[prelude-user] problems with prelude-manager's idmef-criteria and thresholding
Ryan Skorstad
ryan.skorstad at beatport.com
Wed Apr 1 00:46:08 CEST 2009
I am attempting to configure filters on my incoming events by setting up
idmef-criteria and thresholding in prelude-manager.conf.
My system is a Fedora 10 x86_64 box running prelude-manager-0.9.14.2-1
RPMs obtained from Fedora Koji.
Following the documentation here:
https://trac.prelude-ids.org/wiki/PreludeManager/FilteringPlugins
My prelude-manager.conf file looks like this:
-----
include = /etc/prelude/default/global.conf
listen = 10.0.0.10
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = password
[idmef-criteria=bittorrent]
rule = alert.classification.text == 'P2P BitTorrent transfer'
hook = thresholding[bittorrent]
[thresholding=bittorrent]
path = alert.classification.text, alert.target(0).node.address(0).address
threshold = 1
seconds = 3600
hook = db
-----
My /etc/prelude/default/global.conf file only specifies the node-name
and node-location.
When I try to start prelude-manager, I get these errors:
/etc/prelude-manager/prelude-manager.conf:19: invalid option "seconds"
in "global" section.
/etc/prelude-manager/prelude-manager.conf:20: invalid option "hook" in
"global" section.
Also, the documentation states that the syntax should be
'[idmef-criteria-filter=bittorrent]' but when I use that I get even more
errors like the ones above. Switching back to '[idmef-criteria]' seems
to make it complain less.
What am I doing wrong? Am I missing a section definition somewhere?
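A small linter for this config layout, added here as an example; it is not the poster's code and not part of prelude-manager. It parses the `[name]` / `[plugin=instance]` section syntax the post uses, checks each option against a per-section option table (assumed from the options that appear in the posted config and the FilteringPlugins page, not prelude-manager's real option list), and checks that any IDMEF path in a `path` or `rule` value starts at `alert.` or `heartbeat.`. The sample config is constructed, with one deliberately mistyped path (`lert.` for `alert.`) to exercise the path check. The way an unrecognised section header makes its options fall through to "global" is an assumed model of how the "invalid option ... in "global" section" message can arise, not a statement about prelude-manager's parser; the second run shows what that model reports when the `thresholding` section is unknown to the build.

```python
import re

# Option schema assumed from the options that appear in the posted
# prelude-manager.conf and the FilteringPlugins wiki page.  This is an
# assumption made for the example, not prelude-manager's real option table.
KNOWN_OPTIONS = {
    "global": {"include", "listen"},
    "db": {"type", "host", "port", "name", "user", "pass"},
    "idmef-criteria": {"rule", "hook"},
    "thresholding": {"path", "threshold", "seconds", "hook"},
}

# Options whose values contain IDMEF paths or criteria.  Every dotted path
# has to start at a top-level IDMEF message class.
PATH_OPTIONS = {"path", "rule"}
IDMEF_ROOTS = ("alert.", "heartbeat.")

SECTION_RE = re.compile(r"^\[\s*([^=\]]+?)\s*(?:=\s*([^\]]*?)\s*)?\]$")
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.()]*")
QUOTED_RE = re.compile(r"'[^']*'|\"[^\"]*\"")


def lint_config(text, known=KNOWN_OPTIONS, filename="prelude-manager.conf"):
    """Return diagnostics for an INI-style prelude-manager config.

    Sections are written [name] or [plugin=instance].  A header whose plugin
    name is not in `known` is reported and does not open a section, so the
    options under it are checked against "global".  That fall-through is an
    assumed model of how an option gets reported in the wrong section; it is
    not a description of prelude-manager's own parser.
    """
    findings = []
    section = "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            if name in known:
                section = name
            else:
                section = "global"
                findings.append(f'{filename}:{lineno}: unknown section "{name}"')
            continue
        if "=" not in line:
            findings.append(f'{filename}:{lineno}: cannot parse "{line}"')
            continue
        opt, value = (part.strip() for part in line.split("=", 1))
        if opt not in known.get(section, set()):
            findings.append(
                f'{filename}:{lineno}: invalid option "{opt}" in "{section}" section'
            )
            continue
        if opt in PATH_OPTIONS:
            # Drop quoted string literals so dots inside them are not mistaken
            # for IDMEF path components.
            for tok in TOKEN_RE.findall(QUOTED_RE.sub("", value)):
                if "." in tok and not tok.startswith(IDMEF_ROOTS):
                    findings.append(
                        f'{filename}:{lineno}: "{tok}" is not rooted at alert. or heartbeat.'
                    )
    return findings


# Constructed sample config: the layout from the post, with one deliberately
# mistyped IDMEF path ("lert." for "alert.") to exercise the path check.
SAMPLE_CONFIG = """\
include = /etc/prelude/default/global.conf
listen = 10.0.0.10

[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = password

[idmef-criteria=bittorrent]
rule = alert.classification.text == 'P2P BitTorrent transfer'
hook = thresholding[bittorrent]

[thresholding=bittorrent]
path = alert.classification.text, lert.target(0).node.address(0).address
threshold = 1
seconds = 3600
hook = db
"""


def schema_without(plugin, known=KNOWN_OPTIONS):
    """Schema with one plugin section removed, to see where its options land."""
    return {name: opts for name, opts in known.items() if name != plugin}


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
    print("--- same file, checked against a build without the thresholding plugin ---")
    for finding in lint_config(SAMPLE_CONFIG, schema_without("thresholding")):
        print(finding)
```

Running it prints the mistyped path on line 17 of the sample; the second pass, with `thresholding` removed from the schema, reports the section header as unknown and every option beneath it as an invalid option in the "global" section. To use it on a real file, read the file into `text` and replace `KNOWN_OPTIONS` with the option names the installed plugins actually accept.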