Developing a Sensor Quickly
This page explains how to develop a sensor from scratch in C in about 10 minutes.
If you want more documentation on sensor development, please refer to the Building a Sensor page.
Source code
Note: this example uses an improved API available from libprelude 0.9.19 onwards. If you are using an earlier libprelude version, please have a look at the DevelAgentQuicklyOld page.
#include <libprelude/prelude.h>

#define ANALYZER_NAME "simple-analyzer"

int main(int argc, char **argv)
{
        int ret;
        prelude_client_t *client;
        idmef_message_t *idmef;

        /* Prelude init */
        ret = prelude_init(&argc, argv);
        if ( ret < 0 ) {
                prelude_perror(ret, "unable to initialize the prelude library");
                return -1;
        }

        /* Check the return code: client is left unset when this fails */
        ret = prelude_client_new(&client, ANALYZER_NAME);
        if ( ret < 0 ) {
                prelude_perror(ret, "Unable to create a prelude client object");
                return -1;
        }

        ret = prelude_client_start(client);
        if ( ret < 0 ) {
                prelude_perror(ret, "Unable to start prelude client");
                prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
                return -1;
        }

        /* IDMEF init */
        ret = idmef_message_new(&idmef);
        if ( ret < 0 ) {
                prelude_perror(ret, "Unable to create the IDMEF message");
                prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
                return -1;
        }

        /*
         * Fill the IDMEF message (note that error checking of each setter
         * should be performed in production code).
         */
        idmef_message_set_string(idmef, "alert.assessment.impact.description", "As you can see, this description is useless, because it is describing an event that isn't one!");
        idmef_message_set_string(idmef, "alert.assessment.impact.severity", "info");
        idmef_message_set_string(idmef, "alert.assessment.impact.completion", "succeeded");
        idmef_message_set_string(idmef, "alert.classification.text", "This alert was sent from the simplest analyzer ever");
        idmef_message_set_string(idmef, "alert.source(0).user(1)", "L'homme araignee");
        idmef_message_set_string(idmef, "alert.additional_data(0).type", "string");
        idmef_message_set_string(idmef, "alert.additional_data(0).meaning", "Signature ID");
        idmef_message_set_string(idmef, "alert.additional_data(0).data", "1");

        /* Send the alert to prelude-manager, then release everything */
        prelude_client_send_idmef(client, idmef);
        idmef_message_destroy(idmef);
        prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);

        return 0;
}
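The sensor above sets its eight fields without looking at the return values. The following helper is an added example, not code from this page or from libprelude: it fills a message from a table of (path, value) pairs, refuses values that the IDMEF Impact class does not allow for severity (info, low, medium, high) and completion (failed, succeeded), and stops at the first setter failure, reporting which field broke. So that it builds without libprelude, the setter is passed as a function pointer with the same shape as idmef_message_set_string(); in a real sensor you would pass idmef_message_set_string and the idmef_message_t pointer. All names here (idmef_setter_fn, idmef_field, idmef_field_is_valid, idmef_fill, fake_message, fake_set_string, the demo functions) are invented for the example, and fake_set_string is a constructed stand-in that counts calls and fails on an empty value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libprelude code: fill an IDMEF message from a table and
 * check every result. The setter is a function pointer shaped like
 * idmef_message_set_string() so this builds without libprelude; a real sensor
 * passes idmef_message_set_string and its idmef_message_t * as msg. */
typedef int (*idmef_setter_fn)(void *msg, const char *path, const char *value);

struct idmef_field {
    const char *path;
    const char *value;
};

/* Return 0 when value is acceptable for path, -1 otherwise. Only the two
 * enumerated Impact attributes the page sets are restricted; other paths pass. */
int idmef_field_is_valid(const char *path, const char *value)
{
    static const char *const severities[] = { "info", "low", "medium", "high" };
    static const char *const completions[] = { "failed", "succeeded" };
    const char *const *allowed;
    size_t i, n;
    if ( ! path || ! value )
        return -1;
    if ( strcmp(path, "alert.assessment.impact.severity") == 0 ) {
        allowed = severities;
        n = sizeof(severities) / sizeof(severities[0]);
    } else if ( strcmp(path, "alert.assessment.impact.completion") == 0 ) {
        allowed = completions;
        n = sizeof(completions) / sizeof(completions[0]);
    } else
        return 0;

    for ( i = 0; i < n; i++ )
        if ( strcmp(value, allowed[i]) == 0 )
            return 0;
    return -1;
}

/* Set each field in order. Returns the number of fields set on success; on the
 * first invalid value or negative setter result it stops and returns -(index+1)
 * so the caller can log exactly which field failed. */
int idmef_fill(idmef_setter_fn set, void *msg, const struct idmef_field *fields, size_t nfields)
{
    size_t i;
    for ( i = 0; i < nfields; i++ ) {
        if ( idmef_field_is_valid(fields[i].path, fields[i].value) < 0 )
            return -(int) (i + 1);
        if ( set(msg, fields[i].path, fields[i].value) < 0 )
            return -(int) (i + 1);
    }
    return (int) nfields;
}

/* Constructed stand-in for idmef_message_set_string(): counts successful calls
 * and fails on an empty value so the error path can be exercised. */
struct fake_message { int calls; };

int fake_set_string(void *msg, const char *path, const char *value)
{
    struct fake_message *m = msg;
    (void) path;
    if ( value[0] == '\0' )
        return -1;
    m->calls++;
    return 0;
}

/* The eight fields the page's sensor sets (description shortened). */
static const struct idmef_field page_fields[] = {
    { "alert.assessment.impact.description", "Example description" },
    { "alert.assessment.impact.severity", "info" },
    { "alert.assessment.impact.completion", "succeeded" },
    { "alert.classification.text", "This alert was sent from the simplest analyzer ever" },
    { "alert.source(0).user(1)", "L'homme araignee" },
    { "alert.additional_data(0).type", "string" },
    { "alert.additional_data(0).meaning", "Signature ID" },
    { "alert.additional_data(0).data", "1" },
};

/* All eight page fields go through: result 8. */
int demo_page_fields(void)
{
    struct fake_message m = { 0 };
    return idmef_fill(fake_set_string, &m, page_fields, sizeof(page_fields) / sizeof(page_fields[0]));
}

/* A severity outside the IDMEF set is refused before the setter runs; the
 * failing entry is index 1, so the result is -2. */
int demo_bad_severity(void)
{
    struct fake_message m = { 0 };
    const struct idmef_field bad[] = {
        { "alert.classification.text", "typo in severity" },
        { "alert.assessment.impact.severity", "urgent" },
    };
    return idmef_fill(fake_set_string, &m, bad, 2);
}
```

In the real sensor the negative return from idmef_fill() is the place to call prelude_perror() with the setter's error code and to destroy the message instead of sending a half-filled alert; validating severity and completion before the call keeps a typo in a sensor from producing alerts that prewikka and correlation rules cannot classify.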
Makefile
CC=gcc
CFLAGS=$(shell libprelude-config --cflags)
LDFLAGS=$(shell libprelude-config --libs)

all: prelude-simplest-sensor.c
	$(CC) prelude-simplest-sensor.c -o prelude-simplest-sensor $(CFLAGS) $(LDFLAGS)
Registration
If prelude-manager is running on localhost, run:
prelude-admin register simple-analyzer "idmef:w" localhost --uid 1000 --gid 1000
and in another terminal:
prelude-admin registration-server prelude-manager
Follow the instructions and your sensor will be registered.
See the result of your alert
- When you fire up prewikka, you will see a line containing what we specified as classification.text.
- When clicking on this alert, you can see a detailed view of your alert.
Enjoy!