UNITY 360: Issues (http://www.prelude-siem.org/, feed updated 2020-06-23T15:32:18Z)

Redmine PRELUDE SIEM - Bug #1211 (New): prelude-admin does not work on Debian after fresh install
http://www.prelude-siem.org/issues/1211 - 2020-06-23T15:32:18Z - Sebastian K
<p>I am trying to use prelude-admin on a Ubuntu-like system. In particular, I want to register to a server. Unfortunately, this is not possible.</p>
<p>When installing prelude 5.1.0 via sources, it does build successfully, but I get a single failed test during 'make check':</p>
<pre>
...
PASS: test-localename
../../test-driver: line 95: 6213 Aborted "$@" > $log_file 2>&1
FAIL: test-rwlock1
PASS: test-lock
...
</pre>
<p>The command 'prelude-admin' does show the help menu, but adding any argument or command, e.g. 'prelude-admin register', results in a segfault (similar to another issue: <a class="external" href="https://www.prelude-siem.org/issues/1092">https://www.prelude-siem.org/issues/1092</a>). The log file states "Unexpected outcome 3".</p>
<p>Then I tried installing the binaries (v4.1.0) after removing everything with 'make uninstall' and rebooting the system. Following the docs, I installed it via</p>
<pre>
apt install prelude-utils
</pre>
<p>Now, I can execute the registration command like this without a segfault:</p>
<pre>
prelude-admin register my_sensor_name "idmef:w" <x.x.x.x> --uid 0 --gid 0
</pre>
<p>This throws an error stating that</p>
<pre>
error creating directory /var/spool/prelude/my_sensor_name: No such file or directory.
</pre>
<p>I am root on this system, so it shouldn't be an access issue. Also, the server works just fine.</p>
<p>Can somebody tell me where these errors come from and how I can fix them?</p>
<p>Thanks in advance,<br />Sebastian</p>

PRELUDE SIEM - Bug #1092 (New): prelude-admin Segmentation Fault raspbian
http://www.prelude-siem.org/issues/1092 - 2019-05-06T08:59:05Z - Marc-Antoine delannoy
<p>Hello,<br />I am trying to run libprelude on a Raspberry Pi to use Suricata with the Prelude alert format.<br />I downloaded libprelude-5.0.0.tar.gz and decompressed the archive, then:</p>
<pre>
./configure
make
make install
LD_LIBRARY_PATH=/usr/local/lib
export LD_LIBRARY_PATH
</pre>
<p>And when I try to use prelude-admin without arguments, it works and displays the help message.<br />But if, for example, I try <code>prelude-admin list</code>, it returns a segmentation fault.<br />Same for any argument.</p>
<p>Regards</p>

Libprelude - Bug #887 (New): Timer tests on slow system
http://www.prelude-siem.org/issues/887 - 2017-05-14T14:22:27Z - Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>On slow systems, the timer tests (tests/prelude-timer.c) sometimes won't work.</p>
<p>Adding "1" to max_expire in the for loop solves this:</p>
<pre>
- for ( i = 0; i <= max_expire && timer_alive; i++ ) {
+ for ( i = 0; i <= max_expire + 1 && timer_alive; i++ ) {
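Review bot: the bare `+ 1` in `for ( i = 0; i <= max_expire + 1 && timer_alive; i++ )` is unexplained slack: nothing in the hunk says why exactly one extra iteration is enough, and a slower machine than the one this was measured on will make the test flake again in the same way. Suggest a comment stating the intent (extra poll so a late timer expiry on a slow system is still observed) and a named tolerance such as `max_expire + TIMER_TEST_SLACK` instead of the literal, so the value can be tuned in one place.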
</pre>

Libprelude - Bug #886 (New): Sometimes, test-lock from libmissing won't work
http://www.prelude-siem.org/issues/886 - 2017-05-14T14:19:50Z - Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>Same issue in coreutils and other packages: <a class="external" href="http://pkgs.fedoraproject.org/cgit/rpms/coreutils.git/commit/?id=8d346246">http://pkgs.fedoraproject.org/cgit/rpms/coreutils.git/commit/?id=8d346246</a></p>
<p>Hope that gnulib will update this test.</p>

Libprelude - Bug #885 (New): Segfault with atfork on arm64, armhf and ppc64el
http://www.prelude-siem.org/issues/885 - 2017-05-14T14:16:45Z - Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>See <a class="external" href="https://bugs.launchpad.net/ubuntu/+source/libprelude/+bug/1262430">https://bugs.launchpad.net/ubuntu/+source/libprelude/+bug/1262430</a></p>

Prelude Manager - Bug #878 (New): prelude-manager and Systemd
http://www.prelude-siem.org/issues/878 - 2017-02-27T22:38:08Z - Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>The prelude-manager run dir is /var/run/prelude-manager.</p>
<p>With systemd, /var/run moves to /run.</p>

Prelude-LML - Bug #872 (New): Prelude-LML check not working
http://www.prelude-siem.org/issues/872 - 2017-01-28T18:26:52Z - Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>Since we moved the rules to another subproject (prelude-lml-rules), make check is not working. Error in the "tests" folder.</p>

PRELUDE SIEM - Bug #863 (New): FSF address in libprelude-error
http://www.prelude-siem.org/issues/863 - 2016-11-30T23:14:57Z - Thomas ANDREJAK (thomas.andrejak@csgroup.eu)
<p>Please update the FSF address in libprelude-error.</p>

PRELUDE SIEM - Bug #349 (New): SANCP - problem on install
http://www.prelude-siem.org/issues/349 - 2009-05-18T09:27:51Z - julien aussibal (julien.aussibal@univ-pau.fr)
<p>Hello everybody,</p>
<p>I'm trying to install sancp on my computer for looking at my network.</p>
<p>First, the link to the tar.gz on this page (<a class="external" href="https://dev.prelude-ids.com/wiki/prelude/InstallingAgentThirdpartySancp">https://dev.prelude-ids.com/wiki/prelude/InstallingAgentThirdpartySancp</a>) is dead.</p>
<p>Secondly, I found a different version on this page: <a class="external" href="http://metre.net/files/">http://metre.net/files/</a><br />but the latest version doesn't compile with the prelude option.</p>
<p>Does anybody have a stable version of sancp working with prelude? Could you indicate how to configure it to log alerts in prelude-manager?</p>
<p>Thanks</p>

PRELUDE SIEM - Bug #343 (New): OSSEC-HIDS 1.6.1 always sets assessment.impact.completion = succeeded
http://www.prelude-siem.org/issues/343 - 2009-01-25T20:06:12Z
<p>Example: the IDMEF alerts for both of these logs</p>
<pre>
WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: SERVER: user@DOMAIN DOMAIN PC$ %{SOMERANDOMUIDHERE} 0x40810010 0x17 10.10.10.10 - {SOMEOTHERUID} -
WinEvtLog: Security: AUDIT_FAILURE(673): Security: SYSTEM: NT AUTHORITY: SERVER: - 0x2 - 10.10.10.10 0x20 - -
</pre>
<p>have assessment.impact.completion = succeeded</p>
<p>See also: <a class="external" href="http://marc.info/?t=123274084100006&r=1&w=2">http://marc.info/?t=123274084100006&r=1&w=2</a></p>

LibpreludeDB - Bug #337 (New): Fake result number of deleted records in preludedb-admin
http://www.prelude-siem.org/issues/337 - 2008-12-08T17:16:54Z
<p>The output of preludedb-admin was:</p>
<pre>
delete event failed: Lost connection to MySQL server during query.
Error at transaction 448000. Use --offset 874000 to resume operation.
2152124949 'delete' events processed in 2783.401760 seconds (0.000001 seconds/events - 773199.535880 delete/sec average).
2152124949 events processed in 2783.401760 seconds (0.000001 seconds/events - 773199.535880 events/sec average).
</pre>
<p>2152124949 is fake, as '--offset 874000' says where it stopped.</p>

Prelude-LML - Feature #315 (New): Using Named variables in PCRE ruleset
http://www.prelude-siem.org/issues/315 - 2008-09-13T20:42:09Z
<p>Named variables in PCRE:</p>
<p>This would make for quicker and simpler rules to be created in prelude-lml.</p>
<p>Example from ntsyslog.rules:</p>
<pre>
regex=security\[success\] 528 (.*) Successful Logon: User Name:(?<username>[\w ]+) Domain:(?<domain>.+) Logon ID:\((?<lid>.*)\) Logon Type:(?<ltype>\d+) Logon Process:(?<lprocess>\w+) .* Workstation Name:(?<wks>\S+); \
classification.text=Login; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=Windows Event ID; \
classification.reference(0).name=528; \
classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \
id=1401; \
revision=3; \
analyzer(0).name=NTsyslog; \
analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
analyzer(0).class=Logging; \
assessment.impact.severity=low; \
assessment.impact.completion=succeeded; \
assessment.impact.type=user; \
assessment.impact.description=$username successfully logged on on $wks ($domain domain) via $ltype; \
source(0).process.name=$lprocess; \
source(0).node.address(0).category=unknown; \
source(0).node.address(0).address=$wks; \
source(0).node.name=$wks; \
source(0).user.category=os-device; \
source(0).user.user_id(0).type=current-user; \
source(0).user.user_id(0).name=$username; \
target(0).user.user_id(0).type=current-user; \
target(0).user.user_id(0).name=$username; \
additional_data(0).type=integer; \
additional_data(0).meaning=Logon type; \
additional_data(0).data=$ltype; \
additional_data(1).type=string; \
additional_data(1).meaning=Authentication domain; \
additional_data(1).data=$domain; \
last
</pre>

Prewikka - Feature #240 (New): [PATCH] - SSL Client Certificate Authentication module
http://www.prelude-siem.org/issues/240 - 2007-06-18T16:58:01Z
<p>Hi</p>
<p>Here is a patch to use an SSL client certificate to authenticate users. The username should be equal to the user certificate CN (the full DN is too long to be used; the login field is limited to 32 characters).</p>
<p>Limitations:</p>
<ul>
<li>Currently only tested in an SSL mod_python setup</li>
<li>Needs SSLOptions +StdEnvVars</li>
<li>Used with Python 2.3</li>
</ul>
<p>In prewikka.conf</p>
<pre>
[auth ssl]
</pre>
<p>And this file in a new directory <em>prewikka/modules/auth/ssl/</em>:</p>
<pre>
# Copyright (C) 2006 PreludeIDS Technologies. All Rights Reserved.
# Author: Francois Harvey <fharvey+prelude at securiweb dot net>
#
# This file is part of the Prewikka program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
import os
from prewikka import Auth, User, Database

# Use the SSL_CLIENT_S_DN_CN from an SSL X.509 certificate to map the user.
# mod_ssl only exports that variable with SSLOptions +StdEnvVars, and the CN
# is only trustworthy if Apache has verified the client certificate chain
# (SSLVerifyClient) before the request reaches this module.
class SSLAuth(Auth.Auth):
    def getUser(self, request):
        env = request._req.subprocess_env
        # .get() instead of [] so a non-SSL request raises the intended
        # AuthError rather than an unhandled KeyError.
        if not env.get('HTTPS'):
            raise Auth.AuthError(message=_("SSL Authentication failed: Not in a SSL session."))
        user = env.get('SSL_CLIENT_S_DN_CN')
        if not user:
            raise Auth.AuthError(message=_("SSL Authentication failed: no user specified (hint: look at the certificate CN)."))
        return User.User(self.db, user, self.db.getLanguage(user), User.ALL_PERMISSIONS, self.db.getConfiguration(user))

def load(env, config):
    return SSLAuth(env)
</pre>

Prelude-LML - Feature #238 (New): manpage
http://www.prelude-siem.org/issues/238 - 2007-06-09T00:32:30Z
<p>Here is a manpage for prelude-lml, mostly taken from the --help command-line output and the wiki. Please review for integration.</p>

Prelude-LML - Bug #215 (New): ntsyslog.rules does not detect domain login events
http://www.prelude-siem.org/issues/215 - 2007-04-03T17:44:11Z
<p>The ruleset appears to detect only host-based login attempts rather than login attempts against a domain.</p>
<p>Event ID 675 (bad password):</p>
<pre>
security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name:mike User ID: %{x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx} Service Name:krbtgt/HQ Pre-Authentication Type:0x2 Failure Code:0x18 Client Address:10.120.120.152
</pre>
<p>more info: <a class="external" href="http://www.ultimatewindowssecurity.com/events/com298.html">http://www.ultimatewindowssecurity.com/events/com298.html</a></p>