Prelude-Admin Manual

Presentation

prelude-admin is used to perform the various operations involving agent profiles.
A profile is required for a Prelude agent to run and to communicate correctly with other agents. A profile includes:

  • A unique analyzer identity.
  • A default, template configuration file.
  • A private key, used for certificate request generation and for communication encryption.
  • X.509 certificates used for communication with remote agents.

Creating profile

The add command creates a new profile. The profile is created with the permissions of the user running the prelude-admin command, unless specific options are provided. The created profile includes a failover spool directory, default configuration files, and a private key used for communication encryption.

Note: private key generation might take a very long time. Information on speeding up the process is available on the Entropy page.

prelude-admin add my-sensor

Available options

  • --*uid*
    UID or user used to create the analyzer profile.
  • --*gid*
    GID or group used to create the analyzer profile.

TLS-specific options (defaults are defined in the /etc/prelude/default/tls.conf template)

  • --*key-len*
    Profile private key length (default: 1024 bits).

Changing profile permission

The chown command changes the ownership of a profile.

prelude-admin chown my-sensor --uid username --gid 1500

Available options

  • --*uid*
    UID or user to set as the new profile owner.
  • --*gid*
    GID or group to set as the new profile group.

Removing a profile

The del command deletes the specified profile.

prelude-admin del my-agent

Listing profile

The list command lists the profiles available on the system.

Available options

  • -l, --*long*
    Print a detailed listing (includes uid/gid and the profile analyzerID).

prelude-admin list -l
Profile             UID   GID   AnalyzerID       Permission       Issuer AnalyzerID
-----------------------------------------------------------------------------------
prelude-lml         yoann yoann 383026397799329  idmef:w          2038315305918460
prelude-correlator  yoann yoann 2052969743121519 idmef:rw admin:r 2038315305918460
                                                 idmef:rw         3952006679182968
prelude-manager     yoann yoann 2038315305918460 idmef:r          3952006679182968
                                                 idmef:w admin:rw 522518306647497
                                                 idmef:w          2038315305918460
                                                 idmef:w          1426351250159626
                                                 idmef:w          1489495859346286
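The long listing is the only place prelude-admin shows which issuer analyzerIDs hold which permissions on each profile, so it is the natural input for an audit (who can write idmef to the manager? which profiles still carry entries from a given analyzerID?). The following parser is an added example, not code from the Prelude project; it assumes the column layout shown above (profile line: Profile, UID, GID, AnalyzerID, one or more channel:mode tokens, issuer AnalyzerID; indented continuation lines: further permission/issuer entries for the same profile). The sample listing is the one from this page with the header cleaned up, and the two audit helpers are this example's own.

```python
"""Parse `prelude-admin list -l` output into records and answer audit questions.

Added example, not part of prelude-admin.  Assumes the column layout shown in
the manual: a profile line carries Profile, UID, GID, AnalyzerID, one or more
"channel:mode" permission tokens and the issuer AnalyzerID; an indented
continuation line carries further permission/issuer entries for the same profile.
"""
from dataclasses import dataclass, field

# Constructed sample: the listing from the manual page, header without wiki markup.
SAMPLE_LISTING = """\
Profile             UID   GID   AnalyzerID       Permission       Issuer AnalyzerID
-----------------------------------------------------------------------------------
prelude-lml         yoann yoann 383026397799329  idmef:w          2038315305918460
prelude-correlator  yoann yoann 2052969743121519 idmef:rw admin:r 2038315305918460
                                                 idmef:rw         3952006679182968
prelude-manager     yoann yoann 2038315305918460 idmef:r          3952006679182968
                                                 idmef:w admin:rw 522518306647497
                                                 idmef:w          2038315305918460
                                                 idmef:w          1426351250159626
                                                 idmef:w          1489495859346286
"""


@dataclass
class Entry:
    issuer_id: str
    permissions: dict          # channel -> mode, e.g. {"idmef": "rw", "admin": "r"}


@dataclass
class Profile:
    name: str
    uid: str
    gid: str
    analyzer_id: str
    entries: list = field(default_factory=list)


def _parse_permissions(tokens):
    """Turn ["idmef:rw", "admin:r"] into {"idmef": "rw", "admin": "r"}."""
    perms = {}
    for tok in tokens:
        channel, sep, mode = tok.partition(":")
        if not sep or mode not in ("r", "w", "rw"):
            raise ValueError(f"unexpected permission token {tok!r}")
        perms[channel] = mode
    return perms


def parse_listing(text):
    """Parse the long listing; continuation lines attach to the preceding profile."""
    profiles = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "Profile" or set(line.strip()) == {"-"}:
            continue                              # column header or separator line
        if line[0].isspace():                     # continuation: permissions + issuer only
            if current is None:
                raise ValueError("continuation line before any profile line")
            rest = tokens
        else:                                     # new profile line
            name, uid, gid, analyzer_id = tokens[:4]
            current = Profile(name, uid, gid, analyzer_id)
            profiles.append(current)
            rest = tokens[4:]
        if rest:
            issuer = rest[-1]
            if not issuer.isdigit():
                raise ValueError(f"issuer analyzerID expected, got {issuer!r}")
            current.entries.append(Entry(issuer, _parse_permissions(rest[:-1])))
    return profiles


def issuers_with_write(profiles, profile_name, channel="idmef"):
    """Issuer analyzerIDs of entries on profile_name whose mode grants write on channel."""
    for p in profiles:
        if p.name == profile_name:
            return sorted(e.issuer_id for e in p.entries
                          if "w" in e.permissions.get(channel, ""))
    raise KeyError(profile_name)


def profiles_referencing(profiles, analyzer_id):
    """Names of profiles holding at least one entry issued by analyzer_id."""
    return [p.name for p in profiles
            if any(e.issuer_id == analyzer_id for e in p.entries)]


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for p in listing:
        print(p.name, p.analyzer_id, "idmef writers:", issuers_with_write(listing, p.name))
```

Feed it the real output of `prelude-admin list -l` instead of the constructed sample; keeping a parsed snapshot lets you diff the entries of a profile between two points in time, which is the check to run after a register or revoke.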

Renaming a profile

The rename command can be used to rename a profile.

prelude-admin rename my-agent-old my-agent-new

Profile registration

The register command registers the specified analyzer profile with a remote registration server. The analyzer profile is created if it does not exist.

See the Agents Registration Page for details on registering agents.

prelude-admin register prelude-lml "idmef:w" 192.168.0.1

Available options

  • --*uid*=UID
    UID or user used to create the analyzer profile.
  • --*gid*=GID
    GID or group used to create the analyzer profile.
  • --*passwd*=PASSWD
    Use the provided password instead of prompting for it.
  • --*passwd-file*=-|FILE
    Read the password from FILE (- for stdin).

TLS-specific options (defaults are defined in the /etc/prelude/default/tls.conf template)

  • --*key-len*
    Profile private key length (default: 1024 bits).
  • --*cert-lifetime*=DAYS
    Profile certificate lifetime (default: unlimited).
  • --*ca-cert-lifetime*=DAYS
    Authority certificate lifetime (default: unlimited).

Registration server

The registration-server command launches a registration server for the specified Prelude-Manager profile. The profile is created if it does not exist. Registered analyzers will be able to communicate with the Prelude-Manager instance using this profile.

See the Agents Registration Page for details on registering agents.

prelude-admin registration-server prelude-manager

Available options

  • --*uid*=UID
    UID or user used to create the analyzer profile.
  • --*gid*=GID
    GID or group used to create the analyzer profile.
  • --*passwd*=PASSWD
    Use the provided password instead of prompting for it.
  • --*passwd-file*=-|FILE
    Read the password from FILE (- for stdin).

TLS-specific options (defaults are defined in the /etc/prelude/default/tls.conf template)

  • --*key-len*
    Profile private key length (default: 1024 bits).
  • --*cert-lifetime*=DAYS
    Profile certificate lifetime (default: unlimited).
  • --*ca-cert-lifetime*=DAYS
    Authority certificate lifetime (default: unlimited).
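Both register and registration-server accept the same password and TLS options, and the defaults (a 1024-bit key, unlimited certificate lifetime, a password that may be passed on the command line) are the ones a practitioner usually wants to override. The wrapper below is an added example, not code from the Prelude project: it assembles the argv for either subcommand and refuses the settings worth refusing before anything is executed. The option names and the "channel:mode" permission syntax come from this page; the 2048-bit floor, the 365-day default lifetime, the private-mode check on the password file, and the assumption that --key-len accepts the --key-len=BITS form are this example's own choices.

```python
"""Build and sanity-check prelude-admin register / registration-server commands.

Added example, not part of prelude-admin.  Option names and the "channel:mode"
permission syntax follow the manual; MIN_KEY_BITS, the 365-day lifetime and
the password-file mode check are this example's own policy, and the
"--key-len=BITS" spelling is assumed to be accepted alongside "--key-len BITS".
"""
import os
import re
import shutil
import stat
import subprocess

PERMISSION_TOKEN = re.compile(r"^(idmef|admin):(r|w|rw)$")
MIN_KEY_BITS = 2048        # policy floor for this example; the tool's documented default is 1024
DEFAULT_CERT_DAYS = 365    # bounded lifetime instead of the documented "unlimited"


def validate_permission(spec):
    """Check a permission string such as "idmef:w admin:rw"; return its tokens."""
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty permission specification")
    for tok in tokens:
        if not PERMISSION_TOKEN.match(tok):
            raise ValueError(f"bad permission token: {tok!r}")
    return tokens


def check_password_file(path):
    """Refuse a password file that group or others can read (mode 0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by group/others (mode {mode:04o})")
    return path


def build_command(subcommand, profile, *, permission=None, server=None,
                  passwd_file=None, key_len=MIN_KEY_BITS, cert_lifetime=DEFAULT_CERT_DAYS,
                  ca_cert_lifetime=None, uid=None, gid=None):
    """Return the argv for `prelude-admin register` or `registration-server`."""
    if subcommand not in ("register", "registration-server"):
        raise ValueError(f"unsupported subcommand {subcommand!r}")
    if key_len < MIN_KEY_BITS:
        raise ValueError(f"key length {key_len} is below the policy minimum of {MIN_KEY_BITS}")
    argv = ["prelude-admin", subcommand, profile]
    if subcommand == "register":
        # register takes the permission string and the server address as positionals
        if permission is None or server is None:
            raise ValueError("register needs a permission string and a server address")
        argv += [" ".join(validate_permission(permission)), server]
    if uid is not None:
        argv.append(f"--uid={uid}")
    if gid is not None:
        argv.append(f"--gid={gid}")
    if passwd_file is not None:
        # "-" reads the password from stdin; a real file must not be readable by others
        if passwd_file != "-":
            check_password_file(passwd_file)
        argv.append(f"--passwd-file={passwd_file}")
    argv.append(f"--key-len={key_len}")
    if cert_lifetime is not None:
        argv.append(f"--cert-lifetime={cert_lifetime}")
    if ca_cert_lifetime is not None:
        argv.append(f"--ca-cert-lifetime={ca_cert_lifetime}")
    return argv


def run(argv, password=None):
    """Execute a built command; pass password via stdin when argv uses --passwd-file=-."""
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError("prelude-admin is not installed on this host")
    return subprocess.run(argv, input=password, text=True, check=True)


if __name__ == "__main__":
    print(" ".join(build_command("register", "prelude-lml",
                                 permission="idmef:w", server="192.168.0.1",
                                 passwd_file="-")))
```

The wrapper never emits --passwd: a password given on the command line is visible to every local user through the process list, whereas --passwd-file=- keeps it on stdin and a FILE argument is only accepted when its mode shuts out group and others.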

Revoking profile

The revoke command revokes the analyzer with the given analyzerID from the specified profile. An analyzer using the revoked analyzerID will no longer be able to communicate with the profile it was revoked from.

prelude-admin revoke prelude-manager 227879253605921

Miscellaneous usage

Sending messages

The send command sends the messages contained in a Prelude IDMEF binary file (for example, a failover file) to the specified Prelude-Manager address. The specified profile is used for authentication.

prelude-admin send prelude-lml 192.168.0.1 /path/to/file1 /path/to/file2 /path/to/fileN

Available options

  • --*offset*=OFFSET
    Skip the first OFFSET events before processing.
  • --*count*=COUNT
    Process at most COUNT events.

Printing failover messages

The print command prints the messages contained in a Prelude IDMEF binary file (for example, a failover file) to stdout in a human-readable format.

prelude-admin print /path/to/file1 /path/to/file2 /path/to/fileN

Available options

  • --*offset*=OFFSET
    Skip the first OFFSET events before processing.
  • --*count*=COUNT
    Process at most COUNT events.