Feature #128
Prelude integration within SEC
Description
Following the recent discussion about integrating correlation capability
in Prelude using the SEC program, which would currently consist of:
Prelude-Manager(XMLmod) -> SEC(logfile) -> Prelude-LML -> Prelude-Manager
I thought that we should rather try to get it done right the first time rather than settling for the hack described above. I talked with Rob Holland from Inverse Path (Perl coder and Prelude contributor) about integrating Prelude support directly within SEC.
The integration is going to be done in two steps:
1. Integrate Prelude-like reporting capability within SEC, so that it can directly report alerts to Prelude. This way, the schema above will be changed to:
Prelude-Manager (XMLmod) -> SEC -> Prelude-Manager
2. Implement the ability in SEC to directly match IDMEF messages. This will change the schema above to:
Prelude-Manager <-> SEC
We hope that the result of this effort will then be included in the vanilla SEC distribution. Please post any thoughts or comments about the upcoming Prelude integration within the SEC program here.
History
#1 Updated by over 17 years ago
To try it out:
tigger@fuse ~/sec-2.3.2 $ cat sec.conf
type=single
ptype=regexp
pattern=pid (\d+)
desc=alert.classification.text=eek pid $1!
action=prelude
Not tested anything more complicated than that. Figuring Gene can come up with something to test with.
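As an added illustration (not SEC's code and not part of the comment above), the following Python simulates what that sec.conf rule does on a single log line: it parses the key=value rule block, applies the regexp, expands $1 into desc, and splits desc into the IDMEF path and value that action=prelude would hand to Prelude. The sample log line and the reading of desc as an "idmef.path=value" pair are assumptions drawn from the rule as posted.

```python
import re

# Constructed copy of the sec.conf shown in the comment (raw string keeps \d intact).
SEC_CONF = r"""
type=single
ptype=regexp
pattern=pid (\d+)
desc=alert.classification.text=eek pid $1!
action=prelude
"""

def parse_rules(text):
    """Parse SEC-style rule blocks: key=value lines, blank line between rules."""
    rules, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if current:
                rules.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")   # desc itself contains '=', so split once
        current[key.strip()] = value.strip()
    if current:
        rules.append(current)
    return rules

def match_rule(rule, logline):
    """Apply a type=single / ptype=regexp rule; return the expanded desc or None."""
    if rule.get("type") != "single" or rule.get("ptype") != "regexp":
        return None
    m = re.search(rule["pattern"], logline)
    if not m:
        return None
    # SEC substitutes $0 with the whole match and $1..$N with capture groups.
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), rule["desc"])

def idmef_field(desc):
    """Split 'idmef.path=value' (assumed desc format for action=prelude) into a pair."""
    path, sep, value = desc.partition("=")
    if not sep:
        raise ValueError("desc is not an idmef.path=value pair: %r" % desc)
    return path.strip(), value.strip()

if __name__ == "__main__":
    rule = parse_rules(SEC_CONF)[0]
    # Constructed sample log line; the rule only needs 'pid <number>' to appear.
    desc = match_rule(rule, "Jan  1 00:00:00 fuse sshd[1234]: pid 1234 started")
    print(idmef_field(desc))
```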
#2 Updated by over 17 years ago
Does this just use the default profile definition for locating prelude-manager? Is the sensor name "sec"?
#3 Updated by over 17 years ago
The initial run of this looks good. I'll do more in-depth testing in a few days.
#4 Updated by Yoann VANDOORSELAERE over 17 years ago
For about one week now, an important albeit unnoticed correlation effort has been going on. The outcome of this work (in progress, but already working and robust) is available in the Prelude SVN repository SEC module http://svn.prelude-ids.org/trunk/sec.
We are very much looking for people to contribute useful correlation rules at this stage.
More information in the mailing list post.
#5 Updated by over 17 years ago
Hi ya,
I see the following messages in Prewikka
Correlation Alert (0 alert): No firewall drop reported Invalid analyzerid:messageid pair: 2117355582141255:164354103824
I'm using the latest 'sec' from SVN.
Is this normal?
Regards,
Robin
#6 Updated by over 17 years ago
Robin,
The analyzerid:messageid pair should point to a valid Prelude alert. There may be an error in the way the rule that generates this correlated event is put together, or Prewikka may not be able to find the matching event.
Is there any reason why an event would not make its way into your Prelude database alongside these correlated alerts? Do you possibly have a prelude-manager filter for database commit?
- Ramon
#7 Updated by over 17 years ago
Ramon,
At the moment I don't have any filters for our prelude-manager. When I disable the SEC application, everything works fine. Of course I don't get any Correlation Alerts.
Is there a way to get more output from the Sec application? (Input/Output)
#8 Updated by Yoann VANDOORSELAERE over 17 years ago
- Status changed from New to Closed
- Resolution set to fixed
Closing this bug since SEC is now deprecated and replaced with the prelude-correlator module.
#9 Updated by Yoann VANDOORSELAERE over 14 years ago
- Project changed from PRELUDE SIEM to Prelude Correlator