Feature #128

Prelude integration within SEC

Added by Yoann VANDOORSELAERE over 13 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version: -
Start date:
Due date:
% Done: 0%
Resolution: fixed

Description

Following the recent discussion about integrating correlation capability
in Prelude using the SEC program, which would currently consist of:

Prelude-Manager(XMLmod) -> SEC(logfile) -> Prelude-LML ->
Prelude-Manager

I thought we should rather try to get it done right the first time than settle for the hack described above. I talked with Rob Holland from Inverse Path (Perl coder and Prelude contributor) about integrating Prelude support directly within SEC.

The integration is going to be done in two steps:

1. Integrate Prelude-like reporting capability within SEC, so that it can report alerts directly to Prelude. This way, the schema above will be changed to:
Prelude-Manager (XMLmod) -> SEC -> Prelude-Manager
2. Implement the ability in SEC to directly match IDMEF messages. This will change the schema above to:
Prelude-Manager <-> SEC

We hope that the result of this effort will then be included in the vanilla SEC distribution. Please post any thoughts or comments about the upcoming Prelude integration within the SEC program here.

sec.patch View - Patch to sec to add reporting directly to prelude (7.34 KB) , 01/29/2006 11:52 PM

History

#1 Updated by over 13 years ago

To try it out:

tigger@fuse ~/sec-2.3.2 $ cat sec.conf
type=single
ptype=regexp
pattern=pid (\d+)
desc=alert.classification.text=eek pid $1!
action=prelude

Not tested anything more complicated than that. Figuring Gene can come up with something to test with.

#2 Updated by over 13 years ago

Does this just use the default profile definition for locating prelude-manager? Is the sensor name "sec"?

#3 Updated by over 13 years ago

The initial run of this looks good. I'll do more in-depth testing in a few days.

#4 Updated by Yoann VANDOORSELAERE over 13 years ago

For about one week now, an important albeit unnoticed correlation effort has been going on. The outcome of this work (in progress, but already working and robust) is available in the Prelude SVN repository SEC module http://svn.prelude-ids.org/trunk/sec.

We are very much looking for people to contribute useful correlation rules at this stage.
More information in the mailing list post.

#5 Updated by over 13 years ago

Hi ya,

I see the following messages in Prewikka

Correlation Alert (0 alert): No firewall drop reported

Invalid analyzerid:messageid pair: 2117355582141255:164354103824

I'm using the latest 'sec' from SVN.

Is this normal?

Regards,

Robin

#6 Updated by over 13 years ago

Robin,
The analyzerid:messageid pair should point to a valid Prelude alert. There may be an error in the way the rule that generates this correlated event is put together, or Prewikka may not be able to find the matching event.
Is there any reason why an event would not make its way into your Prelude database alongside these correlated alerts? Do you possibly have a prelude-manager filter for database commit?

- Ramon

#7 Updated by over 13 years ago

Ramon,

At the moment I don't have any filters for our prelude-manager. When I disable the SEC application, everything works fine. Of course I don't get any Correlation Alerts.

Is there a way to get more output from the Sec application? (Input/Output)
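The following is an added example, not code from this issue, from the sec.patch attachment, or from the Prelude or SEC projects. It models two things discussed above in one runnable script: the `single` rule from comment #1 (pattern with a `$1` backreference expanded into `alert.classification.text`) applied to constructed log lines, and the reference check behind the "Invalid analyzerid:messageid pair" message from comments #5 and #6, where a CorrelationAlert's alertident entries (analyzerid plus messageid, as in IDMEF) must resolve to alerts that actually reached the database. Assumptions not taken from the page: how the patch parses `desc` (modelled here as `idmef-path=value`), the in-memory dict standing in for the prelude-manager database, the sample log lines, and the messageid values; the analyzerid reuses the number quoted in comment #5 purely as sample data.

```python
"""Toy model of the SEC -> Prelude flow discussed in this issue (added example).

Assumptions (not from the issue): desc is 'idmef-path=value', only the path
alert.classification.text is understood, the dict in run_demo() stands in for
the prelude-manager database, and all sample data is constructed.
"""
import re
from dataclasses import dataclass

# The rule from comment #1, as a dict (real SEC reads a key=value rule file).
RULE = {
    "type": "single",
    "ptype": "regexp",
    "pattern": r"pid (\d+)",
    "desc": "alert.classification.text=eek pid $1!",
}

# Constructed sample input; only the second line contains "pid <number>".
LOG_LINES = [
    "Jan 29 23:52:01 fuse sshd[1234]: Accepted publickey for tigger",
    "Jan 29 23:52:02 fuse kernel: process pid 4242 segfaulted",
    "Jan 29 23:52:03 fuse cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

SEC_ANALYZERID = "2117355582141255"  # sample value, taken from comment #5


@dataclass(frozen=True)
class Alert:
    analyzerid: str
    messageid: str
    classification: str


@dataclass(frozen=True)
class CorrelationAlert:
    analyzerid: str
    messageid: str
    name: str
    alertident: tuple  # (analyzerid, messageid) of each source alert (IDMEF alertident)


def expand_desc(template, match):
    """Substitute SEC-style $N backreferences ($0 is the whole match)."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)


def apply_single_rule(rule, line, messageid):
    """Return an Alert if the rule's regexp matches the line, else None."""
    if rule["ptype"] != "regexp":
        raise ValueError("only ptype=regexp is modelled here")
    m = re.search(rule["pattern"], line)
    if m is None:
        return None
    path, _, value = rule["desc"].partition("=")  # assumed desc syntax
    if path != "alert.classification.text":
        raise ValueError(f"unsupported IDMEF path {path!r}")
    return Alert(SEC_ANALYZERID, messageid, expand_desc(value, m))


def validate_alertident(corr, db):
    """Return the (analyzerid, messageid) references that are not in db.

    A non-empty result is what Prewikka reports as an invalid
    analyzerid:messageid pair: the correlated event points at an alert
    that never reached the database (dropped, filtered, or never sent).
    """
    return [ref for ref in corr.alertident if ref not in db]


def run_demo():
    db = {}      # stands in for the prelude-manager database
    alerts = []  # alerts SEC emitted and the manager committed
    for n, line in enumerate(LOG_LINES):
        alert = apply_single_rule(RULE, line, messageid=str(100 + n))
        if alert is not None:
            alerts.append(alert)
            db[(alert.analyzerid, alert.messageid)] = alert
    # Correlation alert with one good reference and one dangling reference
    # (the second source alert was never committed).
    corr = CorrelationAlert(
        analyzerid=SEC_ANALYZERID,
        messageid="500",
        name="No firewall drop reported",
        alertident=((SEC_ANALYZERID, alerts[0].messageid),
                    (SEC_ANALYZERID, "164354103824")),
    )
    return {"alerts": alerts, "invalid_refs": validate_alertident(corr, db)}


if __name__ == "__main__":
    result = run_demo()
    for a in result["alerts"]:
        print(f"alert {a.analyzerid}:{a.messageid} {a.classification}")
    for analyzerid, messageid in result["invalid_refs"]:
        print(f"Invalid analyzerid:messageid pair: {analyzerid}:{messageid}")
```

Running the script prints one alert for the "pid 4242" line and then the same kind of invalid-pair message Robin saw, produced by the dangling reference. In a real deployment the equivalent diagnostic is to look the pair up in the prelude database directly: if the row is absent, the source alert never made it past the manager, which is the case Ramon's question about a database-commit filter is meant to rule out.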

#8 Updated by Yoann VANDOORSELAERE over 13 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Closing this bug since SEC is now deprecated and replaced with the prelude-correlator module.

#9 Updated by Yoann VANDOORSELAERE over 10 years ago

  • Project changed from PRELUDE SIEM to Prelude Correlator
