[prelude-user] relaying towards 2 managers

raymond durand secalf at gmail.com
Mon Jan 28 16:29:36 CET 2008


Hi Yoann, all,

2008/1/28, Yoann Vandoorselaere <yoann.v at prelude-ids.com>:
>
> Hi,
>
> On Wednesday 23 January 2008 at 10:51 +0100, raymond durand wrote:
>
> > Dear all,
> >
> > Context:
> > I am trying to relay IDMEF alerts towards 2 managers ("manager 2" and
> > "manager 3") through a relay ("manager 1") directly linked to a sensor
> > prelude-lml.
> >
> > I'd like to relay IDMEF alerts using IDMEF filtering criteria to 2
> > different managers.
> >
> > I use relaying (not reverse-relaying).
> >
>
>
> [...]
>
>
> > Problem:
> > Only the 1st Manager declared in the "prelude-manager.conf" of "Manager
> > 1" (the relay) receives the IDMEF alerts according to my IDMEF filter:
> > - if "Manager 2" is declared 1st and "Manager 3" 2nd, it only receives
> > IDMEF alerts according to my IDMEF filter.
> > - if I switch the order of declaration (I declare "Manager 3" 1st in
> > [idmef-criteria]), then only "Manager 3" receives the IDMEF alerts
> > according to my IDMEF filter.
> >
> > Questions:
> > 1/ is it possible to have this kind of configuration?
> > 2/ if yes, how can I proceed to have 2 "Managers" receiving IDMEF alerts
> > from the same "Manager Relay"?
>
>
> I just fixed a bug where relaying to different managers using multiple
> plugin instances would result in all the events being relayed to the
> first instance of the plugin.
>
> You might want to apply the following patch:
> https://trac.prelude-ids.org/changeset/10134


We've just tested it and that works fine! Relaying different alerts to 2
managers is now OK.
Thanks!

We suppose it will be included in the next release of prelude-manager.

> > 3/ can we do IDMEF filtering with "reverse-relaying" and how?
>
>
> You might use the "reverse-relaying" filtering plugin hook, but the
> filter will be global to every child manager (you cannot pick out a
> single child manager as of this writing).


Ok.

Another question we have: is there a way to load/change IDMEF criteria
filtering options "dynamically"?
Thanks,

Best regards,

Raymond