Prelude Import

Prelude-Import is a commercial extension available from CS-SI. Please check the Corporate Modules page for more information.

Prelude-Import is a tool whose purpose is to import data from applications that report events in a specific format. It can also be used to emit alerts from a security shell script.

As of now, three different alert formats are supported:
  • IDMEF XML: Import IDMEF-XML and convert it to the native Prelude-IDMEF format.
  • Nessus XML: Import Nessus vulnerability scan XML report.
  • IDMEF Object: A Prelude-specific textual IDMEF format, very handy for writing events by hand.

Importation options

  • --dry-run - Print the result without sending the data.
  • --verbose (-v) - Print information regarding what is done.
  • --format - Force the input to be interpreted using the specified format.
  • --text-output - Dump the imported events to the specified file.

Please check prelude-import --help output for more options.

Importing data

Prelude-Import will automatically probe the type of each file you provide on the command line and use the appropriate plugin to import it. Here is the command to use in order to import a file, or a set of files:

 prelude-import <file1> <file2> <fileN>

You might also specify - to read from stdin, but it then becomes mandatory to specify the input format manually using the --format command line option, since there is no file to probe.

IDMEF XML file importation Example

Prelude-Import comes with a set of test files. Here we're going to import idmef-example-12.xml, which contains a heartbeat. Since the -v (verbose) argument is provided, Prelude-Import will print information on each imported IDMEF attribute. The generated event won't be sent since the --dry-run option was specified.

$ prelude-import -v --dry-run tests/idmef-xml/idmef-example-12.xml

Using 'idmef-xml' to handle 'tests/idmef-xml/idmef-example-12.xml':
        Created path heartbeat.messageid=abc123456789
        Created path heartbeat.analyzer(0).analyzerid=hq-dmz-analyzer01
        Created path heartbeat.analyzer(0).node.category=dns
        Created path heartbeat.analyzer(0).node.location=Headquarters DMZ Network
        Created path heartbeat.analyzer(0).node.name=analyzer01.example.com
        Created path heartbeat.create_time=0xbc722ebe.0x00000000
        Created path heartbeat.additional_data(0).type=real
        Created path heartbeat.additional_data(0).meaning=%memused
        Created path heartbeat.additional_data(0).data=62.5
        Created path heartbeat.additional_data(1).type=real
        Created path heartbeat.additional_data(1).meaning=%diskused
        Created path heartbeat.additional_data(1).data=87.1

Importing Nessus Vulnerability assessment

Using Prelude-Import, you can also generate events for every vulnerability reported by the Nessus vulnerability scanner. Nessus data might be used to warn the analyst about a new machine property (a new port opened or closed), and to regularly check and issue alerts when new vulnerabilities are found by Nessus.

yoann@arwen ~/dev/prelude/svk/branches/private/prelude-import $ ~/dev/prelude/bin/bin/prelude-import -v --dry-run tests/nessus-xml/nessus.xml

Using 'nessus-xml' to handle 'tests/nessus-xml/nessus.xml':
        Created path alert.analyzer(0).version
        Created path alert.analyzer(0).node.name
        Created path alert.analyzer(0).ostype
        Created path alert.analyzer(0).osversion
        Created path alert.detect_time
        Created path alert.source(0).node.address(0).address
        Created path alert.source(0).user.category
        Created path alert.source(0).user.user_id(0).name
        Created path alert.source(0).user.user_id(0).type
        Created path alert.target(0).node.name
        Created path alert.target(0).node.address(0).address
        Created path alert.target(0).service.port
        Created path alert.target(0).service.name
        Created path alert.source(0).spoofed
        Created path alert.assessment.confidence.rating
        Created path alert.assessment.impact.completion
        Created path alert.classification.text
        Sending IDMEF message.

        Created path alert.target(0).service.port
        Created path alert.target(0).service.name
        Created path alert.source(0).spoofed
        Created path alert.assessment.confidence.rating
        Created path alert.assessment.impact.completion
        Created path alert.classification.text
        Sending IDMEF message.

        Created path alert.target(0).service.port
        Created path alert.target(0).service.name
        Created path alert.source(0).spoofed
        Created path alert.assessment.confidence.rating
        Created path alert.assessment.impact.completion
        Created path alert.classification.text
        Sending IDMEF message.

        Created path alert.target(0).service.port
        Created path alert.target(0).service.name
        Created path alert.source(0).spoofed
        Created path alert.assessment.confidence.rating
        Created path alert.assessment.impact.completion
        Created path alert.classification.text
        Sending IDMEF message.

        [snip]

Generating events from the shell

Using Prelude's internal IDMEF-object format (one "path = value" line per IDMEF attribute), it is trivial to generate events from a security shell script. Here is an example:

$ echo " 
> alert.messageid = blah
> alert.classification.text=This is an event generated from the shell
> " | ~/dev/prelude/bin/bin/prelude-import -v --dry-run --format idmef-object -

Using 'idmef-object' to handle '-':
        Created object alert.messageid=blah
        Created object alert.classification.text=This is an event generated from the shell
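As an added example (not code from the Prelude-Import page or project), here is a small POSIX shell script that turns a baseline check into IDMEF-object alerts and feeds each one to prelude-import, using the --format, --dry-run and -v options described above. It assumes prelude-import is on PATH (override with PRELUDE_IMPORT), that one message is piped per invocation as in the example above, and that the target and assessment paths (alert.target(0).node.name, alert.assessment.impact.severity) follow the same IDMEF path tree the Nessus output shows. The baseline and current SUID lists are constructed sample input.

```sh
#!/bin/sh
# Added example, not part of the Prelude-Import page or project.
# Builds IDMEF-object alerts ("path = value" lines) from a SUID baseline
# check and hands them to prelude-import one message per run.
# Assumptions: prelude-import is on PATH (override with $PRELUDE_IMPORT);
# target/assessment path names follow the IDMEF tree shown on the page.

# Print one IDMEF-object alert on stdout.
# $1 message id, $2 classification text, $3 target node name, $4 severity
idmef_object_alert() {
    printf 'alert.messageid = %s\n' "$1"
    printf 'alert.classification.text = %s\n' "$2"
    printf 'alert.target(0).node.name = %s\n' "$3"
    printf 'alert.assessment.impact.severity = %s\n' "$4"
}

# Print the paths present in the current list ($2) but absent from the
# baseline ($1). One path per line; grep -vxF does whole-line matching.
# grep exits 1 when nothing is new, which is not an error here.
new_suid_paths() {
    grep -vxF -f "$1" "$2" || :
}

# Print every alert for the new paths, separated by blank lines
# (the same text you would get with --text-output before sending).
# $1 baseline file, $2 current file, $3 node name
build_suid_alerts() {
    new_suid_paths "$1" "$2" | while IFS= read -r path; do
        # stable message id derived from the path: /opt/app/x -> suid-opt-app-x
        id="suid-$(printf '%s' "${path#/}" | tr -c 'A-Za-z0-9' '-')"
        idmef_object_alert "$id" "New SUID binary detected: $path" "$3" medium
        echo
    done
}

# Feed each alert to prelude-import as a separate IDMEF-object message.
# Drop --dry-run to actually send to prelude-manager.
report_new_suid() {
    new_suid_paths "$1" "$2" | while IFS= read -r path; do
        id="suid-$(printf '%s' "${path#/}" | tr -c 'A-Za-z0-9' '-')"
        idmef_object_alert "$id" "New SUID binary detected: $path" "$3" medium |
            "${PRELUDE_IMPORT:-prelude-import}" -v --dry-run --format idmef-object -
    done
}

# Demo with constructed sample lists; run as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    printf '/usr/bin/passwd\n/usr/bin/su\n' > "$tmp/baseline"
    printf '/opt/app/bin/helper\n/usr/bin/passwd\n/usr/bin/su\n' > "$tmp/current"
    build_suid_alerts "$tmp/baseline" "$tmp/current" "$(uname -n)"
    rm -rf "$tmp"
fi
```

In a real job the current list would come from something like `find / -perm -4000 -type f | sort` and the baseline from a previous, reviewed run; keeping the message id stable per path lets the manager correlate repeated reports of the same binary.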