UNITY 360: Issueshttp://www.prelude-siem.org/http://www.prelude-siem.org/welcome/themes/prelude/favicon/Prelude-icon.png2022-06-16T08:36:22ZUNITY 360
Redmine PRELUDE SIEM - Bug #1253 (New): Support on K8s Prelude Siem versionhttp://www.prelude-siem.org/issues/12532022-06-16T08:36:22ZQuentin Maraval
<p>Hello,<br />i am currently working on the "chartization" of Prelude in order to get it running inside Kubernetes cluster.<br />I used this repository <a class="external" href="https://github.com/fpoirotte/docker-prelude-siem">https://github.com/fpoirotte/docker-prelude-siem</a> that does the same work for docker with OSS version of prelude.</p>
<p>I updated the docker image, changed the Os container from Centos to Opensuse leap.<br />I have the project running (not tested the correlator yet), however it still on OSS version and i would like to get it running in SIEM version.</p>
<p>So to achieve this i will need some support from you on this task.</p>
<p>I have a couple questions :<br />- Where can i download the packages for SIEM version for Opensuse ? <br />- How can we proceed for key generation/licence knowing that the helm chart deployment can occurs many times as we are on cloud (delete/reinstall for testing purpose etc..)</p>
<p>Thanks,<br />Quentin</p> Prewikka - Support #1153 (Assigned): Suricata changes the output from version 4http://www.prelude-siem.org/issues/11532019-11-07T18:40:10ZAndrew Goldy
<p>Hello Guys!</p>
<p>Suricata might has changed? the default prelude-alert output, because comparing to the old release 3.x the alert text was the alert name for example "ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)", and now the alert text is swapped to description for example "Potential Corporate Privacy Violation".<br />Moreover comparing to snort its confirmed something was wrong with the alerting output at least in case of prelude in suricata.</p>
<p>Below the real world examples with the same alert from snort and suricata aspects. Both outputs are natively forwarded to prelude. <br />I've contacted suricata for months but still no answer... Is there any workaround to swap the two columns regarding suricata?</p>
<p><img src="http://www.prelude-siem.org/attachments/download/1184/tempsnip.png" alt="" /></p>
<p>Suricata:</p>
<p><img src="http://www.prelude-siem.org/attachments/download/1186/jzff.PNG" alt="" /></p>
<p>Snort:</p>
<p><img src="http://www.prelude-siem.org/attachments/download/1185/ftzfztfztd.PNG" alt="" /></p>
<p>Many thanks! <img src="/plugin_assets/redmine_wiki_extensions/images/smile.png" alt=":)"></p> Prewikka - Support #1031 (Assigned): Authentication errorhttp://www.prelude-siem.org/issues/10312019-01-06T17:29:51ZRobin IRLINGER
<p>Hi,</p>
<p>I've a trouble with Auth in Prewikka. It's impossible to enable [auth loginpassword] in /etc/prewikka/prewikka.conf: "Cannot use auth mode 'loginpassword', please contact your local administrator". (cf. print screen)</p>
<p>Do you have any suggestions ?</p>
<p>Thanks.</p>
<p>Robin</p> Prelude-LML-Rules - Feature #906 (New): CVE-2017-9798 - OptionsBleed - Detectionhttp://www.prelude-siem.org/issues/9062017-09-21T16:05:36ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>In order to detect OptionsBleed, you need this LML rules to be able to do the right correlation</p> Libprelude - Bug #893 (New): libprelude-errors failed compile on hhurd-i386http://www.prelude-siem.org/issues/8932017-06-24T14:23:44ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<pre>
make[6]: Entering directory '/<<PKGBUILDDIR>>/src/libprelude-error'
LANG="" gawk -f ./mkstrtable.awk -v textidx=3 \
./err-sources.h.in >err-sources.h
LANG="" gawk -f ./mkstrtable.awk -v textidx=3 \
./err-codes.h.in >err-codes.h
LANG="" gawk -f ./mkerrcodes1.awk ./errnos.in >_mkerrcodes.h
gcc -E -P _mkerrcodes.h | grep PRELUDE_ERROR_ | LANG="" gawk -f ./mkerrcodes.awk >mkerrcodes.h
rm _mkerrcodes.h
gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -specs=/usr/share/dpkg/pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -I. -I. -o mkerrcodes ./mkerrcodes.c
In file included from ./mkerrcodes.c:26:0:
