
Developing a Sensor Quickly


This page explains how to develop a sensor from scratch in C in about 10 minutes.

If you want more documentation on sensor development, please refer to the Building a Sensor page.

Source code

Note: this example uses an improved API available from libprelude 0.9.19. If you are using an earlier libprelude version, please have a look at the DevelAgentQuicklyOld page.


#include <libprelude/prelude.h>

#define ANALYZER_NAME "simple-analyzer"

int main(int argc, char **argv)
{
    int ret;

    prelude_client_t *client;
    idmef_message_t *idmef;

    /* Prelude init */
    ret = prelude_init(&argc, argv);
    if ( ret < 0 ) {
        prelude_perror(ret, "unable to initialize the prelude library");
        return -1;
    }

    /* On failure the client pointer is not set, so test the return code */
    ret = prelude_client_new(&client, ANALYZER_NAME);
    if ( ret < 0 ) {
        prelude_perror(ret, "Unable to create a prelude client object");
        return -1;
    }

    ret = prelude_client_start(client);
    if ( ret < 0 ) {
        prelude_perror(ret, "Unable to start prelude client");
        prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
        return -1;
    }

    /* IDMEF init */
    ret = idmef_message_new(&idmef);
    if ( ret < 0 ) {
        prelude_perror(ret, "Unable to create the IDMEF message");
        prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
        return -1;
    }

    /*
     * Fill the IDMEF message (note that the return value of each call
     * should be checked in production code).
     */
    idmef_message_set_string(idmef, "alert.assessment.impact.description", "As you can see, this description is useless, because it is describing an event that isn't one!");
    idmef_message_set_string(idmef, "alert.assessment.impact.severity", "info");
    idmef_message_set_string(idmef, "alert.assessment.impact.completion", "succeeded");
    idmef_message_set_string(idmef, "alert.classification.text", "This alert was sent from the simplest analyzer ever");

    idmef_message_set_string(idmef, "alert.source(0).user(1)", "L'homme araignee");

    idmef_message_set_string(idmef, "alert.additional_data(0).type", "string");
    idmef_message_set_string(idmef, "alert.additional_data(0).meaning", "Signature ID");
    idmef_message_set_string(idmef, "alert.additional_data(0).data", "1");

    /* Send the alert to the manager, then release the message and the client */
    prelude_client_send_idmef(client, idmef);
    idmef_message_destroy(idmef);

    prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);

    return 0;
}
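The fill block above passes IDMEF path strings such as "alert.source(0).user(1)" to idmef_message_set_string() without checking them. As an added example (not part of this page or of libprelude), the following standalone C function parses that path notation, one dotted element per IDMEF class or attribute with an optional "(N)" list index, and rejects malformed paths before a sensor hands them to the library. The type and function names are assumptions of this example; only the C standard library is needed.

```c
/* Added example, not libprelude code: validator for IDMEF path strings
 * of the form "alert.source(0).user(1)" as used with
 * idmef_message_set_string(). */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define IDMEF_PATH_MAX_ELEMS 16
#define IDMEF_PATH_ELEM_LEN  64

typedef struct {
    char name[IDMEF_PATH_ELEM_LEN];
    int  index;                 /* -1 when the element has no (N) index */
} idmef_path_elem_t;

/* Returns the number of elements parsed, or -1 if the path is malformed
 * (empty path, empty element, bad index, unbalanced parenthesis, trailing dot). */
int idmef_path_parse(const char *path, idmef_path_elem_t *out, int max)
{
    int n = 0;
    const char *p = path;

    while ( *p ) {
        size_t len = 0;
        if ( n >= max )
            return -1;
        /* element name: letters, digits and '_' only */
        while ( isalnum((unsigned char) p[len]) || p[len] == '_' )
            len++;
        if ( len == 0 || len >= IDMEF_PATH_ELEM_LEN )
            return -1;
        memcpy(out[n].name, p, len);
        out[n].name[len] = '\0';
        out[n].index = -1;
        p += len;
        /* optional "(N)" list index: digits only, no sign or whitespace */
        if ( *p == '(' ) {
            char *end;
            long idx = strtol(p + 1, &end, 10);
            if ( !isdigit((unsigned char) p[1]) || *end != ')' || idx < 0 )
                return -1;
            out[n].index = (int) idx;
            p = end + 1;
        }
        n++;
        if ( *p == '.' ) {
            if ( *++p == '\0' )
                return -1;      /* trailing dot */
        } else if ( *p != '\0' )
            return -1;          /* unexpected character after element */
    }
    return n > 0 ? n : -1;
}
```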

Makefile

CC=gcc
CFLAGS=$(shell libprelude-config --cflags)
LDFLAGS=$(shell libprelude-config --libs)

# The recipe line below must start with a tab character, not spaces.
all: prelude-simplest-sensor.c
	$(CC) prelude-simplest-sensor.c -o prelude-simplest-sensor $(CFLAGS) $(LDFLAGS)

Registration

If prelude-manager is running on localhost, run:

prelude-admin register simple-analyzer "idmef:w" localhost --uid 1000 --gid 1000

and in another terminal:

prelude-admin registration-server prelude-manager

Follow the instructions, and your sensor will be registered.

See the result of your alert

  • When you fire up prewikka, you see a line containing what we specified as classification.text (see the alert-prewikka.png screenshot).
  • When you click on this alert, you see a detailed view of it (see the alert-detail.png screenshot).

Enjoy!

Attachments: alert-detail.png (46.1 KB) and alert-prewikka.png (3.56 KB), Thomas ANDREJAK, 10/13/2016 05:52 PM