UNITY 360: Issues (http://www.prelude-siem.org/, updated 2022-06-16T08:36:22Z)
PRELUDE SIEM - Bug #1253 (New): Support on K8s Prelude Siem version (http://www.prelude-siem.org/issues/1253, 2022-06-16T08:36:22Z, Quentin Maraval)
<p>Hello,<br />I am currently working on the "chartization" of Prelude in order to get it running inside a Kubernetes cluster.<br />I used this repository <a class="external" href="https://github.com/fpoirotte/docker-prelude-siem">https://github.com/fpoirotte/docker-prelude-siem</a>, which does the same work for Docker with the OSS version of Prelude.</p>
<p>I updated the Docker image and changed the container OS from CentOS to openSUSE Leap.<br />I have the project running (I have not tested the correlator yet); however, it is still the OSS version and I would like to get it running with the SIEM version.</p>
<p>So to achieve this I will need some support from you on this task.</p>
<p>I have a couple of questions:<br />- Where can I download the packages for the SIEM version for openSUSE?<br />- How can we proceed for key generation/licensing, knowing that the Helm chart deployment can occur many times as we are in the cloud (delete/reinstall for testing purposes, etc.)?</p>
<p>Thanks,<br />Quentin</p>

PRELUDE SIEM - Bug #1211 (New): prelude-admin does not work on Debian after fresh install (http://www.prelude-siem.org/issues/1211, 2020-06-23T15:32:18Z, Sebastian K)
<p>I am trying to use prelude-admin on an Ubuntu-like system. In particular, I want to register with a server. Unfortunately, this is not possible.</p>
<p>When installing Prelude 5.1.0 from source, it builds successfully, but I get a single failed test during 'make check':</p>
<pre><code class="text syntaxhl"><span class="CodeRay">...
PASS: test-localename
../../test-driver: line 95: 6213 Aborted "$@" > $log_file 2>&1
FAIL: test-rwlock1
PASS: test-lock
...
</span></code></pre>
<p>The command 'prelude-admin' does show the help menu, but adding any argument or command, e.g. 'prelude-admin register', results in a SegFault (similar to another issue: <a class="external" href="https://www.prelude-siem.org/issues/1092">https://www.prelude-siem.org/issues/1092</a>). The log file states "Unexpected outcome 3".</p>
<p>Then I tried installing the binaries (v4.1.0) after removing everything with 'make uninstall' and rebooting the system. Following the docs, I installed it via <br /><pre><code class="text syntaxhl"><span class="CodeRay">apt install prelude-utils
</span></code></pre><br /> Now, I can execute the registration command like this without a SegFault:<br /><pre><code class="text syntaxhl"><span class="CodeRay">prelude-admin register my_sensor_name "idmef:w" <x.x.x.x> --uid 0 --gid 0
</span></code></pre><br />This throws an error stating that<br /><pre><code class="text syntaxhl"><span class="CodeRay">error creating directory /var/spool/prelude/my_sensor_name: No such file or directory.
</span></code></pre></p>
<p>I am root on this system, so it shouldn't be any kind of access issue. Also, the server works just fine.</p>
<p>Can somebody tell me, where these errors come from and how I can fix them?</p>
<p>Thanks in advance,<br />Sebastian</p>

PRELUDE SIEM - Bug #1092 (New): prelude-admin Segmentation Fault on Raspbian (http://www.prelude-siem.org/issues/1092, 2019-05-06T08:59:05Z, Marc-Antoine delannoy)
<p>Hello,<br />I am trying to run libprelude on a Raspberry Pi to use Suricata with the Prelude alert format.<br />I downloaded libprelude-5.0.0.tar.gz and decompressed the archive.<br />Then:<br /><code>./configure<br />make<br />make install<br />LD_LIBRARY_PATH=/usr/local/lib<br />export LD_LIBRARY_PATH</code></p>
<p>and when I try to use prelude-admin without arguments it works and displays the help message.<br />But if, for example, I try <code>prelude-admin list</code> it returns a segmentation fault.<br />Same for any argument.</p>
<p>Regards</p>

PRELUDE SIEM - Bug #1082 (Assigned): Problem registering my IDS (Suricata) on Prelude OSS (http://www.prelude-siem.org/issues/1082, 2019-04-12T08:13:59Z, Marc-Antoine delannoy)
<p>Hi,<br />I have a problem registering my IDS (Suricata) on Prelude OSS. My IDS is on the same network but in a different CentOS VM. The Prelude address is 192.168.0.2 and the IDS address is 192.168.0.3.<br />I already installed from source: prelude-manager, prelude-lml (not used), prelude-admin and libpreludedb. I configured /usr/local/etc/prelude/default/client.conf<br /> to change server-addr=127.0.0.1 to server-addr=192.168.0.2.<br />Same for prelude-manager.conf with listen = 192.168.0.2:5553.<br />I verified the connection between my IDS and my Prelude with a ping.<br />Then I enter this command line on the Prelude machine:<br /> prelude-admin registration-server prelude-manager<br />and on the IDS:</p>
<p>prelude-admin register suricata "idmef:w admin:r" 192.168.0.2 --uid 1000 --gid 1500</p>
<p>I copy the one-shot password but get this error message on my IDS:<br />Connecting to registration server (192.168.0.2:5553)<br />Could not connect to 192.168.0.2 port 5553: No route to host<br />So I scanned my ports and port 5553 remains closed throughout the whole process.<br />I may have missed a command line or configuration option, so I reread the whole doc but I didn't find anything about it.</p>
<p>Do you have any suggestions?</p>
<p>Thanks.</p>

Prelude-LML - Bug #915 (New): Text spelling issue (http://www.prelude-siem.org/issues/915, 2017-10-16T21:51:10Z, Thomas ANDREJAK, thomas.andrejak@csgroup.eu)
Two issues:
<ul>
<li>supressed => suppressed</li>
<li>authentification => authentication</li>
</ul>

Prelude Correlator rules - Task #907 (New): CVE-2017-9798 - OptionsBleed - Correlation (http://www.prelude-siem.org/issues/907, 2017-09-21T16:38:48Z, Thomas ANDREJAK, thomas.andrejak@csgroup.eu)
<p>OptionsBleed is a simple OPTIONS request; there is no specific pattern. But to gather enough leaked pieces of information to make a full one, the attacker needs to request OPTIONS many times.</p>

Prelude-LML - Bug #872 (New): Prelude-LML check not working (http://www.prelude-siem.org/issues/872, 2017-01-28T18:26:52Z, Thomas ANDREJAK, thomas.andrejak@csgroup.eu)
<p>Since we moved the rules to another subproject (prelude-lml-rules), make check is not working. Error in the "tests" folder.</p>

PRELUDE SIEM - Bug #870 (New): prelude-lml /etc permissions (http://www.prelude-siem.org/issues/870, 2017-01-26T08:38:01Z, Thomas ANDREJAK, thomas.andrejak@csgroup.eu)
<p>Why, in the /etc/prelude-lml directory, are the permissions forced to 700 and 600?</p>

PRELUDE SIEM - Bug #865 (New): make distcheck not working on 32bit (http://www.prelude-siem.org/issues/865, 2016-12-05T22:33:54Z, Thomas ANDREJAK, thomas.andrejak@csgroup.eu)
<p>make distcheck is not working on 32-bit architectures because of timegm behavior.</p>

PRELUDE SIEM - Bug #863 (New): FSF address in libprelude-error (http://www.prelude-siem.org/issues/863, 2016-11-30T23:14:57Z, Thomas ANDREJAK, thomas.andrejak@csgroup.eu)
<p>Please update the FSF address in libprelude-error.</p>

PRELUDE SIEM - Bug #349 (New): SANCP - problem on install (http://www.prelude-siem.org/issues/349, 2009-05-18T09:27:51Z, julien aussibal, julien.aussibal@univ-pau.fr)
<p>Hello everybody,</p>
<p>I'm trying to install SANCP on my computer to look at my network.</p>
<p>First, the link to the tar.gz is dead on this page (<a class="external" href="https://dev.prelude-ids.com/wiki/prelude/InstallingAgentThirdpartySancp">https://dev.prelude-ids.com/wiki/prelude/InstallingAgentThirdpartySancp</a>).</p>
<p>Secondly, I found a different version on this page: <a class="external" href="http://metre.net/files/">http://metre.net/files/</a><br />but the latest version doesn't compile with the prelude option.</p>
<p>Does anybody have a stable version of SANCP working with Prelude? Could you indicate how to configure it to log alerts to prelude-manager?</p>
<p>Thanks</p>

PRELUDE SIEM - Bug #343 (New): OSSEC-HIDS 1.6.1 always sets assessment.impact.completion = succeeded (http://www.prelude-siem.org/issues/343, 2009-01-25T20:06:12Z)
<p>Example: the IDMEF alerts for both of these logs</p>
<pre>
[[WinEvtLog]]: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: SERVER: user@DOMAIN DOMAIN PC$ %{SOMERANDOMUIDHERE} 0x40810010 0x17 10.10.10.10 - {SOMEOTHERUID} -
[[WinEvtLog]]: Security: AUDIT_FAILURE(673): Security: SYSTEM: NT AUTHORITY: SERVER: - 0x2 - 10.10.10.10 0x20 - -
</pre>
<p>have assessment.impact.completion = succeeded</p>
<p>See also: <a class="external" href="http://marc.info/?t=123274084100006&r=1&w=2">http://marc.info/?t=123274084100006&r=1&w=2</a></p>

Prelude-LML - Bug #215 (New): ntsyslog.rules does not detect domain login events (http://www.prelude-siem.org/issues/215, 2007-04-03T17:44:11Z)
<p>The ruleset appears to detect only host-based login attempts rather than login attempts against a domain.</p>
<p>event id 675: (bad password)</p>
<p>security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name:mike User ID: %{x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx} Service Name:krbtgt/HQ Pre-Authentication Type:0x2 Failure Code:0x18 Client Address:10.120.120.152</p>
<p>more info: <a class="external" href="http://www.ultimatewindowssecurity.com/events/com298.html">http://www.ultimatewindowssecurity.com/events/com298.html</a></p>

Prelude-LML - Bug #214 (New): Invalid classification reference in several LML rulesets (http://www.prelude-siem.org/issues/214, 2007-04-03T17:37:44Z, Yoann VANDOORSELAERE)
<p>Some LML rulesets are missing the "url" field of the Classification Reference. IDMEF specifies that the "url" member of a Reference has to be specified.</p>
Examples of such rulesets are:
<ul>
<li>cisco-vpn.rules</li>
<li>cisco-css.rules</li>
</ul>

Prelude-LML - Bug #213 (New): LML rulesets should be updated to use IDMEF Action (http://www.prelude-siem.org/issues/213, 2007-04-03T17:31:44Z, Yoann VANDOORSELAERE)
<p>Current rulesets (except modsecurity) do not make use of the IDMEF Action class.</p>
<pre>
4.2.6.2. The Action Class
The Action class is used to describe any actions taken by the
analyzer in response to the event.
category
The type of action taken. The permitted values are shown below.
The default value is "other". (See also Section 10.)
+------+-------------------+----------------------------------------+
| Rank | Keyword           | Description                            |
+------+-------------------+----------------------------------------+
|    0 | block-installed   | A block of some sort was installed to  |
|      |                   | prevent an attack from reaching its    |
|      |                   | destination.  The block could be a     |
|      |                   | port block, address block, etc., or    |
|      |                   | disabling a user account.              |
|      |                   |                                        |
|    1 | notification-sent | A notification message of some sort    |
|      |                   | was sent out-of-band (via pager,       |
|      |                   | e-mail, etc.).  Does not include the   |
|      |                   | transmission of this alert.            |
|      |                   |                                        |
|    2 | taken-offline     | A system, computer, or user was taken  |
|      |                   | offline, as when the computer is shut  |
|      |                   | down or a user is logged off.          |
|      |                   |                                        |
|    3 | other             | Anything not in one of the above       |
|      |                   | categories.                            |
+------+-------------------+----------------------------------------+
The element itself may be empty, or may contain a textual
description of the action, if the analyzer is able to provide
additional details.
</pre>
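The following block is an added illustration for Task #907 above (the OptionsBleed correlation request); it is not Prelude project code and not a prelude-correlator plugin, which consume IDMEF alerts rather than raw logs. It demonstrates the point the task makes, that a single OPTIONS request carries no pattern and only the repetition is suspicious, by counting OPTIONS requests per source address over a sliding window and raising one alert per burst. The Apache combined-log lines, the threshold of 20 requests in five minutes and the addresses are all constructed assumptions for the example.

```python
"""Count OPTIONS requests per source over a sliding window and raise one alert
per burst, as a stand-alone sketch of the correlation #907 asks for."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional

# Apache combined log format; the sample lines below are constructed, not captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)


def parse_ts(text: str) -> datetime:
    """Parse an Apache timestamp such as 21/Sep/2017:16:38:48 +0000."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


class OptionsBurstDetector:
    """Sliding-window counter: a source that sends `threshold` OPTIONS requests
    within `window` yields one alert, after which its counter restarts."""

    def __init__(self, threshold: int = 20, window: timedelta = timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self._times: Dict[str, Deque[datetime]] = defaultdict(deque)

    def feed(self, line: str) -> Optional[Dict[str, object]]:
        m = LOG_RE.match(line)
        if m is None or m.group("method") != "OPTIONS":
            return None  # a lone OPTIONS request is normal traffic; only bursts matter
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = self._times[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop requests that left the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        first, count = q[0], len(q)
        q.clear()  # restart so the next burst from this source alerts again
        return {
            "classification.text": "Repeated HTTP OPTIONS requests (possible OptionsBleed probing)",
            "classification.reference(0).origin": "cve",
            "classification.reference(0).name": "CVE-2017-9798",
            "source.node.address.address": ip,
            "additional_data(0).meaning": "options_requests_in_window",
            "additional_data(0).data": count,
            "detect_time": first.isoformat(),
            "create_time": ts.isoformat(),
        }


def run(lines: List[str], threshold: int = 20,
        window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Feed every line through one detector and collect the alerts it raises."""
    det = OptionsBurstDetector(threshold, window)
    return [a for a in (det.feed(line) for line in lines) if a is not None]


def _access_line(ip: str, method: str, path: str, ts: datetime) -> str:
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 0 "-" "curl/7.55"'


def constructed_lines() -> List[str]:
    """Constructed traffic: 203.0.113.7 sends 25 OPTIONS requests five seconds
    apart; 198.51.100.9 browses normally and sends one OPTIONS request."""
    base = datetime(2017, 9, 21, 16, 38, 48, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        lines.append(_access_line("203.0.113.7", "OPTIONS", "/", base + timedelta(seconds=5 * i)))
        if i % 5 == 0:
            lines.append(_access_line("198.51.100.9", "GET", "/index.html",
                                      base + timedelta(seconds=5 * i + 1)))
    lines.append(_access_line("198.51.100.9", "OPTIONS", "/", base + timedelta(seconds=200)))
    return lines


if __name__ == "__main__":
    for alert in run(constructed_lines()):
        print(alert)
```

Clearing the per-source queue after an alert is what keeps a long-running probe from producing one alert per request once the threshold is crossed; shrinking the window (say to 30 seconds) makes the same 25 requests, spaced five seconds apart, never accumulate to the threshold, which is the tuning trade-off a correlation rule for this CVE has to make.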
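The next block is an added example serving two of the reports above: Bug #343 (OSSEC 1.6.1 reporting assessment.impact.completion = succeeded for both AUDIT_SUCCESS and AUDIT_FAILURE events) and Bug #215 (ntsyslog.rules not recognising the Kerberos pre-authentication failure, event 675, as a domain logon attempt). It is not OSSEC or Prelude-LML code; it is a small normaliser that derives the IDMEF completion from the outcome token actually present on the line and pulls the user, failure code and client address out of the 675 text. The line shapes are taken from the samples quoted in the two reports (with the page's placeholders kept); the IDMEF path names and the 673/675 classification texts are my assumptions for the example.

```python
"""Map Windows security events (OSSEC WinEvtLog and ntsyslog forms) to IDMEF fields."""
import re
from typing import Dict, List, Optional

# Line shapes follow the samples quoted in #343 (OSSEC) and #215 (ntsyslog).
OSSEC_RE = re.compile(
    r"^\[\[WinEvtLog\]\]: (?P<log>\w+): (?P<outcome>AUDIT_SUCCESS|AUDIT_FAILURE)"
    r"\((?P<event_id>\d+)\): (?P<rest>.*)$"
)
NTSYSLOG_RE = re.compile(r"^security\[(?P<outcome>success|failure)\] (?P<event_id>\d+) (?P<rest>.*)$")

# Fields carried by the event 675 (pre-authentication failed) text.
USER_RE = re.compile(r"User Name:\s*(\S+)")
FAILCODE_RE = re.compile(r"Failure Code:\s*(0x[0-9a-fA-F]+)")
CLIENT_RE = re.compile(r"Client\s*Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Classification text per (pre-Vista) Windows security event id; 675 is the
# Kerberos pre-authentication failure from #215, 673 the Kerberos service
# ticket event in the #343 samples. Assumed wording, not the project's rules.
EVENT_TEXT = {
    673: "Kerberos service ticket request",
    675: "Kerberos pre-authentication failed (domain logon attempt)",
}

# The outcome token on the line, not a constant, decides the completion value.
COMPLETION = {
    "AUDIT_SUCCESS": "succeeded", "AUDIT_FAILURE": "failed",
    "success": "succeeded", "failure": "failed",
}


def to_idmef(line: str) -> Optional[Dict[str, str]]:
    """Return a flat dict of IDMEF paths for a recognised Windows security line, else None."""
    analyzer, m = "ossec", OSSEC_RE.match(line)
    if m is None:
        analyzer, m = "ntsyslog", NTSYSLOG_RE.match(line)
    if m is None:
        return None
    event_id = int(m.group("event_id"))
    alert = {
        "analyzer.name": analyzer,
        "classification.text": EVENT_TEXT.get(event_id, f"Windows security event {event_id}"),
        "classification.reference(0).origin": "vendor-specific",
        "classification.reference(0).name": f"Windows security event {event_id}",
        "assessment.impact.completion": COMPLETION[m.group("outcome")],
    }
    if event_id == 675:  # domain (Kerberos) logon failure: extract the fields #215 lists
        rest = m.group("rest")
        alert["assessment.impact.type"] = "user"
        user, code, client = USER_RE.search(rest), FAILCODE_RE.search(rest), CLIENT_RE.search(rest)
        if user:
            alert["target.user.user_id.name"] = user.group(1)
        if client:
            alert["source.node.address.address"] = client.group(1)
        if code:
            alert["additional_data(0).meaning"] = "kerberos-failure-code"
            alert["additional_data(0).data"] = code.group(1)
    return alert


# Constructed from the samples in #343 and #215 (placeholders kept as on the page).
SAMPLE_LINES: List[str] = [
    "[[WinEvtLog]]: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: SERVER: "
    "user@DOMAIN DOMAIN PC$ %{SOMERANDOMUIDHERE} 0x40810010 0x17 10.10.10.10 - {SOMEOTHERUID} -",
    "[[WinEvtLog]]: Security: AUDIT_FAILURE(673): Security: SYSTEM: NT AUTHORITY: SERVER: - 0x2 - 10.10.10.10 0x20 - -",
    "security[failure] 675 NT AUTHORITY\\SYSTEM Pre-authentication failed: User Name:mike "
    "User ID: %{x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx} Service Name:krbtgt/HQ "
    "Pre-Authentication Type:0x2 Failure Code:0x18 Client Address:10.120.120.152",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(to_idmef(sample))
```

Run over the page's three sample lines, the two 673 events come out with completion "succeeded" and "failed" respectively, which is the split #343 says OSSEC 1.6.1 does not make, and the 675 line yields a failed domain logon for user mike from 10.120.120.152 with failure code 0x18.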
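As an added example for Bug #214 (Reference entries without the "url" IDMEF requires) and Bug #213 (rulesets not using the Action class, whose permitted category values are listed in the table above), here is a small linter for rule files. It is not part of Prelude-LML; the rule syntax it parses is the `key=value;` form of prelude-lml rules as I understand it (backslash continuations, a rule terminated by a bare `last`), simplified so that a regex containing `;` or `#` would confuse it. The sample rules are constructed and are not the real cisco-vpn or cisco-css rules.

```python
"""Lint prelude-lml style rules: references missing url (#214) and Action categories (#213)."""
import re
from typing import Dict, List

# Permitted Action.category keywords, from the RFC 4765 table quoted in #213.
ACTION_CATEGORIES = {"block-installed", "notification-sent", "taken-offline", "other"}

REF_RE = re.compile(r"^classification\.reference\((\d+)\)\.(origin|name|url|meaning)$")
ACTION_RE = re.compile(r"^assessment\.action\((\d+)\)\.category$")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split rule text into rules, each a dict of IDMEF path -> value.

    Assumed simplified syntax: 'key=value;' assignments, backslash line
    continuations, '#' comments and a bare 'last' that ends a rule.
    """
    joined = re.sub(r"\\\n\s*", " ", text)  # fold continuation lines
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        for item in filter(None, (i.strip() for i in line.split(";"))):
            if item == "last":
                if current:
                    rules.append(current)
                current = {}
            elif "=" in item:
                key, value = item.split("=", 1)
                current[key.strip()] = value.strip()
    if current:
        rules.append(current)
    return rules


def lint_rule(rule: Dict[str, str]) -> List[str]:
    """Return the findings for one parsed rule."""
    findings = []
    label = rule.get("classification.text", "<no classification.text>")
    seen, with_url = set(), set()
    for key in rule:
        m = REF_RE.match(key)
        if m:
            seen.add(m.group(1))
            if m.group(2) == "url":
                with_url.add(m.group(1))
    for idx in sorted(seen - with_url):  # #214: every Reference needs its url
        findings.append(f"{label}: classification.reference({idx}) has no url (required by IDMEF)")
    has_action = any(k.startswith("assessment.action(") for k in rule)
    for key, value in rule.items():
        m = ACTION_RE.match(key)
        if m and value not in ACTION_CATEGORIES:  # #213: only the four table values are valid
            findings.append(f"{label}: assessment.action({m.group(1)}).category={value!r} "
                            "is not a permitted IDMEF value")
    if not has_action:
        findings.append(f"{label}: rule sets no assessment.action (see #213)")
    return findings


def lint(text: str) -> List[str]:
    return [f for rule in parse_rules(text) for f in lint_rule(rule)]


# Constructed sample rules in the assumed syntax (not the project's real rule files).
SAMPLE_RULES = r"""
regex=Login failed for user (\S+); \
 classification.text=VPN login failed; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).name=VPN-AUTH-FAIL; \
 assessment.impact.completion=failed; \
 last

regex=Blocked request from (\S+); \
 classification.text=Request blocked; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).name=CSS-BLOCK; \
 classification.reference(0).url=https://example.invalid/css-block; \
 assessment.action(0).category=block-installed; \
 last

regex=User (\S+) disconnected; \
 classification.text=User kicked; \
 assessment.action(0).category=logged-off; \
 last
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

On the constructed input the first rule is reported twice (a Reference without url, and no Action at all), the second passes, and the third is caught for using `logged-off`, which is not one of the four category keywords in the table; the correct mapping for that event would be `taken-offline`.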