./mkerrcodes.h:3:3: error: expected identifier or '(' before numeric constant
((0x10 << 26) | ((7) & 0x3fff)) PRELUDE_ERROR_E2BIG
^~~~
./mkerrcodes.h:3:15: error: expected ')' before '|' token
((0x10 << 26) | ((7) & 0x3fff)) PRELUDE_ERROR_E2BIG
^
./mkerrcodes.c: In function 'main':
./mkerrcodes.c:59:31: error: 'err_table' undeclared (first use in this function)
for (i = 0; i < sizeof (err_table) / sizeof (err_table[0]) - 1; i++)
^~~~~~~~~
./mkerrcodes.c:59:31: note: each undeclared identifier is reported only once for each function it appears in
Makefile:1790: recipe for target 'mkerrcodes' failed
</pre> Libprelude - Bug #887 (New): Timer tests on slow systemhttp://www.prelude-siem.org/issues/8872017-05-14T14:22:27ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>On slow system, sometimes, timer tests (tests/prelude-timer.c) work works.</p>
<p>Adding "1" to max_expire in for loop solve this</p>
<pre>
- for ( i = 0; i <= max_expire && timer_alive; i++ ) {
+ for ( i = 0; i <= max_expire + 1 && timer_alive; i++ ) {
</pre> Libprelude - Bug #886 (New): Sometimes, test-lock from libmissing wont workshttp://www.prelude-siem.org/issues/8862017-05-14T14:19:50ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>Same issues in coreutils and other packages : <a class="external" href="http://pkgs.fedoraproject.org/cgit/rpms/coreutils.git/commit/?id=8d346246">http://pkgs.fedoraproject.org/cgit/rpms/coreutils.git/commit/?id=8d346246</a></p>
<p>Hope that gnulib will update this test</p> Libprelude - Bug #885 (New): Segfault with atfork on arm64, armhf and ppc64elhttp://www.prelude-siem.org/issues/8852017-05-14T14:16:45ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>See <a class="external" href="https://bugs.launchpad.net/ubuntu/+source/libprelude/+bug/1262430">https://bugs.launchpad.net/ubuntu/+source/libprelude/+bug/1262430</a></p> Libprelude - Bug #879 (New): M4 for Ruby on Debian 9 not workinghttp://www.prelude-siem.org/issues/8792017-03-27T22:48:17ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>The actual M4 (3.1, m4/am_path_ruby) can't detect ruby on debian 9</p>
<p>Here is an example of patch :</p>
<pre>
--- libprelude-3.1.0/m4/am_path_ruby.m4 2017-02-28 18:00:21.227299410 -0500
+++ libprelude-3.1.0/m4/am_path_ruby.m4 2017-02-28 18:01:06.702306372 -0500
@@ -95,7 +95,7 @@
dnl (shared libraries)
AC_CACHE_CHECK([for $am_display_RUBY extension module directory],
[am_cv_ruby_rbexecdir],
- [am_cv_ruby_rbexecdir=`$RUBY -rrbconfig -e "drive = File::PATH_SEPARATOR == ';' ? /\A\w:/ : /\A/; prefix = Regexp.new('\\A' + Regexp.quote(RbConfig::CONFIG[['prefix']])); \\$prefix = RbConfig::CONFIG[['prefix']].sub(drive, ''); \\$sitearchdir = RbConfig::CONFIG[['sitearchdir']].sub(prefix, '\\$(prefix)').sub(drive, ''); print \\$sitearchdir;" 2>/dev/null || echo "${RUBY_EXEC_PREFIX}/local/lib/site_ruby/${RUBY_VERSION}/${RUBY_PLATFORM}"`])
+ [am_cv_ruby_rbexecdir=`$RUBY -r rbconfig -e "print RbConfig::CONFIG[['vendorarchdir']]"`])
AC_SUBST([rbexecdir], [$am_cv_ruby_rbexecdir])
dnl if PKG-CONFIG is available, we use it. Else, we try to dectect RUBY_INCLUDES manually
</pre> Libprelude - Bug #860 (Assigned): Fedora : ruby sitearchdir need to be vendorarchdirhttp://www.prelude-siem.org/issues/8602016-10-31T21:33:18ZThomas ANDREJAKthomas.andrejak@csgroup.eu
<p>On Fedora, sitearchdir is not defined, so ruby "so" file go to /usr/local.</p>
<p>On Fedora it is vendorarchdir</p> Prelude Correlator - Feature #375 (Assigned): Prelude Correlator upper event limithttp://www.prelude-siem.org/issues/3752010-04-06T19:40:57ZJames Chappleheatgod@verizon.net
<p>When a corrleated event such as Eventscan or Eventstorm contains large numbers of events, the Prewikka GUI times out and is unable to display the event details. On several test systems available to me, the threshold seemed to be around 5K events. This was discovered during a Nessus scan of monitored systems, where Nessus is scanning every port. Iptables is logging every blocked port, potentially generating many thousands of events during the window.</p>
