[prelude-user] relaying towards 2 managers

Yoann Vandoorselaere yoann.v at prelude-ids.com
Mon Jan 28 11:18:37 CET 2008


Hi,

On Wednesday, 23 January 2008 at 10:51 +0100, raymond durand wrote:
> Dear all,
> 
> Context:
> I am trying to relay IDMEF alerts towards 2 managers ("manager 2" and
> "manager 3") through a relay ("manager 1") directly linked to a sensor
> prelude-lml.
> 
> I'd like to relay IDMEF alerts using IDMEF filtering criteria to 2 different
> managers.
> 
> I use relaying (not reverse-relaying).
> 

[...]

> Problem:
> Only the 1st Manager declared in the "prelude-manager.conf" of "Manager 1"
> (the relay) receives the IDMEF alerts according to my IDMEF filter:
> - if "Manager 2" is declared 1st and "Manager 3" 2nd, only "Manager 2" receives
> IDMEF alerts according to my IDMEF filter.
> - if I switch the order of declaration (I declare "Manager 3" 1st in
> [idmef-criteria]), then only "Manager 3" receives the IDMEF alerts according
> to my IDMEF filter.
> 
> Questions:
> 1/is it possible to have this kind of configuration?
> 2/if yes, how can I proceed to have 2 "Managers" receiving IDMEF alerts from
> the same "Manager Relay"?

I just fixed a bug where relaying to different managers using multiple
plugin instances would result in all the events being relayed to the
first instance of the plugin.

You might want to apply the following patch:
https://trac.prelude-ids.org/changeset/10134


> 3/can we do IDMEF filtering with "reverse-relaying" and how?

You might use the "reverse-relaying" filtering plugin hook, but the
filter will be global to every child manager (you cannot pick out a
single child manager as of this writing).


Regards,

-- 
Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58                  Fax: +33(0)4 78 42 21 58
http://www.prelude-ids.com