Prelude Import
Prelude-Import is a commercial extension available from CS-SI. Please check the Corporate Modules page for more information.
Prelude-Import is a tool whose purpose is to import data from applications that report events in a specific format. It can also be used to emit alerts from a security shell script.
As of now, three different alert formats are supported:
- IDMEF XML: Import IDMEF-XML and convert it to the native Prelude-IDMEF format.
- Nessus XML: Import Nessus vulnerability scan XML report.
- IDMEF Object: A Prelude specific IDMEF format, very handy for textual representation.
Import options
- --dry-run: Print the result without sending the data.
- --verbose (-v): Print information regarding what is done.
- --format: Force the input to be interpreted using the specified format.
- --text-output: Dump the imported events to the specified file.
Please check prelude-import --help output for more options.
Importing data
Prelude-Import will automatically probe the type of each file you provide on the command line, and use the appropriate plugin to import it. Here is the command to use in order to import a file, or a set of files:
prelude-import <file1> <file2> <fileN>
You might also specify - for stdin, but it then becomes mandatory to specify the input format manually using the --format command line option.
IDMEF XML file import example
Prelude-Import comes with a set of test files. Here we're going to import idmef-example-12.xml, which contains a heartbeat. Since the -v (verbose) argument is provided, Prelude-Import will print information on each imported IDMEF attribute. The generated event won't be sent since the --dry-run option was specified.
$ prelude-import -v --dry-run tests/idmef-xml/idmef-example-12.xml
Using 'idmef-xml' to handle 'tests/idmef-xml/idmef-example-12.xml':
Created path heartbeat.messageid=abc123456789
Created path heartbeat.analyzer(0).analyzerid=hq-dmz-analyzer01
Created path heartbeat.analyzer(0).node.category=dns
Created path heartbeat.analyzer(0).node.location=Headquarters DMZ Network
Created path heartbeat.analyzer(0).node.name=analyzer01.example.com
Created path heartbeat.create_time=0xbc722ebe.0x00000000
Created path heartbeat.additional_data(0).type=real
Created path heartbeat.additional_data(0).meaning=%memused
Created path heartbeat.additional_data(0).data=62.5
Created path heartbeat.additional_data(1).type=real
Created path heartbeat.additional_data(1).meaning=%diskused
Created path heartbeat.additional_data(1).data=87.1
Importing a Nessus vulnerability assessment
Using Prelude-Import, you can also generate events for every vulnerability reported by the Nessus vulnerability scanner. Nessus data might be used to warn the analyst about a new machine property (a port newly opened or closed), and to regularly check and issue alerts when new vulnerabilities are found by Nessus.
yoann@arwen ~/dev/prelude/svk/branches/private/prelude-import $ ~/dev/prelude/bin/bin/prelude-import -v --dry-run tests/nessus-xml/nessus.xml
Using 'nessus-xml' to handle 'tests/nessus-xml/nessus.xml':
Created path alert.analyzer(0).version
Created path alert.analyzer(0).node.name
Created path alert.analyzer(0).ostype
Created path alert.analyzer(0).osversion
Created path alert.detect_time
Created path alert.source(0).node.address(0).address
Created path alert.source(0).user.category
Created path alert.source(0).user.user_id(0).name
Created path alert.source(0).user.user_id(0).type
Created path alert.target(0).node.name
Created path alert.target(0).node.address(0).address
Created path alert.target(0).service.port
Created path alert.target(0).service.name
Created path alert.source(0).spoofed
Created path alert.assessment.confidence.rating
Created path alert.assessment.impact.completion
Created path alert.classification.text
Sending IDMEF message.
Created path alert.target(0).service.port
Created path alert.target(0).service.name
Created path alert.source(0).spoofed
Created path alert.assessment.confidence.rating
Created path alert.assessment.impact.completion
Created path alert.classification.text
Sending IDMEF message.
Created path alert.target(0).service.port
Created path alert.target(0).service.name
Created path alert.source(0).spoofed
Created path alert.assessment.confidence.rating
Created path alert.assessment.impact.completion
Created path alert.classification.text
Sending IDMEF message.
Created path alert.target(0).service.port
Created path alert.target(0).service.name
Created path alert.source(0).spoofed
Created path alert.assessment.confidence.rating
Created path alert.assessment.impact.completion
Created path alert.classification.text
Sending IDMEF message.
[snip]
Generating events from the shell
Using the IDMEF-object Prelude internal format, it is trivial to generate events from a security shell script.
Here is an example:
$ echo "
> alert.messageid = blah
> alert.classification.text=This is an event generated from the shell
> " | ~/dev/prelude/bin/bin/prelude-import -v --dry-run --format idmef-object -
Using 'idmef-object' to handle '-':
Created object alert.messageid=blah
Created object alert.classification.text=This is an event generated from the shell
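The echo above is fine interactively, but a monitoring script usually fills the paths from variables. The following shell helper is an added example, not code from the Prelude-Import documentation: it builds the IDMEF-object lines for one alert and pipes them to prelude-import with the options shown on this page (--dry-run, --format idmef-object, - for stdin). The function names (clean_value, emit_alert), the message-id scheme and the sample addresses are assumptions of this example. Because the format is one path=value pair per line, a value that contains a newline would be read as a second, bogus path, so the helper squashes newlines before emitting.

```shell
#!/bin/sh
# Added example, not from the Prelude-Import documentation: build an
# IDMEF-object message in the shell and hand it to prelude-import.
# Only prelude-import options shown on the page are used; the helper
# names and the sample values are our own.

# The IDMEF-object format is line-oriented (path=value per line), so a
# value carrying a newline or carriage return would start a new path.
# Replace those characters with spaces before the value is emitted.
clean_value() {
    printf '%s' "$1" | tr '\r\n' '  '
}

# emit_alert MSGID CLASSIFICATION SRC_ADDR DST_ADDR [DST_PORT]
# Prints the IDMEF-object lines for one alert on stdout. The paths are
# standard IDMEF attribute paths; the message-id value is whatever the
# caller chooses.
emit_alert() {
    printf 'alert.messageid=%s\n' "$(clean_value "$1")"
    printf 'alert.classification.text=%s\n' "$(clean_value "$2")"
    printf 'alert.source(0).node.address(0).address=%s\n' "$(clean_value "$3")"
    printf 'alert.target(0).node.address(0).address=%s\n' "$(clean_value "$4")"
    # the port is optional: omit the path rather than emit an empty value
    if [ -n "${5:-}" ]; then
        printf 'alert.target(0).service.port=%s\n' "$(clean_value "$5")"
    fi
}

# Usage from a script (constructed sample values; 192.0.2.0/24 is the
# RFC 5737 documentation range). The import step only runs when
# prelude-import is installed; --dry-run prints the event instead of
# sending it, so it is a safe way to check the generated paths.
if command -v prelude-import >/dev/null 2>&1; then
    emit_alert "shell-$(date +%s)-$$" "Failed login burst" 192.0.2.10 192.0.2.20 22 \
        | prelude-import -v --dry-run --format idmef-object -
fi
```

Drop --dry-run once the paths look right in the verbose output, and the same pipeline sends the event to the manager.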