Prelude Agent Contribution program¶

Object¶

The Prelude team is currently launching a campaign for the development of new security agents that "speak" IDMEF, on the occasion of the
adoption of IDMEF and IODEF by the French "General Interoperability Framework" (RGI) :

• IDMEF and IODEF in General Interoperability Framework v2 (French)
• General Interoperability Framework (French)

This campaign aims to encourage new software to be "IDMEF compatible" through Prelude. This page explains how to participate to this campaign.

Quick getting started :

• BASIC Agent
• EXPERT Agent

What is a Prelude agent ?¶

Any program/device logging potential security events can be a Prelude agent.

We distinguish between two types of Prelude agents.

• BASIC AGENT : The agent is producing log files and Prelude LML selects and normalize some of these logs into IDMEF Alerts to send them to the Prelude manager
• EXPERT AGENT : The agent is linked against the LibPrelude library with one of it's bindings and is generating and sending alerts to Prelude directly

Nota: A "security event" can be as simple as "Someone authenticate successfully on my software" unless your software has absolutely no security role, no sensible data, etc.

Example of existing Prelude agents :

• BASIC : OpenLDAP, Postgres, Apache, Cisco Router, selinux, ssh, etc.
• EXPERT : NIDS (Snort, Suricata), HIDS (Samhain, OSSEC), Auditd, Pam, etc.

Should I have the copyright on the agent ?¶

No if the software is open-source. This is the magic of open-source.

For BASIC agent you just have to have access to the log format, for EXPERT agent you can develop the connexion and propose it to the original software community (this is the way the Prelude Team is working)

For proprietary software, the BASIC agent is the same as open-source, for EXPERT agent you need to have access to the software code and contact Prelude to have access to a proprietary version of LibPrelude.

Where can I find informations about IDMEF ?¶

Please visit :

• The SECEF (SECurity Exchange Format) website : http://www.secef.net/
• The SECEF Redmine, with few tutorials : http://redmine.secef.net/
• The SECEF IDMEF RFC Browser : http://www.secef.net/idmef_parser/IDMEF/

What are the constraints ?¶

No constraints for basic agent.

To be an expert agent, your program's licence must be compatible with the GPLv2 licence

Nota : For proprietary softwares, please contact the prelude team : contact.prelude@c-s.fr

What is the difference between Basic and Expert Agent ?¶

Basic : Prelude Log Parser reads your log files, selects the "important" event, transform them in IDMEF and send them to Prelude manager¶

Advantages :

• No real coding
• No linking with LibPrelude
• Writting a parser file is quite easy (specially with Prelude Team help)

Inconvenients :

• IDMEF can contain only information from the log
• Heartbeats can't be sent so the agent can't be monitored in the manager

Expert : The software is linked to LibPrelude and can use the IDMEF API to connect to the manager and send IDMEF object¶

Advantages :

• The agent is fully connected to the manager through a secured channel (SSL),
• Heartbeats can be sent through this channel and the agent can be monitored in the manager GUI
• It is sometime possible to send more information than what is contained in the log
• No need for Prelude LML in the middle

Inconvenients

• LibPrelude must be linked to the software
• The software must be GPL V2 compliant
• There is some coding to be done

Nota: You can start with basic level and move to expert later

Shall I send all my logs through IDMEF ?¶

No !

That's the tricky part.

Only security relevant logs should be transformed to IDMEF. The difference between "normal logs" and "IDMEF logs" is not allways easy to fix. It depends on many factors starting by the nature of your program. The best thing to do about that is to ask in the Prelude Dev Forum and we will help you decide what should be sent as IDMEF alerts.

Where should I start ?¶

If you want to develop an agent and your program is an open-source software, the best first step is to contact the prelude team through our Prelude Dev Forum so we can advice you on the relevancy of your choice, what best level would be (basic or expert) and how we can help you.

You can also install Prelude OSS and :

• Look how we work with famous software as BASIC agents like OpenLDAP, Apache, etc.
• Try to connect an EXPERT agent like Suricata to your Prelude installation
• You can also take a look at IDMEF implementation in Prelude compliants software like Suricata for example (the suricata agent is coded in C but other API are availables)

Some questions you should think about¶

What does your software do ?¶

• Is it a security software ?
• Is is "not" a security software but still producing few security informations ? Most of the software produce some security information like authentification logs for example.

What kind of security information is produced (in your logs)¶

Examples :

• authentication failed
• Authentication successfull
• Right granting
• Attempt to access to a forbiden ressource
• etc.

What is the format of those informations ?¶

Examples :

• syslog logs
• xml logs
• IDMEF files (some do !)
• specific log format (do you have documentation on this format ?)

Example of logs¶

Try to produce few examples of logs with what you think should be considered as security events and post it in the forum.

Should I go for BASIC or EXPERT ?¶

BASIC is good for nearly all sofware.

EXPERT should be more dedicated to software "specialised" in security.

A simple rule of the thumb is : The more your software generates "security related events" the more it should be an EXPERT agent.

Nota: You can start with BASIC and move to EXPERT later. BASIC will help you to understand and experiment what kind of information you should send as IDMEF without heavy coding. When you will have a good idea it will be easier to code the agent.

How to get help ?¶

Technical informations :

• BASIC AGENT
• EXPERT AGENT

For both level of implementation, don't hesitate to use the Prelude Dev Forum

List of existing agents¶

• BASIC AGENT : See Prelude LML rule files in the rules repository : Prelude LML Ruleset
• EXPERT AGENT : See this Third party agents

What about Copyright ?¶

A BASIC agent is a ruleset file included in Prelude LML ruleset package. So even if you are the one scripting it we will ask you (like any other Prelude contribution) to leave us the copyright so we can include it in the commercial edition of Prelude.

An EXPERT agent is code in the software agent. We won't need to keep the copyright on it, specially if you are ready to support the agent in time.

Any other question ?¶

Please use the Prelude Dev Forum