Prelude integration within SEC
Following the recent discussion about integrating correlation capability
in Prelude using the SEC program, which would currently consist of:
Prelude-Manager(XMLmod) -> SEC(logfile) -> Prelude-LML -> Prelude-Manager
I thought that we should rather try to get it done right the first time rather than satisfying of the hack described above. I talked with Rob Holland from Inverse Path (Perl coder and Prelude contributor) about integrating directly Prelude support within SEC.
The integration is going to be done in two steps:
1. Integrate Prelude like reporting capability within SEC, so that it can directly report alert to Prelude. This way, the schema above will be changed to:
Prelude-Manager (XMLmod) -> SEC -> Prelude-Manager2. Implement the ability in SEC to directly match IDMEF message. This will change the schema above to:
Prelude-Manager <-> SEC
We hope that the result of this effort will then be included in the vanilla SEC distribution. Please post any thought or comment about the upcoming Prelude integration within the SEC program here.
#4 Updated by Yoann VANDOORSELAERE over 16 years ago
For about one week now, an important albeit unnoticed correlation effort have been going on. The outcome of this work (in progress, but already working and robust) is available in the Prelude SVN repository SEC module http://svn.prelude-ids.org/trunk/sec.
We are very much looking for people to contribute useful correlation rules at this stage.
More information in the mailing list post.
#6 Updated by over 16 years ago
The analyzerid:messageid pair should point to a valid Prelude alert. There may be an error in the way the rule that generates this correlated event is put together, or Prewikka may not be able to find the matching event.
Is there any reason why an event would not make its way into your Prelude database alongside these correlated alerts? Do you possibly have a prelude-manager filter for database commit?