<p>The ability to specify an upper limit in the Correlator rules for a given correlated event would be useful to prevent excessive messages in a single event.</p> Prelude-LML - Feature #315 (New): Using Named variables in PCRE rulesethttp://www.prelude-siem.org/issues/3152008-09-13T20:42:09Z
<p>Named Variables in pcre:</p>
<p>This would make for quicker and simpler rules to be created in prelude-lml.</p>
<p>Example from ntsyslog.rules:</p>
<pre>
regex=security\[success\] 528 (.*) Successful Logon: User Name:(?<username>[\w ]+) Domain:(?<domain>.+) Logon ID:\(?<lid>.*\) Logon Type:(?<ltype>\d+) Logon Process:(?<lprocess>\w+) .* Workstation Name:(?<wks>\S+);
classification.text=Login; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=Windows Event ID; \
classification.reference(0).name=528; \
classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \
id=1401; \
revision=3; \
analyzer(0).name=NTsyslog; \
analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
analyzer(0).class=Logging; \
assessment.impact.severity=low; \
assessment.impact.completion=succeeded; \
assessment.impact.type=user; \
assessment.impact.description=$username successfully logged on on $wks ($domain domain) via $ltype; \
source(0).process.name=$5; \
source(0).node.address(0).category=unknown; \
source(0).node.address(0).address=$wks; \
source(0).node.name=$wks; \
source(0).user.category=os-device; \
source(0).user.user_id(0).type=current-user; \
source(0).user.user_id(0).name=$username; \
target(0).user.user_id(0).type=current-user; \
target(0).user.user_id(0).name=$username; \
additional_data(0).type=integer; \
additional_data(0).meaning=Logon type; \
additional_data(0).data=$ltype; \
additional_data(1).type=string; \
additional_data(1).meaning=Authentication domain; \
additional_data(1).data=$domain; \
last
</pre> Prewikka - Feature #260 (New): IDMEF XML View in Prewikkahttp://www.prelude-siem.org/issues/2602007-09-08T18:04:30Z
<p>Hey there,</p>
<p>I would suggest the following feature for prewikka: In the detailed alert view</p>
<p>/?view=alert_summary&origin=alert_listing&messageid=$alert.messageid</p>
<p>there should be the possibility to view this event in pure IDMEF XML, too. This would make it easier to get an IDMEF overview and indepth view, as well as it makes it easier to create rules/filters on IDMEF criteria, i.e. if using the smtp plugin or just some other custom filters</p> Prewikka - Feature #240 (New): [PATCH] - SSL Client Certificate Authentification modulehttp://www.prelude-siem.org/issues/2402007-06-18T16:58:01Z
<p>Hi</p>
<p>Here is a patch to use a SSL Client certificate to authenticate user. The username should be equal to the user certificate CN (the full DN is too long to be used, login field is limited to 32 char)</p>
Limitations:
<ul>
<li>Currently only tested in a SSL mod_python setup</li>
<li>Need SSLOptions +StdEnvVars</li>
<li>Used with python 2.3</li>
</ul>
<p>In prewikka.conf</p>
<pre>
[auth ssl]
</pre>
<p>And this file in a new directory <em>prewikka/modules/auth/ssl/</em><br /><pre>
# Copyright (C) 2006 [[PreludeIDS]] Technologies. All Rights Reserved.
# Author: Francois Harvey <fharvey+prelude at securiweb dot net>
#
# This file is part of the Prewikka program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
import os
from prewikka import Auth, User, Database
# Use the SSL_CLIENT_S_DN_CN from a SSL x509 Certificate to map the user
class SSLAuth(Auth.Auth):
def getUser(self, request):
if not request._req.subprocess_env['HTTPS']:
raise Auth.AuthError(message=_("SSL Authentication failed: Not in a SSL session."))
user = request._req.subprocess_env['SSL_CLIENT_S_DN_CN']
if not user:
raise Auth.AuthError(message=_("SSL Authentication failed: no user specified (hint: look at the certificate CN)."))
return User.User(self.db, user, self.db.getLanguage(user), User.ALL_PERMISSIONS, self.db.getConfiguration(user))
def load(env, config):
return SSLAuth(env)
</pre></p> Prelude-LML - Feature #238 (New): manpagehttp://www.prelude-siem.org/issues/2382007-06-09T00:32:30Z
<p>Here is a manpage for prelude-lml, mostly taken from --help command line and the wiki. Please review for integration.</p>