Examples of such rulesets are:
<ul>
<li>cisco-vpn.rules</li>
<li>cisco-css.rules</li>
</ul>

Prelude-LML - Bug #213 (New): LML rulesets should be updated to use IDMEF Action
http://www.prelude-siem.org/issues/213 (2007-04-03T17:31:44Z, Yoann VANDOORSELAERE)
<p>Current rulesets (except modsecurity) do not make use of the IDMEF Action class.</p>
<pre>
4.2.6.2. The Action Class
The Action class is used to describe any actions taken by the
analyzer in response to the event.
category
The type of action taken. The permitted values are shown below.
The default value is "other". (See also Section 10.)
+------+-------------------+----------------------------------------+
| Rank | Keyword | Description |
+------+-------------------+----------------------------------------+
| 0 | block-installed | A block of some sort was installed to |
| | | prevent an attack from reaching its |
| | | destination. The block could be a |
| | | port block, address block, etc., or |
| | | disabling a user account. |
| | | |
| 1 | notification-sent | A notification message of some sort |
| | | was sent out-of-band (via pager, |
| | | e-mail, etc.). Does not include the |
| | | transmission of this alert. |
| | | |
| 2 | taken-offline | A system, computer, or user was taken |
| | | offline, as when the computer is shut |
| | | down or a user is logged off. |
| | | |
| 3 | other | Anything not in one of the above |
| | | categories. |
+------+-------------------+----------------------------------------+
The element itself may be empty, or may contain a textual
description of the action, if the analyzer is able to provide
additional details.
</pre>