[Prelude-correlator] How to indicate prelude-correlator where to find rules?

Added by Steven Shawn over 5 years ago

Hello,

I'm new to Prelude, and I managed to deploy a simple system composed of two computers (A and B). A is a sensor that sends alerts to B's prelude-manager instance. I created a simple rule placed at /etc/prelude-correlator/rules/MyPlugin.py. I have extracted the code from Prelude's official documentation:

from preludecorrelator.pluginmanager import Plugin

print("*** Any global initialization code goes here")


class MyPlugin(Plugin):

    def run(self, idmef):
        print("*** This function is going to be called when Prelude-Correlator receives an IDMEF event")

I correctly launched the prelude-manager and prelude-correlator instances, and they perform the TLS verification. When I sent an event from the sensor, the prelude-manager received it correctly and stored it in the DB. I sniffed the communication with tcpdump and I can see that after the prelude-manager receives the whole event from A, it then starts a communication with itself (I suppose it is the prelude-manager sending the events to the prelude-correlator). But it seems that the MyPlugin rule is not being executed; at least I can't see any output.

prelude-correlator 
07 Feb 15:08:49 prelude-correlator (process:4450) INFO: [BusinessHourPlugin]: disabled on user request
07 Feb 15:08:49 prelude-correlator (process:4450) INFO: [FirewallPlugin]: disabled on user request
07 Feb 15:08:49 prelude-correlator (process:4450) WARNING: SpamhausDropPlugin = PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin: No module named netaddr
07 Feb 15:08:49 prelude-correlator (process:4450) INFO: [DshieldPlugin]: Downloading host list, this might take some time...
07 Feb 15:08:49 prelude-correlator (process:4450) WARNING: [DshieldPlugin]: exception occurred while loading: Could not download DShield host list, error 301
07 Feb 15:08:49 prelude-correlator (process:4450) INFO: 6 plugin have been loaded.
07 Feb 15:08:49 prelude-correlator (process:4450) INFO: Connecting to <prelude-manager_ip>:4690 prelude Manager server.
07 Feb 15:08:49 prelude-correlator (process:4450) INFO: TLS authentication succeed with Prelude Manager.

I registered the prelude-correlator with idmef:rw permissions.

My prelude-correlator.conf config file is:

# This is a template configuration file for prelude-correlator
#

[include](!) 
include = /etc/prelude/default/idmef-client.conf

[MyPlugin](!) 
disable = false

# [BruteForcePlugin]
# disable = false
#

# Disable BusinessHour correlation by default since it is very verbose
[BusinessHourPlugin]
disable = true

#
# [OpenSSHAuthPlugin]
# disable = false
#
# [EventScanPlugin]
# disable = false
#
# [EventStormPlugin]
# disable = false
#
# [EventSweepPlugin]
# disable = false
#
# [WormPlugin]
# disable = false
# repeat-target = 5
#
# [DshieldPlugin]
# disable = false
#
# How often the Dshield database should be reloaded (download + reload)
# (default: once a week). 0 to disable reloading.
# reload  = 604800
#
# The server address where the Dshield database is loaded from:
# server  = www.dshield.org
#
# URI used to retrive the dshield database:
# uri     = /ipsascii.html?limit=10000
#
# Define the maximum allowed time for downloading the database
# (only work with Python >= 2.6, default is 10 seconds)
# timeout = 10

# This plugin will report CorrelationAlert for events / sets of events
# that appear to have passed through a firewall known to protect the
# target machine.
#
# If no firewall ever emit block concerning a given host, then this host
# is considered un-protected, and there is no point in reporting
# CorrelationAlert.
#
# The 'flush-protected-hosts' variable allow you to define how much
# time a given target hosts should be considered as protected when a
# firewall drop is noticed for this machine.
#
# The plugin is disabled by default since it tend to be very verbose

[FirewallPlugin]
disable = True
flush-protected-hosts = 3600

[python_rules](!) 
# Python rules folder
paths = /etc/prelude-correlator/rules

##
# Logging configuration might also be defined in this file:
# http://docs.python.org/library/logging.html

The fields marked with ( ! ) are the ones I added. But I can't figure out the correct way to tell prelude-correlator where to find the rules to be used. I read the documentation and I don't see any reference to it.

Thank you for your help
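
An offline harness for exercising a rule file like the MyPlugin above, added here as an example; it is not part of the original post and not prelude-correlator's own code. It assumes the rules directory comes from a `[python_rules]` `paths` setting (colon-separated, an assumption) and installs a stub `preludecorrelator.pluginmanager` module, so the rule's import resolves without the correlator being installed; the `Plugin` base class here is a stand-in that only provides `run()`.

```python
import configparser, importlib.util, logging, os, pathlib, sys, tempfile, types

class Plugin:
    """Stand-in for preludecorrelator.pluginmanager.Plugin (assumed: only run() matters)."""
    def run(self, idmef):
        raise NotImplementedError

def install_stub():
    """Register a fake preludecorrelator.pluginmanager so a rule's import resolves offline."""
    pkg, mgr = types.ModuleType("preludecorrelator"), types.ModuleType("preludecorrelator.pluginmanager")
    mgr.Plugin, pkg.pluginmanager = Plugin, mgr
    sys.modules["preludecorrelator"], sys.modules["preludecorrelator.pluginmanager"] = pkg, mgr

def load_rules(config_text):
    """Import every *.py under [python_rules] paths (assumed ':'-separated) and instantiate its Plugin subclasses."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    plugins = []
    for path in (p.strip() for p in cfg.get("python_rules", "paths", fallback="").split(":") if p.strip()):
        for name in sorted(f for f in os.listdir(path) if f.endswith(".py")):
            spec = importlib.util.spec_from_file_location(name[:-3], os.path.join(path, name))
            mod = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(mod)          # runs the rule's module-level code
            plugins += [c() for c in vars(mod).values()
                        if isinstance(c, type) and issubclass(c, Plugin) and c is not Plugin]
    return plugins

def dispatch(plugins, idmef):
    """Feed one event to every rule; return the names of rules that ran without raising."""
    ran = []
    for p in plugins:
        try:
            p.run(idmef)
            ran.append(type(p).__name__)
        except Exception:                         # a broken rule must not stop the others
            logging.getLogger("rules-harness").exception("rule %s failed", type(p).__name__)
    return ran

# Constructed copy of the rule from the post, reading one field of the event it receives.
RULE = '''from preludecorrelator.pluginmanager import Plugin
class MyPlugin(Plugin):
    def run(self, idmef):
        print("*** called for", idmef["alert.classification.text"])'''

def demo():
    """Write RULE to a temp rules dir, point [python_rules] paths at it, dispatch one constructed event."""
    install_stub()
    with tempfile.TemporaryDirectory() as rules_dir:
        pathlib.Path(rules_dir, "MyPlugin.py").write_text(RULE)
        plugins = load_rules("[python_rules]\npaths = %s\n" % rules_dir)
        return dispatch(plugins, {"alert.classification.text": "constructed test alert"})
```

Running `demo()` loads the rule from the configured directory and returns `["MyPlugin"]`, which confirms the rule file itself imports and runs before looking for the problem in the correlator's configuration.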


Replies (6)

RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Antoine LUONG over 5 years ago

Hello,

What version of prelude-correlator are you using?

Regards

RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Steven Shawn over 5 years ago

Antoine LUONG wrote:

Hello,

What version of prelude-correlator are you using?

Regards

The output of prelude-correlator --version says

prelude-correlator 1.0.0

Regards

RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Antoine LUONG over 5 years ago

This version is not supported anymore. Please upgrade to the latest version available on your distribution.

Regards

RE: [Prelude-correlator] How to indicate prelude-correlator where to find rules? - Added by Steven Shawn over 5 years ago

Antoine LUONG wrote:

This version is not supported anymore. Please upgrade to the latest version available on your distribution.

Regards

Thank you for your quick reply. Once updated, when I tried to start it, it says:

pkg_resources.DistributionNotFound: The 'prelude>=5.0.0' distribution was not found and is required by prelude-correlator

Which prelude is it talking about? Prelude-manager? Libprelude?...

Regards
