UNITY 360: Issues
http://www.prelude-siem.org/
2022-06-16T08:36:22Z
PRELUDE SIEM - Bug #1253 (New): Support on K8s Prelude Siem version (http://www.prelude-siem.org/issues/1253, 2022-06-16T08:36:22Z, Quentin Maraval)
<p>Hello,<br />I am currently working on the "chartization" of Prelude in order to get it running inside a Kubernetes cluster.<br />I used this repository <a class="external" href="https://github.com/fpoirotte/docker-prelude-siem">https://github.com/fpoirotte/docker-prelude-siem</a>, which does the same work for Docker with the OSS version of Prelude.</p>
<p>I updated the Docker image and changed the container OS from CentOS to openSUSE Leap.<br />I have the project running (not tested the correlator yet); however, it is still on the OSS version and I would like to get it running in the SIEM version.</p>
<p>So to achieve this I will need some support from you on this task.</p>
<p>I have a couple of questions:<br />- Where can I download the packages for the SIEM version for openSUSE?<br />- How can we proceed for key generation/licence, knowing that the helm chart deployment can occur many times as we are on cloud (delete/reinstall for testing purposes, etc.)?</p>
<p>Thanks,<br />Quentin</p>

PRELUDE SIEM - Bug #1211 (New): prelude-admin does not work on Debian after fresh install (http://www.prelude-siem.org/issues/1211, 2020-06-23T15:32:18Z, Sebastian K)
<p>I am trying to use prelude-admin on a Ubuntu-like system. In particular, I want to register to a server. Unfortunately, this is not possible.</p>
<p>When installing prelude 5.1.0 via sources, it does build successfully, but I get a single failed test during 'make check':</p>
<pre><code>...
PASS: test-localename
../../test-driver: line 95: 6213 Aborted "$@" > $log_file 2>&1
FAIL: test-rwlock1
PASS: test-lock
...
</code></pre>
<p>The command 'prelude-admin' does show the help menu, but adding any argument or command, e.g. 'prelude-admin register' results in a SegFault (similar to another issue: <a class="external" href="https://www.prelude-siem.org/issues/1092">https://www.prelude-siem.org/issues/1092</a>). The log file states "Unexpected outcome 3".</p>
<p>Then I tried installing the binaries (v4.1.0) after removing everything with 'make uninstall' and rebooting the system. Following the docs, I installed it via</p>
<pre><code>apt install prelude-utils
</code></pre>
<p>Now, I can execute the registration command like this without a SegFault:</p>
<pre><code>prelude-admin register my_sensor_name "idmef:w" <x.x.x.x> --uid 0 --gid 0
</code></pre>
<p>This throws an error stating that</p>
<pre><code>error creating directory /var/spool/prelude/my_sensor_name: No such file or directory.
</code></pre>
<p>I am root on this system, so it shouldn't be a kind of access issue. Also, the server works just fine.</p>
<p>Can somebody tell me, where these errors come from and how I can fix them?</p>
<p>Thanks in advance,<br />Sebastian</p>

PRELUDE SIEM - Bug #1134 (Assigned): prewikka install on raspbian (http://www.prelude-siem.org/issues/1134, 2019-08-01T09:21:33Z, Marc-Antoine delannoy)
<p>Hello,<br />I'm trying to set up the latest version of Prelude OSS on Raspbian. With some effort I installed almost everything.<br />However, I have a problem with prewikka, whose installation doesn't work. I have installed all the dependencies.<br />But I'm getting some errors when I run this command -> python setup.py install</p>
<pre><code>root@raspberrypi:/home/prelude/prewikka-5.0.2# python setup.py install
running install
running build
running compile_catalog
error: prewikka/locale/de/LC_MESSAGES/prewikka.po:1560: placeholders are incompatible
compiling catalog prewikka/locale/de/LC_MESSAGES/prewikka.po to prewikka/locale/de/LC_MESSAGES/prewikka.mo
error: prewikka/locale/ru/LC_MESSAGES/prewikka.po:47: unknown named placeholder u'value'
error: prewikka/locale/ru/LC_MESSAGES/prewikka.po:162: unknown named placeholder u'version'
error: prewikka/locale/ru/LC_MESSAGES/prewikka.po:1593: placeholders are incompatible
compiling catalog prewikka/locale/ru/LC_MESSAGES/prewikka.po to prewikka/locale/ru/LC_MESSAGES/prewikka.mo
error: prewikka/locale/pl/LC_MESSAGES/prewikka.po:1587: placeholders are incompatible
error: prewikka/locale/pl/LC_MESSAGES/prewikka.po:1870: placeholders are incompatible
compiling catalog prewikka/locale/pl/LC_MESSAGES/prewikka.po to prewikka/locale/pl/LC_MESSAGES/prewikka.mo
error: prewikka/locale/es/LC_MESSAGES/prewikka.po:1554: placeholders are incompatible
error: prewikka/locale/es/LC_MESSAGES/prewikka.po:2126: placeholders are incompatible
error: prewikka/locale/es/LC_MESSAGES/prewikka.po:2226: placeholders are incompatible
error: prewikka/locale/es/LC_MESSAGES/prewikka.po:2231: placeholders are incompatible
compiling catalog prewikka/locale/es/LC_MESSAGES/prewikka.po to prewikka/locale/es/LC_MESSAGES/prewikka.mo
error: prewikka/locale/pt_BR/LC_MESSAGES/prewikka.po:1546: placeholders are incompatible
error: prewikka/locale/pt_BR/LC_MESSAGES/prewikka.po:2119: placeholders are incompatible
compiling catalog prewikka/locale/pt_BR/LC_MESSAGES/prewikka.po to prewikka/locale/pt_BR/LC_MESSAGES/prewikka.mo
compiling catalog prewikka/locale/fr/LC_MESSAGES/prewikka.po to prewikka/locale/fr/LC_MESSAGES/prewikka.mo
error: prewikka/locale/it/LC_MESSAGES/prewikka.po:43: unknown named placeholder u'value'
error: prewikka/locale/it/LC_MESSAGES/prewikka.po:1550: placeholders are incompatible
compiling catalog prewikka/locale/it/LC_MESSAGES/prewikka.po to prewikka/locale/it/LC_MESSAGES/prewikka.mo
compiling catalog prewikka/locale/en/LC_MESSAGES/prewikka.po to prewikka/locale/en/LC_MESSAGES/prewikka.mo
running build_custom
compiling ['themes/dark.less', 'prewikka/htdocs/css/style.less'] -> prewikka/htdocs/css/themes/dark.css
error: [Errno 2] No such file or directory
</code></pre>
<p>There is a problem with languages. The second problem, I guess, is prewikka/htdocs/css/themes/dark.css, which is not found.<br />Package installation does not seem possible in version 5 for a Debian-based distribution (4 is the last version I found).</p>
<p>Do you have any idea how to solve this?<br />Regards</p>

PRELUDE SIEM - Bug #1093 (Assigned): prelude-admin Segmentation Fault raspbian (http://www.prelude-siem.org/issues/1093, 2019-05-06T12:16:55Z, Marc-Antoine delannoy)
<p>Hello,<br />I am trying to run libprelude on a Raspberry Pi to use Suricata with the Prelude alert format.<br />I downloaded libprelude-5.0.0.tar.gz and decompressed the archive.<br />Then:</p>
<pre><code>./configure
make
make install
LD_LIBRARY_PATH=/usr/local/lib
export LD_LIBRARY_PATH
</code></pre>
<p>When I try to use prelude-admin without arguments it works and displays the help message.<br />But if, for example, I try prelude-admin list, it returns a segmentation fault.<br />Same for any argument.</p>
<p>And if I run make check<br />I have 4 errors.<br />The end of the output is:</p>
<pre>
make check-TESTS check-local
make[3]: Entering directory '/home/suricata/libprelude-5.0.0/tests'
make[4]: Entering directory '/home/suricata/libprelude-5.0.0/tests'
../test-driver: line 95: 26741 Segmentation fault "$@" > $log_file 2>&1
FAIL: async-timer
PASS: idmef
../test-driver: line 95: 26789 Aborted "$@" > $log_file 2>&1
FAIL: idmef-criteria
PASS: idmef-message-helper
PASS: idmef-path
PASS: idmef-value
../test-driver: line 95: 26885 Segmentation fault "$@" > $log_file 2>&1
FAIL: prelude-client
PASS: prelude-string
../test-driver: line 95: 26933 Segmentation fault "$@" > $log_file 2>&1
FAIL: prelude-timer
make[5]: Entering directory '/home/suricata/libprelude-5.0.0/tests'
make[5]: Nothing to be done for 'all'.
make[5]: Leaving directory '/home/suricata/libprelude-5.0.0/tests'
============================================================================
Testsuite summary for libprelude 5.0.0
============================================================================
# TOTAL: 9
# PASS: 5
# SKIP: 0
# XFAIL: 0
# FAIL: 4
# XPASS: 0
# ERROR: 0
============================================================================
See tests/test-suite.log
============================================================================
Makefile:1881: recipe for target 'test-suite.log' failed
make[4]: *** [test-suite.log] Error 1
make[4]: Leaving directory '/home/suricata/libprelude-5.0.0/tests'
Makefile:1987: recipe for target 'check-TESTS' failed
make[3]: *** [check-TESTS] Error 2
make[3]: Leaving directory '/home/suricata/libprelude-5.0.0/tests'
Makefile:2117: recipe for target 'check-am' failed
make[2]: *** [check-am] Error 2
make[2]: Leaving directory '/home/suricata/libprelude-5.0.0/tests'
Makefile:1669: recipe for target 'check-recursive' failed
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory '/home/suricata/libprelude-5.0.0'
Makefile:1954: recipe for target 'check' failed
make: *** [check] Error 2
</pre>
<p>Do you have any idea how to solve this?</p>
<p>Regards</p>

PRELUDE SIEM - Bug #1092 (New): prelude-admin Segmentation Fault raspbian (http://www.prelude-siem.org/issues/1092, 2019-05-06T08:59:05Z, Marc-Antoine delannoy)
<p>Hello,<br />I am trying to run libprelude on a Raspberry Pi to use Suricata with the Prelude alert format.<br />I downloaded libprelude-5.0.0.tar.gz and decompressed the archive.<br />Then:</p>
<pre><code>./configure
make
make install
LD_LIBRARY_PATH=/usr/local/lib
export LD_LIBRARY_PATH
</code></pre>
<p>When I try to use prelude-admin without arguments it works and displays the help message.<br />But if, for example, I try <code>prelude-admin list</code>, it returns a segmentation fault.<br />Same for any argument.</p>
<p>Regards</p>

PRELUDE SIEM - Bug #1082 (Assigned): Problem to register my IDS (Suricata) on Prelude OSS (http://www.prelude-siem.org/issues/1082, 2019-04-12T08:13:59Z, Marc-Antoine delannoy)
<p>Hi,<br />I have a problem registering my IDS (Suricata) on Prelude OSS. My IDS is on the same network but in a different CentOS VM. The Prelude address is 192.168.0.2 and the IDS address is 192.168.0.3.<br />I already installed from source: prelude-manager, prelude-lml (not used), prelude-admin and libpreludedb. I configured /usr/local/etc/prelude/default/client.conf<br />to change server-addr=127.0.0.1 to server-addr=192.168.0.2.<br />Same for prelude-manager.conf with listen = 192.168.0.2:5553.<br />I verified the connection between my IDS and my Prelude with a ping.<br />Then I enter the command line on the Prelude machine:<br /><code>prelude-admin registration-server prelude-manager</code><br />and on the IDS:</p>
<p><code>prelude-admin register suricata "idmef:w admin:r" 192.168.0.2 --uid 1000 --gid 1500</code></p>
<p>I copy the one-shot password but get this error message on my IDS:<br />Connecting to registration server (192.168.0.2 :5553)<br />Could not connect to 192.168.0.2 port 5553 : No route to host<br />So I scanned my ports and number 5553 remains closed throughout the whole process.<br />I may have missed a command line or configuration, so I reread the whole doc but I didn't find anything about it.</p>
<p>Do you have any suggestions?</p>
<p>Thanks.</p>

Prelude-LML - Bug #915 (New): Text spelling issue (http://www.prelude-siem.org/issues/915, 2017-10-16T21:51:10Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
Two issues:
<ul>
<li>supressed => suppressed</li>
<li>authentification => authentication</li>
</ul>

Prelude Correlator rules - Task #907 (New): CVE-2017-9798 - OptionsBleed - Correlation (http://www.prelude-siem.org/issues/907, 2017-09-21T16:38:48Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
<p>Options Bleed is a simple OPTIONS request; there are no specific patterns. But, to gather enough leaked pieces of information to make a full one, the attacker needs to request OPTIONS many times.</p>

LibpreludeDB - Bug #898 (New): Add pkg-config file (http://www.prelude-siem.org/issues/898, 2017-08-18T20:44:49Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
<p>As with libprelude, please add a pkg-config file.</p>

Libprelude - Bug #893 (New): libprelude-errors failed compile on hurd-i386 (http://www.prelude-siem.org/issues/893, 2017-06-24T14:23:44Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
<pre>
make[6]: Entering directory '/<<PKGBUILDDIR>>/src/libprelude-error'
LANG="" gawk -f ./mkstrtable.awk -v textidx=3 \
./err-sources.h.in >err-sources.h
LANG="" gawk -f ./mkstrtable.awk -v textidx=3 \
./err-codes.h.in >err-codes.h
LANG="" gawk -f ./mkerrcodes1.awk ./errnos.in >_mkerrcodes.h
gcc -E -P _mkerrcodes.h | grep PRELUDE_ERROR_ | LANG="" gawk -f ./mkerrcodes.awk >mkerrcodes.h
rm _mkerrcodes.h
gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -I. -I. -o mkerrcodes ./mkerrcodes.c
In file included from ./mkerrcodes.c:26:0:
./mkerrcodes.h:3:3: error: expected identifier or '(' before numeric constant
((0x10 << 26) | ((7) & 0x3fff)) PRELUDE_ERROR_E2BIG
^~~~
./mkerrcodes.h:3:15: error: expected ')' before '|' token
((0x10 << 26) | ((7) & 0x3fff)) PRELUDE_ERROR_E2BIG
^
./mkerrcodes.c: In function 'main':
./mkerrcodes.c:59:31: error: 'err_table' undeclared (first use in this function)
for (i = 0; i < sizeof (err_table) / sizeof (err_table[0]) - 1; i++)
^~~~~~~~~
./mkerrcodes.c:59:31: note: each undeclared identifier is reported only once for each function it appears in
Makefile:1790: recipe for target 'mkerrcodes' failed
</pre>

Libprelude - Bug #887 (New): Timer tests on slow system (http://www.prelude-siem.org/issues/887, 2017-05-14T14:22:27Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
<p>On slow systems, sometimes, the timer tests (tests/prelude-timer.c) don't work.</p>
<p>Adding "1" to max_expire in the for loop solves this:</p>
<pre>
- for ( i = 0; i <= max_expire && timer_alive; i++ ) {
+ for ( i = 0; i <= max_expire + 1 && timer_alive; i++ ) {
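Review bot: the `+ 1` on `max_expire` only widens the timing window by one extra iteration, so the same test can still fail on a system that is slower again; since the loop already stops on `timer_alive`, consider a named slack constant (or a bound derived from the timer interval) with a comment saying why the extra iteration is needed, otherwise `<= max_expire + 1` reads like an off-by-one to the next reader.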
</pre>

Libprelude - Bug #886 (New): Sometimes, test-lock from libmissing won't work (http://www.prelude-siem.org/issues/886, 2017-05-14T14:19:50Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
<p>Same issues in coreutils and other packages: <a class="external" href="http://pkgs.fedoraproject.org/cgit/rpms/coreutils.git/commit/?id=8d346246">http://pkgs.fedoraproject.org/cgit/rpms/coreutils.git/commit/?id=8d346246</a></p>
<p>Hope that gnulib will update this test.</p>

Libprelude - Bug #885 (New): Segfault with atfork on arm64, armhf and ppc64el (http://www.prelude-siem.org/issues/885, 2017-05-14T14:16:45Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
<p>See <a class="external" href="https://bugs.launchpad.net/ubuntu/+source/libprelude/+bug/1262430">https://bugs.launchpad.net/ubuntu/+source/libprelude/+bug/1262430</a></p>

Libprelude - Bug #879 (New): M4 for Ruby on Debian 9 not working (http://www.prelude-siem.org/issues/879, 2017-03-27T22:48:17Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
<p>The current M4 (3.1, m4/am_path_ruby) can't detect Ruby on Debian 9.</p>
<p>Here is an example patch:</p>
<pre>
--- libprelude-3.1.0/m4/am_path_ruby.m4 2017-02-28 18:00:21.227299410 -0500
+++ libprelude-3.1.0/m4/am_path_ruby.m4 2017-02-28 18:01:06.702306372 -0500
@@ -95,7 +95,7 @@
dnl (shared libraries)
AC_CACHE_CHECK([for $am_display_RUBY extension module directory],
[am_cv_ruby_rbexecdir],
- [am_cv_ruby_rbexecdir=`$RUBY -rrbconfig -e "drive = File::PATH_SEPARATOR == ';' ? /\A\w:/ : /\A/; prefix = Regexp.new('\\A' + Regexp.quote(RbConfig::CONFIG[['prefix']])); \\$prefix = RbConfig::CONFIG[['prefix']].sub(drive, ''); \\$sitearchdir = RbConfig::CONFIG[['sitearchdir']].sub(prefix, '\\$(prefix)').sub(drive, ''); print \\$sitearchdir;" 2>/dev/null || echo "${RUBY_EXEC_PREFIX}/local/lib/site_ruby/${RUBY_VERSION}/${RUBY_PLATFORM}"`])
+ [am_cv_ruby_rbexecdir=`$RUBY -r rbconfig -e "print RbConfig::CONFIG[['vendorarchdir']]"`])
AC_SUBST([rbexecdir], [$am_cv_ruby_rbexecdir])
dnl if PKG-CONFIG is available, we use it. Else, we try to dectect RUBY_INCLUDES manually
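Review bot: the replacement `am_cv_ruby_rbexecdir` line drops the `2>/dev/null || echo "${RUBY_EXEC_PREFIX}/..."` fallback of the line it removes, so if `$RUBY` is missing or `rbconfig` fails, the cache variable is silently set to an empty string and `AC_SUBST([rbexecdir], ...)` exports an empty install path; keep a fallback or make configure fail on an empty result. It also takes `vendorarchdir` verbatim where the old expression rewrote the Ruby prefix to `$(prefix)`, so `--prefix` no longer relocates the extension directory and the patch switches from `sitearchdir` to `vendorarchdir`; if the vendor directory is the intended location for a distribution package, say so in the description.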
</pre>

Prelude Manager - Bug #878 (New): prelude-manager and Systemd (http://www.prelude-siem.org/issues/878, 2017-02-27T22:38:08Z, Thomas ANDREJAK (thomas.andrejak@csgroup.eu))
<p>The prelude-manager run dir is /var/run/prelude-manager.</p>
<p>With systemd, /var/run moves to /run.</p>