[prelude-user] Prelude alert workflow

Paul Robert Marino prmarino1 at gmail.com
Thu Dec 3 02:50:29 CET 2009


Well, unfortunately you are not the first person to bring this up. 
And no, the ticket system, last I saw it, does not solve the problem you 
are asking about; however, that was well over two years ago.
The shortcoming is actually in the RFC for IDMEF that governs the 
alert format (http://www.rfc-editor.org/rfc/rfc4765.txt): there was 
no thought put into including operational workflow data in the alert. 
I've been debating for some time about trying to draft an addendum to 
the RFC, although I have not had time to write it yet and am unsure as to 
the process of how to get it adopted as a new RFC.

The simplest solution you can do is what I did: I altered the alerts in 
the database by adding additional data fields to the alert in the database 
which can be filtered on and viewed in Prewikka.
Unfortunately I cannot provide you with the scripts I wrote for this 
because they were integrated into a fast web interface I wrote against a 
specific, now obsolete version of Prelude-XLR with PostgreSQL for a 
former employer.
But if you understand SQL it's not very hard to do, because the tables are 
all linked by the alert ID and the names of the tables and fields are 
fairly self-explanatory.

Christopher Byrd wrote:
> I have set up a working lab for Prelude combined with OSSEC and Snort
> using the open source version of Prelude.  My question for the list is
> how are you actually using Prelude in production?  What workflow do
> you use to review and respond to alerts, especially in multi-analyst
> environments?
>
> Using Prewikka (not Pro) the only method I can find to "handle" an
> event is to delete it, which I have confirmed will delete the alert
> entirely from the database.  This would seem to make auditing for
> review and compliance activities difficult.  In my case, I'd like to
> find a way to mark the alert as reviewed, hopefully including an
> optional comment or classification.  Preferably, reviewed alerts would
> be archived in the database, and only available in reports, or when
> defined in searches, etc.
>
> It may be that the ticket system in Prewikka Pro is the answer,
> although I still wonder if even the automatic ticket system fully
> answers the above.  I'm hoping someone has some insight on how this
> works in the open source version, if it is possible at all.
>
> If you are using Prelude/Prewikka in production would you please
> comment on how you use it as part of your processes?
>
> Thanks in advance!
>
> Christopher
> _______________________________________________
> Prelude-user site list
> Prelude-user at prelude-ids.org
> http://lists.prelude-ids.org/mailman/listinfo/prelude-user
>   
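The approach Paul describes above, keeping the alert rows and hanging review state off the alert ID in added tables, as an added example that is not part of this thread and not Paul's scripts. It uses Python with sqlite3 in place of PostgreSQL so it runs stand-alone; the `prelude_alert` table and its columns are a constructed stand-in for the real Prelude schema (assumed names, not Prelude's DDL), and the `alert_review` / `alert_review_history` tables are the hypothetical additions. The history table is what gives the audit trail Christopher asked about: an alert is never deleted, only annotated.

```python
from __future__ import annotations

import sqlite3
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for the Prelude alert table. The real schema has far
# more columns and many child tables, but every one of them is keyed by the
# alert ident, which is the only column this example needs.
ALERT_TABLE_DDL = """
CREATE TABLE prelude_alert (
    _ident      INTEGER PRIMARY KEY,
    messageid   TEXT NOT NULL,
    create_time TEXT NOT NULL
);
"""

# Hypothetical review-state tables, keyed by the alert ident so they join
# onto the vendor tables without modifying them (Prelude upgrades and the
# stock Prewikka views keep working). The alert row itself is never deleted.
REVIEW_DDL = """
CREATE TABLE alert_review (
    alert_ident INTEGER PRIMARY KEY REFERENCES prelude_alert(_ident),
    status      TEXT NOT NULL CHECK (status IN ('reviewed', 'false_positive', 'escalated')),
    reviewer    TEXT NOT NULL,
    comment     TEXT,
    reviewed_at TEXT NOT NULL
);
-- Append-only trail of every status change, for review and compliance audits.
CREATE TABLE alert_review_history (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    alert_ident INTEGER NOT NULL REFERENCES prelude_alert(_ident),
    status      TEXT NOT NULL,
    reviewer    TEXT NOT NULL,
    comment     TEXT,
    changed_at  TEXT NOT NULL
);
"""

VALID_STATUSES = ("reviewed", "false_positive", "escalated")


def open_db() -> sqlite3.Connection:
    """In-memory database with the stand-in alert table plus the review tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # reject reviews of non-existent alerts
    conn.executescript(ALERT_TABLE_DDL + REVIEW_DDL)
    return conn


def seed_constructed_alerts(conn: sqlite3.Connection) -> None:
    """Three constructed alert rows standing in for what prelude-manager would insert."""
    rows = [
        (1, "msg-0001", "2009-12-03T01:00:00Z"),
        (2, "msg-0002", "2009-12-03T01:05:00Z"),
        (3, "msg-0003", "2009-12-03T01:10:00Z"),
    ]
    conn.executemany("INSERT INTO prelude_alert VALUES (?, ?, ?)", rows)
    conn.commit()


def mark_alert(conn: sqlite3.Connection, alert_ident: int, reviewer: str,
               status: str, comment: Optional[str] = None,
               now: Optional[str] = None) -> None:
    """Record a review decision for one alert without touching the alert row."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r}")
    ts = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    try:
        with conn:  # one transaction: current state and audit trail move together
            # UPSERT keeps exactly one "current state" row per alert ...
            conn.execute(
                "INSERT INTO alert_review (alert_ident, status, reviewer, comment, reviewed_at) "
                "VALUES (?, ?, ?, ?, ?) "
                "ON CONFLICT(alert_ident) DO UPDATE SET status=excluded.status, "
                "reviewer=excluded.reviewer, comment=excluded.comment, "
                "reviewed_at=excluded.reviewed_at",
                (alert_ident, status, reviewer, comment, ts),
            )
            # ... while the history table keeps every transition.
            conn.execute(
                "INSERT INTO alert_review_history (alert_ident, status, reviewer, comment, changed_at) "
                "VALUES (?, ?, ?, ?, ?)",
                (alert_ident, status, reviewer, comment, ts),
            )
    except sqlite3.IntegrityError as exc:  # foreign key failure: no such alert
        raise LookupError(f"no alert with ident {alert_ident}") from exc


def pending_alerts(conn: sqlite3.Connection) -> list[int]:
    """Idents of alerts with no review row: the analyst work queue."""
    cur = conn.execute(
        "SELECT a._ident FROM prelude_alert a "
        "LEFT JOIN alert_review r ON r.alert_ident = a._ident "
        "WHERE r.alert_ident IS NULL ORDER BY a._ident"
    )
    return [row[0] for row in cur.fetchall()]


def review_history(conn: sqlite3.Connection, alert_ident: int) -> list[tuple]:
    """Full audit trail for one alert, oldest change first."""
    cur = conn.execute(
        "SELECT status, reviewer, comment, changed_at FROM alert_review_history "
        "WHERE alert_ident = ? ORDER BY id",
        (alert_ident,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = open_db()
    seed_constructed_alerts(db)
    mark_alert(db, 1, "alice", "false_positive", "constructed: scanner noise")
    mark_alert(db, 1, "bob", "escalated", "constructed: second look, real scan")
    print("pending:", pending_alerts(db))
    for row in review_history(db, 1):
        print(row)
```

A Prewikka filter or report can then join `alert_review` on the alert ident to hide reviewed alerts from the default view while leaving them in the database, and the history table answers "who marked this, when, and why" without ever issuing a DELETE.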


