Filtering Plugins

Before setting up Filtering Plugins, you might want to have a look at the following documentation:

IDMEF Criteria Filtering Plugin

Filtering events

The idmef-criteria filtering plugin allows you to filter events based on specific IDMEF criteria. A filtering plugin can be used to decide whether a specific action (the hooked plugin) should be taken on an event.

   prelude-manager --idmef-criteria --rule 'alert.classification.text == User login successful' --rule 'alert.assessment.impact.severity == high' --hook relaying[default]

or from the configuration file:

[idmef-criteria]
rule = alert.classification.text == User login successful
rule = alert.assessment.impact.severity == high
hook = relaying[default]

This forwards any event that matches the defined criteria to the default instance of the relaying reporting plugin.
The rule argument may also be a filename containing the rules.

Thresholding Filtering Plugin

Event Suppression and Thresholding

The thresholding filtering plugin allows you to suppress events based on their content.

   prelude-manager --thresholding --path 'alert.classification.text,alert.source.node.address.address' --limit 3600 --count 1 --hook relaying[default]

or from the configuration file:

[thresholding]
path = alert.classification.text, alert.source.node.address.address
limit = 3600
count = 1
hook = relaying[default]

This forwards one event for each unique combination of alert.classification.text and alert.source.node.address.address values to the default instance of the relaying reporting plugin. Further events with the same value combination are suppressed for 3600 seconds.

   prelude-manager --thresholding --path 'alert.classification.text,alert.source.node.address.address' --threshold 3600 --count 10 --hook relaying[default]

or from the configuration file:

[thresholding]
path = alert.classification.text, alert.source.node.address.address
threshold = 3600
count = 10
hook = relaying[default]

This forwards every tenth event seen within 3600 seconds for each unique combination of alert.classification.text and alert.source.node.address.address values to the default instance of the relaying reporting plugin.

You can also combine threshold and limit: once the threshold has been reached, further events with the same value combination are suppressed until the limit expires.

Stacking Filtering Plugins Together

The ability to stack plugins lets you build more complex behaviour out of the individual plugins. The example below shows how the IDMEF Criteria Filtering Plugin, the Thresholding Filtering Plugin and the SMTP Plugin can be combined (i.e. stacked) to enhance your reporting.

Example:

[smtp]
sender = prelude@mycompanyname.com
recipients = me@mycompanyname.com
smtp-server = mailserver.mycompanyname.com

[thresholding=sudotest]
path = alert.classification.text, alert.target(0).node.address(0).address
limit = 3600
count = 1
hook = smtp[default]

[idmef-criteria=sudotest]
rule = alert.classification.text == 'SUDO Command Executed'
hook = thresholding[sudotest]

In the above example, we have created an instance of the idmef-criteria plugin called 'sudotest'. It looks for 'SUDO Command Executed' in an IDMEF alert and, when it matches, passes the alert to the 'sudotest' instance of the Thresholding Plugin (this is configured via 'hook = thresholding[sudotest]').

The 'sudotest' instance of the Thresholding Plugin then keeps track of this 'SUDO Command Executed' text together with the target node's IP address. The count of 1, combined with the 3600-second limit, stops further messages matching those two values from being passed to the SMTP Plugin for one hour after one has been seen. After that period, a message with the same text and target node address generates another e-mail before being suppressed for one hour again. Note: this does not affect other plugins, such as the database, as that is not hooked in our example.

Finally, the e-mail is sent because the 'sudotest' instance of the thresholding plugin hooks the smtp[default] plugin.

In short, stacking the plugins in this example let us look for certain IDMEF criteria, e-mail when they match, and cap the number of e-mails generated for that match within a given time period.
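To make the limit, threshold and count semantics described above, and the stacked 'sudotest' chain, concrete, here is a small Python model that replays constructed alerts through them. It is an added illustration, not prelude-manager's own code: the Thresholding class, the flattened alert dictionaries, the timestamps and the IP addresses are all assumptions, and the fixed-start window it uses for 'threshold' is a simplification of the wiki's one-sentence description.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Thresholding:
    # Model (not prelude-manager's code): per key, 'count' events inside a
    # 'threshold'-second window forward one event; 'limit' then suppresses that key.
    count: int
    limit: Optional[int] = None
    threshold: Optional[int] = None
    _seen: dict = field(default_factory=dict)        # key -> (window_start, n)
    _suppressed: dict = field(default_factory=dict)  # key -> suppressed until

    def accept(self, key, now):
        """True if the event should be passed on to the hooked plugin."""
        if now < self._suppressed.get(key, now):       # still inside 'limit'
            return False
        self._suppressed.pop(key, None)
        start, n = self._seen.get(key, (now, 0))
        if self.threshold is not None and now - start >= self.threshold:
            start, n = now, 0                          # window expired: restart
        n += 1
        if n < self.count:
            self._seen[key] = (start, n)
            return False
        self._seen[key] = (now, 0)                     # count reached: forward
        if self.limit is not None:
            self._suppressed[key] = now + self.limit
        return True

# Constructed alerts, flattened to {idmef path: value}; timestamps in seconds.
SUDO = "SUDO Command Executed"
TGT = "alert.target(0).node.address(0).address"
EVENTS = [
    (0, {"alert.classification.text": SUDO, TGT: "10.0.0.5"}),
    (60, {"alert.classification.text": SUDO, TGT: "10.0.0.5"}),    # same key, inside limit
    (120, {"alert.classification.text": "User login successful", TGT: "10.0.0.5"}),
    (300, {"alert.classification.text": SUDO, TGT: "10.0.0.9"}),   # different target
    (3601, {"alert.classification.text": SUDO, TGT: "10.0.0.5"}),  # limit expired
]
def run_sudotest(events):
    """Replay criteria[sudotest] -> thresholding[sudotest] -> smtp; return e-mail times."""
    path = ("alert.classification.text", TGT)                # the 'path' option
    thr = Thresholding(count=1, limit=3600)
    sent = []
    for ts, alert in events:
        if alert.get("alert.classification.text") != SUDO:   # the 'rule ==' check
            continue
        if thr.accept(tuple(alert.get(p) for p in path), ts):  # thresholding[sudotest]
            sent.append(ts)                                    # hook = smtp[default]
    return sent                                                # -> [0, 300, 3601]
```

Instantiating Thresholding(count=10, threshold=3600) instead reproduces the "every tenth event" configuration, and adding limit=3600 to it the combined behaviour.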