From rinkuburagohain at gmail.com Thu Jul 2 10:34:06 2009
From: rinkuburagohain at gmail.com (rinku buragohain)
Date: Thu, 2 Jul 2009 14:04:06 +0530
Subject: [prelude-user] prelude
Message-ID: <9054873a0907020134t1ef7e645pf197e987f7d1765d@mail.gmail.com>

[ crit handler event module ] Module log-prelude is compiled without libprelude, this wont work, reconfigure the whole source and recompile
[ crit mgr module ] Module instance of "lib/nepenthes/logprelude.so" using configuration "etc/nepenthes/log-prelude.conf" failed to initialize
[ crit mgr module ] ERROR LOADING MODULE lib/nepenthes/logprelude.so: SHUTTING DOWN
Quit
run is done -1

I am not getting all these messages, please help..

From yoann.v at prelude-ids.com Tue Jul 7 15:22:57 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Tue, 07 Jul 2009 15:22:57 +0200
Subject: [prelude-user] [ANNOUNCE]: prewikka 0.9.17
Message-ID: <1246972977.12491.365.camel@arwen>

We are pleased to announce the availability of Prewikka 0.9.17.

Prewikka is a graphical front-end analysis console for the Prelude Hybrid IDS Framework. Providing numerous features, Prewikka facilitates the work of users and analysts. It provides alert aggregation, sensor and heartbeat views, and has user management and configurable filters. It has access to external tools such as whois and traceroute.

------[ CHANGES ]------

- Do not provide an exhaustive list of unreachable linked alerts; rather, tell the user how many linked alerts are not reachable any more.
- String encoding fixes: do not mix unicode and bytestrings, and more generally, use unicode for internal string storage. This fixes a lot of possible exceptions with particular user input, or with localization enabled.
- Inline filter didn't work as expected when viewing events starting with a specific offset, because the offset keyword wasn't removed from the generated link.
- Error handling improvements (back / retry buttons weren't always working as expected).
- Fix exception when no protocol was available.
- Improve navigation button link (make the link cover the whole button).

------[ SUPPORT ]------

Improving Prelude is costly, but you can help! We are looking for organizations that find Prelude useful and wish to contribute back. Commercial support contracts for Prelude are available, and they help finance continued maintenance. PreludeIDS Technologies, a privately held company, is currently funding Prelude maintenance.

------[ DOWNLOAD ]------

http://www.prelude-ids.com/development/download/

------[ CHECKSUM ]------

MD5    : 836cb59861d5ef9bef88ca2da170b8cd
SHA1   : 3d28ff5e87b1fcaf361970ed6c0c9e477e4eb00c
SHA256 : 924c1794813f764de344a48a7cd431b66ff1875c6cc3145547bb31ca9f4db125

------[ OpenPGP key ]------

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x23D2FAC3

From yoann.v at prelude-ids.com Wed Jul 8 17:00:08 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Wed, 08 Jul 2009 17:00:08 +0200
Subject: [prelude-user] [ANNOUNCE]: libprelude 0.9.24 released
Message-ID: <1247065208.12491.372.camel@arwen>

We are pleased to announce the availability of libprelude 0.9.24.

The Prelude Library is the glue that binds all aspects of Prelude together. It is a library which enables Prelude components to communicate with the Prelude Manager. It also makes it easy for third party software to be made 'Prelude Aware' (able to communicate with Prelude components). It provides common, useful features used by every sensor.

------[ CHANGES ]------

- Initial prelude-log C++/Python/Ruby/Perl/Lua bindings support. This implements language bindings for the PreludeLog interface.
- Make the created profile permissions fully respect the required ownership. The analyzerid file within the created profile was incorrectly created with the current ownership, rather than using the specified uid/gid.
- Ruby and Python bindings were not properly checking whether the argument was a file descriptor in case the left/right shift IDMEF operators were used.
- Fix prelude-client initialization problem with empty argv[0], which sometimes happens when called from certain high level languages.
- Fix error in case of multiple initialization.
- Fix possible Lua module crash on initialization.
- Various bug fixes.

------[ SUPPORT ]------

Improving Prelude is costly, but you can help! We are looking for organizations that find Prelude useful and wish to contribute back. Commercial support contracts for Prelude are available, and they help finance continued maintenance. PreludeIDS Technologies, a privately held company, is currently funding Prelude maintenance.

------[ DOWNLOAD ]------

http://www.prelude-ids.com/development/download/

------[ CHECKSUM ]------

MD5    : f38ab003f16391a0e397568cddfbf169
SHA1   : 0b9e73f94c30dc92a430de618ad3913034e25258
SHA256 : f6e096bb16fcd0ae41fb160f285094ee224153e9ea3b528d81db1f57aebc48ce

------[ OpenPGP key ]------

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x23D2FAC3

-- 
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Wed Jul 8 17:07:50 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Wed, 08 Jul 2009 17:07:50 +0200
Subject: [prelude-user] [ANNOUNCE]: libprelude 0.9.24
Message-ID: <1247065670.2463.1.camel@arwen>

------[ CHANGES ]------

- Initial prelude-log C++/Python/Ruby/Perl/Lua bindings support. This implements language bindings for the PreludeLog interface.
- Make the created profile permissions fully respect the required ownership. The analyzerid file within the created profile was incorrectly created with the current ownership, rather than using the specified uid/gid.
- Ruby and Python bindings were not properly checking whether the argument was a file descriptor in case the left/right shift IDMEF operators were used.
- Fix prelude-client initialization problem with empty argv[0], which sometimes happens when called from certain high level languages.
- Fix error in case of multiple initialization.
- Fix possible Lua module crash on initialization.
- Various bug fixes.

We are pleased to announce the availability of libprelude 0.9.24.

The Prelude Library is the glue that binds all aspects of Prelude together. It is a library which enables Prelude components to communicate with the Prelude Manager. It also makes it easy for third party software to be made 'Prelude Aware' (able to communicate with Prelude components). It provides common, useful features used by every sensor.

------[ SUPPORT ]------

Improving Prelude is costly, but you can help! We are looking for organizations that find Prelude useful and wish to contribute back. Commercial support contracts for Prelude are available, and they help finance continued maintenance. PreludeIDS Technologies, a privately held company, is currently funding Prelude maintenance.

------[ DOWNLOAD ]------

http://www.prelude-ids.com/development/download/

------[ CHECKSUM ]------

MD5    : f38ab003f16391a0e397568cddfbf169
SHA1   : 0b9e73f94c30dc92a430de618ad3913034e25258
SHA256 : f6e096bb16fcd0ae41fb160f285094ee224153e9ea3b528d81db1f57aebc48ce

------[ OpenPGP key ]------

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x23D2FAC3

-- 
Yoann Vandoorselaere

From firm at iname.com Wed Jul 8 20:25:26 2009
From: firm at iname.com (Alexander Afonyashin)
Date: Wed, 8 Jul 2009 21:25:26 +0300
Subject: [prelude-user] R: How do you chain events within LML
Message-ID: <20090708182526.AE7FB10612@ws1-3.us4.outblaze.com>

Hi Justin,

So, you need to keep track of previous info for a particular event (value b in 4th position in your case), right? Then the rules should look like this:

regex=\w+ b \w+ (\w) \w+ \w \w+ \w \w+; \
 id=2; \
 new_context=_phase1_$1;expire:0; \
 #some fields in idmef may be filled
 silent;

regex=\w+ c \w+ (\w) \w+ \w \w+ \w \w+; \
 id=3; \
 require_context=_phase1_$1; \
 new_context=_phase2_$1;expire:0; \
 destroy_context=_phase1_$1; \
 #some fields in idmef may be filled
 silent;

regex=\w+ \w \w+ (\w) \w+ \w \w+ \w \w+; \
 id=1; \
 require_context=_phase2_$1; \
 destroy_context=_phase2_$1; \
 #required fields in idmef are filled
 last;

Best regards,
Alexander Afonyashin

----- Original Message -----
From: Justin.Buhler at zootweb.com
To: prelude-user at prelude-ids.org
Subject: [prelude-user] R: How do you chain events within LML
Date: Tue, 30 Jun 2009 13:40:48 -0600

I would like to create a generic filter that can be refined depending on a value. Is the following the best way to achieve this or is there another way?

Initial message

xxxxxxxx a xxxxxxxx b xxxxxxxx b xxxxxxxx b xxxxxxxx
xxxxxxxx c xxxxxxxx b xxxxxxxx b xxxxxxxx b xxxxxxxx
xxxxxxxx b xxxxxxxx b xxxxxxxx b xxxxxxxx b xxxxxxxx

regex=\w+ b \w+ \w \w+ \w \w+ \w \w+; \
 id=2; \
 chained; \
 silent;

regex=\w+ c \w+ \w \w+ \w \w+ \w \w+; \
 id=3; \
 chained; \
 silent;

regex=\w+ \w \w+ \w \w+ \w \w+ \w \w+; \
 optgoto=2; \
 optgoto=3; \
 id=1; \

-------------------------------------------------------------------
Justin Buhler, CISSP
Information Security Specialist
[skipped]

From Thomas.Georgi at secunet.com Thu Jul 9 12:04:43 2009
From: Thomas.Georgi at secunet.com (Georgi, Thomas)
Date: Thu, 9 Jul 2009 12:04:43 +0200
Subject: [prelude-user] Authentication Prewikka
Message-ID: <25A73B94D772B0499FE933B70839BD47D9B656@mail-srv1.secumail.de>

Hi,

is it possible, that users authenticate on prewikka using LDAP or what else instead of the built in user-database?

Thanks - Thomas!
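Alexander's three-phase context rules above, simulated in Python as an added example (this is not code from the thread or from prelude-lml itself). It assumes that LML evaluates every rule in file order against each line, applies new_context/destroy_context as soon as a rule matches, and stops early only for rules carrying `last;`; under that assumption the chain completes on the 'c' line itself unless the two silent rules also carry `last;`, which the second run shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One prelude-lml style rule; $1 in a context name is replaced by the
    first capture group, as in Alexander's _phase1_$1 (assumed semantics)."""
    id: int
    regex: str
    new_context: Optional[str] = None
    require_context: Optional[str] = None
    destroy_context: Optional[str] = None
    silent: bool = False
    last: bool = False


def run_rules(rules: List[Rule], lines: List[str]) -> List[Tuple[int, int]]:
    """Feed log lines through the rules in file order and return the
    (line index, rule id) pairs that raised a non-silent alert.
    Contexts never expire here, matching expire:0 in the thread."""
    contexts = set()
    alerts = []
    for idx, line in enumerate(lines):
        for rule in rules:
            m = re.match(rule.regex, line)
            if not m:
                continue
            key = m.group(1)
            if rule.require_context and rule.require_context.replace("$1", key) not in contexts:
                continue  # regex matched, but the chain is not in the right phase
            if rule.destroy_context:
                contexts.discard(rule.destroy_context.replace("$1", key))
            if rule.new_context:
                contexts.add(rule.new_context.replace("$1", key))
            if not rule.silent:
                alerts.append((idx, rule.id))
            if rule.last:
                break  # 'last;' stops rule evaluation for this line
    return alerts


def chain_rules(last_on_silent: bool = False) -> List[Rule]:
    """Alexander's three rules; the 4th token is the correlation key."""
    return [
        Rule(2, r"\w+ b \w+ (\w) \w+ \w \w+ \w \w+$",
             new_context="_phase1_$1", silent=True, last=last_on_silent),
        Rule(3, r"\w+ c \w+ (\w) \w+ \w \w+ \w \w+$",
             require_context="_phase1_$1", new_context="_phase2_$1",
             destroy_context="_phase1_$1", silent=True, last=last_on_silent),
        Rule(1, r"\w+ \w \w+ (\w) \w+ \w \w+ \w \w+$",
             require_context="_phase2_$1", destroy_context="_phase2_$1", last=True),
    ]


# Constructed log lines in Justin's 9-token shape; 'k' and 'z' are the keys
LOG_LINES = [
    "host1 b proc k data x more y tail",  # phase 1 for key k
    "host1 c proc k data x more y tail",  # phase 2 for key k
    "host1 d proc k data x more y tail",  # final event for key k
    "host1 c proc z data x more y tail",  # 'c' with no prior 'b' for key z
]

if __name__ == "__main__":
    # without 'last;' on the silent rules, rule 1 fires on the 'c' line
    print(run_rules(chain_rules(), LOG_LINES))                     # [(1, 1)]
    # with 'last;' on them, the alert waits for the next line of key k
    print(run_rules(chain_rules(last_on_silent=True), LOG_LINES))  # [(2, 1)]
```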
From skippylou at gmail.com Thu Jul 9 13:04:38 2009
From: skippylou at gmail.com (ScottO)
Date: Thu, 9 Jul 2009 07:04:38 -0400
Subject: [prelude-user] Authentication Prewikka
In-Reply-To: <25A73B94D772B0499FE933B70839BD47D9B656@mail-srv1.secumail.de>
References: <25A73B94D772B0499FE933B70839BD47D9B656@mail-srv1.secumail.de>
Message-ID: <1edd27fb0907090404o42b6ae8esee62194d47647b0@mail.gmail.com>

On Thu, Jul 9, 2009 at 6:04 AM, Georgi, Thomas wrote:
> Hi,
>
> is it possible, that users authenticate on prewikka using LDAP or what
> else instead of the built in user-database?
>

With PrewikkaPro you can use LDAP.

From yoann.v at prelude-ids.com Thu Jul 9 18:04:11 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Thu, 09 Jul 2009 18:04:11 +0200
Subject: [prelude-user] [ANNOUNCE]: prelude-correlator 0.9.0-beta6
Message-ID: <1247155452.11383.0.camel@arwen>

We are pleased to announce the availability of Prelude-Correlator 0.9.0-beta6.

Prelude-Correlator serves to correlate, in real time, the multiple events received by Prelude. Several isolated alerts, generated from different probes, can thus trigger a single correlation alert should the events be related.

------[ CHANGES ]------

- Provide a default configuration file, and fix the prelude-correlator --config option.
- A rare exception could occur when IDMEF:Set() was called with an empty list/tuple as the value argument.
- Normalize libprelude logging through our own log callback (only enabled if libprelude >= 0.9.24 is installed).
- The DShield plugin didn't report any events since addresses loaded from the DShield database weren't correctly normalized.
- Automatic download + reloading of the DShield database was fixed.
- DShield generated alerts now include additional details.
- Make it possible to specify your own DShield database file, and to prevent automatic download. This is useful on systems with no direct internet access.
- Handle both the standard installation and the EGG installation method (in EGG mode, configuration and data files are self contained).
- Introduce a new plugin logging mechanism.
- Add some utility methods to the Timer class.
- Make it possible for plugins to define a 'signal' method that will get called when prelude-correlator handles a signal (can be used to perform special handling before exit, for statistics or debugging purposes).

------[ SUPPORT ]------

Improving Prelude is costly, but you can help! We are looking for organizations that find Prelude useful and wish to contribute back. Commercial support contracts for Prelude are available, and they help finance continued maintenance. PreludeIDS Technologies, a privately held company, is currently funding Prelude maintenance.

------[ DOWNLOAD ]------

http://www.prelude-ids.com/development/download/

------[ CHECKSUM ]------

MD5    : 29f3c3ce5baf43586ec4a4841494cdd0
SHA1   : b75784b69e4a28dc71c836633826e98f1b28da55
SHA256 : e9e7f05450fc9b5421a7c162660832e881b92e8c4a1ad44c0cba7f3e8c28a298

------[ OpenPGP key ]------

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x23D2FAC3

-- 
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 14:22:01 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 14:22:01 +0200
Subject: [prelude-user] [ANNOUNCE]: prelude-manager 0.9.15
Message-ID: <1247228521.2517.18.camel@arwen>

We are pleased to announce the availability of Prelude-Manager 0.9.15.

Prelude-Manager is a high availability server that accepts secured connections from distributed sensors or other managers and saves received events to a media specified by the user (database, log files, mail, etc). The server is a high availability server capable of handling a large number of connections, and processing large amounts of events. It uses per-client scheduling queues in order to process events by severity fairly across clients.

------[ CHANGES ]------

- Make Prelude-Manager thread backend independent.
- Add missing dlpreopening support for the SMTP plugin.
- Win32 compilation fixes.
- Various fixes and updates.

------[ SUPPORT ]------

Improving Prelude is costly, but you can help! We are looking for organizations that find Prelude useful and wish to contribute back. Commercial support contracts for Prelude are available, and they help finance continued maintenance. PreludeIDS Technologies, a privately held company, is currently funding Prelude maintenance.

------[ DOWNLOAD ]------

http://www.prelude-ids.com/development/download/

------[ CHECKSUM ]------

MD5    : 707c8c1be9976ef13748dad680e7724c
SHA1   : 3cb906c647d8fbf21671d8e43b30b3244af499b1
SHA256 : 2ee2160e049f99a4ede3a76b1a6872c584f1a2764816394671aa3abd5e711ce2

------[ OpenPGP key ]------

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x23D2FAC3

-- 
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 14:55:28 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 14:55:28 +0200
Subject: [prelude-user] please
In-Reply-To: <544023.46049.qm@web27506.mail.ukl.yahoo.com>
References: <544023.46049.qm@web27506.mail.ukl.yahoo.com>
Message-ID: <1247230528.4750.1.camel@arwen>

Hi,

On Saturday 13 June 2009 at 18:58 +0000, djabas ulrich guilain wrote:
> hi all
>
> I do not understand the reason of this error
> can to help has to find a means of solving this problem and for the
> prelude-manager C the same thing I l' but the system is already to
> create my known as that not
[...]
> [root at localhost ~]# prelude-lml
> /etc/prelude-lml/prelude-lml.conf:19: invalid option "listen" in
> "global" section.
> /etc/prelude-lml/prelude-lml.conf:20: invalid option "listen" in
> "global" section.
> /etc/prelude-lml/prelude-lml.conf:54: invalid option "file" in
> "global" section.
[...]

I guess your configuration file is missing a configuration section; the best way would be to attach your configuration, with any private data removed, so that we can have a look at it.

Regards,

-- 
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 14:58:58 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 14:58:58 +0200
Subject: [prelude-user] prelude
In-Reply-To: <9054873a0907020134t1ef7e645pf197e987f7d1765d@mail.gmail.com>
References: <9054873a0907020134t1ef7e645pf197e987f7d1765d@mail.gmail.com>
Message-ID: <1247230738.4750.4.camel@arwen>

Hi,

On Thursday 02 July 2009 at 14:04 +0530, rinku buragohain wrote:
> [ crit handler event module ] Module log-prelude is compiled without
> libprelude, this wont work, reconfigure the whole source and recompile[ crit
> mgr module ] Module instance of "lib/nepenthes/logprelude.so" using
> configuration "etc/nepenthes/log-prelude.conf" failed to initialize
> [ crit mgr module ] ERROR LOADING MODULE lib/nepenthes/logprelude.so:
> SHUTTING DOWN
> Quit
> run is done -1
> i am not getting all this message please help..

This probably means you didn't enable the Prelude configure switch before compiling Nepenthes.

configure --help | grep prelude

Should help you find the parameter to use to enable Prelude support.

Regards,

-- 
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 15:01:42 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 15:01:42 +0200
Subject: [prelude-user] Problem compiling prelude correlator
In-Reply-To: <2ed0cd480905190245u689c6ad6h74a464ebf8c08ed8@mail.gmail.com>
References: <2ed0cd480905050756h4a7b691xe09c52203a6d7f54@mail.gmail.com> <1242031869.27525.47.camel@localhost.localdomain> <2ed0cd480905110654v2c20f9bbi49bbb10bc74aab72@mail.gmail.com> <1333be7b0905110704y29ca80aeib72383c32c6b3844@mail.gmail.com> <2ed0cd480905120614l7033526evb55cb399c12b9ba6@mail.gmail.com> <2ed0cd480905130555m7bae29c4y29131ac291841864@mail.gmail.com> <2ed0cd480905190245u689c6ad6h74a464ebf8c08ed8@mail.gmail.com>
Message-ID: <1247230902.31201.0.camel@arwen>

Hello Mathieu,

On Tuesday 19 May 2009 at 11:45 +0200, Matthieu Audisio wrote:
> I did not succeed in resolving my problem... Do you think that I should not
> have deleted the DShield plugin... ?

Your error is due to an update in the PreludeEasy bindings naming convention; updating libprelude should solve your problem.

Regards,

-- 
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 15:06:31 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 15:06:31 +0200
Subject: [prelude-user] Snort ERROR: prelude-client: Unable to initialize prelude client: TLS handshake failed...
In-Reply-To: <205ad7060905190845wcf4526an76532435e64f419e@mail.gmail.com>
References: <205ad7060905190845wcf4526an76532435e64f419e@mail.gmail.com>
Message-ID: <1247231191.31201.5.camel@arwen>

Hi Christophe,

On Tuesday 19 May 2009 at 17:45 +0200, christophe taranotte wrote:
> I build from ports, Prelude and Snort on a FreeBSD 7.2 i386 box.
[...]
> I added "output alert_prelude" to snort.conf and ran prelude-manager
> (--debug-level=10) and snort in the foreground.
>
> When snort tries to connect to prelude-manager, it returns the following error:
>
> >>Initializing Network Interface xl0
> >>Decoding Ethernet on interface xl0
> >>19 May 17:13:38 (process:17662) INFO: Connecting to 192.0.0.12:4690 prelude Manager server.
> >>ERROR: prelude-client: Unable to initialize prelude client: TLS handshake failed: A TLS packet with unexpected length was received..
> >>
> >>In order to register this sensor, please run:
> >>prelude-admin register snort "idmef:w" 192.0.0.12 --uid 0 --gid 0
> >>
> >>Profile 'snort' does not exist. In order to create it, please run:
> >>prelude-admin register "snort" "idmef:w" --uid 0 --gid 0.
> >>Fatal Error, Quitting..
>
> While prelude-manager dies unexpectedly showing no message:
>
> >>....
> >>19 May 17:13:32 (process:17658) DEBUG: woke up 0 timer (prelude-timer.c:146 walk_and_wake_up_timer)
> >>19 May 17:13:33 (process:17658) DEBUG: woke up 0 timer (prelude-timer.c:146 walk_and_wake_up_timer)
> >>19 May 17:13:34 (process:17658) DEBUG: woke up 0 timer (prelude-timer.c:146 walk_and_wake_up_timer)
> >>19 May 17:13:35 (process:17658) DEBUG: woke up 0 timer (prelude-timer.c:146 walk_and_wake_up_timer)
> >>19 May 17:13:36 (process:17658) DEBUG: woke up 0 timer (prelude-timer.c:146 walk_and_wake_up_timer)
> >>19 May 17:13:37 (process:17658) DEBUG: woke up 0 timer (prelude-timer.c:146 walk_and_wake_up_timer)
> >>#

Ouch. This looks really strange. Libgcrypt is known to exit silently in case of initialization failure, so that might be it.
Could you please provide the full output of a prelude-manager session with the following environment variable set (this is trigger earlier than --debug-level=10): LIBPRELUDE_DEBUG=10 prelude-manager [optional arguments] Regards, -- Yoann Vandoorselaere From yoann.v at prelude-ids.com Fri Jul 10 15:26:41 2009 From: yoann.v at prelude-ids.com (Yoann Vandoorselaere) Date: Fri, 10 Jul 2009 15:26:41 +0200 Subject: [prelude-user] problems with prelude-manager's idmef-criteria and thresholding In-Reply-To: <49D29D30.8090203@beatport.com> References: <49D29D30.8090203@beatport.com> Message-ID: <1247232401.31201.12.camel@arwen> Hi Ryan, Le mardi 31 mars 2009 ? 16:46 -0600, Ryan Skorstad a ?crit : > I am attempting to configure filters on my incoming events by setting up > idmef-criteria and thresholding in prelude-manager.conf. > > My system is a Fedora 10 x86_64 box running prelude-manager-0.9.14.2-1 > rpms obtained from Fedora Koji. > > Following the documentation here: > > https://trac.prelude-ids.org/wiki/PreludeManager/FilteringPlugins [...] > > When I try to start prelude-manager, I get these errors: > > /etc/prelude-manager/prelude-manager.conf:19: invalid option "seconds" > in "global" section. > /etc/prelude-manager/prelude-manager.conf:20: invalid option "hook" in > "global" section. > > Also, the documentation states that the syntax should be > '[idmef-criteria-filter=bittorrent]' but when I use that I get even more > errors like the ones above. Switching back to '[idmef-criteria]' seems > to make it complain less. > > What am I doing wrong? Am I missing a section definition somewhere? We are at fault here, that part of the documentation was outdated, and reflected the old option name. 
I updated the documentation which is now available on: https://dev.prelude-ids.com/wiki/prelude/PreludeManagerFilteringPlugins The new way to do what you are trying to achieve is: [thresholding=bittorrent] path = alert.classification.text, lert.target(0).node.address(0).address threshold = 3600 count = 1 hook = db Note that a threshold of 1 look incorrect, threshold usually is used to express somethings like 'forward every tenth event in X seconds to the given plugin', so what you are looking for is probably: [thresholding=bittorrent] path = alert.classification.text, lert.target(0).node.address(0).address limit = 3600 count = 1 hook = db Hope this help, -- Yoann Vandoorselaere From yoann.v at prelude-ids.com Fri Jul 10 15:32:08 2009 From: yoann.v at prelude-ids.com (Yoann Vandoorselaere) Date: Fri, 10 Jul 2009 15:32:08 +0200 Subject: [prelude-user] preludedb-admin question In-Reply-To: <6c2174db0906301137w35488080m74d8cf3f6c1d7f7d@mail.gmail.com> References: <6c2174db0906301137w35488080m74d8cf3f6c1d7f7d@mail.gmail.com> Message-ID: <1247232728.31201.15.camel@arwen> Hi, Le mardi 30 juin 2009 ? 15:37 -0300, Varejante Solphins a ?crit : > Is it possible to format the return value from a preludedb-admin query? I > want to print all classification.alert.text from my database: > > root at prelude# preludedb-admin print alert "type=mysql name=prelude user=root > pass=root" --criteria "alert.create_time > "30-06-09" && > alert.classification.text == '%a%'" > > The documentation show only few examples. This is not possible at the moment, although you could easily format preludedb-admin output using grep/sed tools or alike. Additionally, do not hesitate to provides us with concrete use cases that would justify implementing this feature! 
Regards, -- Yoann Vandoorselaere From yoann.v at prelude-ids.com Fri Jul 10 15:36:52 2009 From: yoann.v at prelude-ids.com (Yoann Vandoorselaere) Date: Fri, 10 Jul 2009 15:36:52 +0200 Subject: [prelude-user] ossec and prelude In-Reply-To: <1244777845.6260.2.camel@love-laptop> References: <1244118067.6314.26.camel@love-laptop> <1244449884.5294.9.camel@arwen> <1244523617.6395.6.camel@love-laptop> <1244709133.24813.8.camel@arwen> <1244777845.6260.2.camel@love-laptop> Message-ID: <1247233013.31201.18.camel@arwen> Le vendredi 12 juin 2009 ? 09:07 +0530, lovewadhwa a ?crit : > On machine running ossec libprelude version is 0.9.13 and the one > running prelude-manager is 0.9.22 > > Any fight bcoz of different versions being run ? The version difference should not matter, at least it should not result in a segmentation fault. Could you run prelude-admin (on the prelude-manager side) under gdb and valgrind, and provide the complete output so that we can get an idea where the problem is ? If you need help tracking the issue, don't hesitate to drop me a line on irc.freenode.net, #prelude Regards, -- Yoann Vandoorselaere From yoann.v at prelude-ids.com Fri Jul 10 15:39:23 2009 From: yoann.v at prelude-ids.com (Yoann Vandoorselaere) Date: Fri, 10 Jul 2009 15:39:23 +0200 Subject: [prelude-user] smtp with SSL with the smtp reporting plugin ? In-Reply-To: References: Message-ID: <1247233169.31201.21.camel@arwen> Hi, Le jeudi 26 mars 2009 ? 10:03 +0100, neorom a ?crit : > I would like to know if it's possible to configure the reporting smtp > plugin in prelude manager with ssl configuration and authentication. > If it's possible would you please give me the command lines to put in > the configuration bellow. SSL is not implemented at the moment. You might open a feature request on https://dev.prelude-ids.com, if you wish that this feature get implemented. 
In the meantime, you can configure the SMTP plugin so that events are sent to a local MTA, and configure this local MTA so that it relay your message to the main MTA using SSL. Regards, -- Yoann Vandoorselaere From robert.vineyard at oit.gatech.edu Fri Jul 10 15:08:29 2009 From: robert.vineyard at oit.gatech.edu (Robert Vineyard) Date: Fri, 10 Jul 2009 09:08:29 -0400 Subject: [prelude-user] Bro-IDS support in Prelude? Message-ID: <4A573D4D.2030003@oit.gatech.edu> Has anyone tried integrating a Bro-IDS sensor with Prelude? I have not been able to find native support on either side, but it seems like it would be possible either using the Prelude-LML to parse the Bro logs or to have Bro call a script that would generate an event within Prelude. I'm not opposed to writing the code myself, but I wanted to see if anyone was aware of an existing project to bridge these two applications. Thanks! -- [ Robert Vineyard | RHCE, Security+ ] [ robert.vineyard at oit.gatech.edu ] [ Information Security Engineer III ] [ 404.385.6900 | FAX 404.894.4690 ] [Finding a needle in a haystack isn't hard when every straw is computerized] From yoann.v at prelude-ids.com Fri Jul 10 15:48:32 2009 From: yoann.v at prelude-ids.com (Yoann Vandoorselaere) Date: Fri, 10 Jul 2009 15:48:32 +0200 Subject: [prelude-user] Prelude-lml sensor In-Reply-To: <27568B750F11034C9169DCA861610E630590166D@IBSW007CM.lutech.lan> References: <27568B750F11034C9169DCA861610E630590166D@IBSW007CM.lutech.lan> Message-ID: <1247233712.31201.30.camel@arwen> Hi Matteo, Le mercredi 25 mars 2009 ? 12:45 +0100, Matteo Michelini a ?crit : > I'm trying to configure prelude-lml sensor but I'm wondering what's the > meaning of prefix-regex into the prelude-lml.conf file. > > I thought that prefix-regex was used to match the first part of the log > trail and then the trails not-filtered by this regex were redirected to > the specific *.rules under ruleset/. > > But prefix-regex doesn't filter anything.... 
So I cannot imagine what's > its purpose. You are correct: prefix-regex won't filter out unmatched lines, this is a security feature so that unmatched events will still go through Prelude-LML signature and get analyzed. The point of prefix regex is to retrieve some common information from the log's header, like the hostname, the process PID or name. Reading the example you provided, it's not clear exactly what you were trying to achieve. Could you provide us more details about that? [...] Regards, -- Yoann Vandoorselaere From sgrubb at redhat.com Fri Jul 10 15:41:10 2009 From: sgrubb at redhat.com (Steve Grubb) Date: Fri, 10 Jul 2009 09:41:10 -0400 Subject: [prelude-user] Bro-IDS support in Prelude? In-Reply-To: <4A573D4D.2030003@oit.gatech.edu> References: <4A573D4D.2030003@oit.gatech.edu> Message-ID: <200907100941.10486.sgrubb@redhat.com> On Friday 10 July 2009 09:08:29 am Robert Vineyard wrote: > Has anyone tried integrating a Bro-IDS sensor with Prelude? I have not been > able to find native support on either side, but it seems like it would be > possible either using the Prelude-LML to parse the Bro logs or to have Bro > call a script that would generate an event within Prelude. I'm not opposed > to writing the code myself, but I wanted to see if anyone was aware of an > existing project to bridge these two applications. We have been looking at adding libprelude linking to BroIDS so that it can send events directly. Currently its designed to link against what appears to be an old and unmaintained IDMEF library. We haven't completed the work yet, but we want to get that connection. 
-Steve

From yoann.v at prelude-ids.com Fri Jul 10 15:56:05 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 15:56:05 +0200
Subject: [prelude-user] prelude-lml and syslog message over the network
In-Reply-To: <20090316154408.GA27580@vanja.com>
References: <20090316154408.GA27580@vanja.com>
Message-ID: <1247234165.31201.37.camel@arwen>

Hi,

On Monday 16 March 2009 at 16:44 +0100, x25 at pobox.com wrote:
> I am setting up PreludeIDS, and I am having a bit of trouble with prelude-lml, on CentOS.
>
> Basically, I have initially set syslog to accept messages over the network and log them into files. However, because
> there is quite a lot of syslog traffic, I wanted to set up prelude-lml as a listener, so that I can only accept+log
> (into the prelude db) events that I need.
>
> The problem that I have is:
>
> 16 Mar 11:04:20 (process:8776) WARNING: no appropriate format defined for log entry: 'sshd[24034]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.100.1 user=root
>
> The trouble is that this message doesn't have a timestamp and hostname, which are fields defined in the syslog format.

That's an interesting log entry, where is this coming from?

> I have
> tried defining a 'custom' format, without timestamp/hostname, but then entries show up (in prewikka) with
> a 'destination' of 127.0.0.1.
>
> What is the proper way to handle a case like this?

Unfortunately, none at the moment. The problem is that Prelude-LML won't rely on the sender IP address, since the message might have been relayed from yet another machine. I agree it would be nice to have this behavior as an option though... You might want to open a feature request on https://dev.prelude-ids.com if you are interested.
Regards,

--
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 16:10:12 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 16:10:12 +0200
Subject: [prelude-user] Reverse Relaying with filter
In-Reply-To: <414ccf7b0902151016y1e1eb5f5m69ebf49ceb4946ae@mail.gmail.com>
References: <414ccf7b0902151016y1e1eb5f5m69ebf49ceb4946ae@mail.gmail.com>
Message-ID: <1247235012.31201.48.camel@arwen>

Hi,

On Sunday 15 February 2009 at 19:16 +0100, China wrote:
> I've tried to make the following architecture:
>
> * Computer A: PC located in the DMZ with a web server, prelude-lml,
> prelude-correlator and prelude-manager1
>
> * Computer B: PC located in the internal LAN with prelude-manager2 and prewikka
>
> The target is:
>
> 1. prelude-lml sends events to prelude-manager1 (PC A), which sends events to
> prelude-correlator.
> 2. prelude-correlator creates correlated events and sends them to
> prelude-manager1 (PC A).
> 3. prelude-manager2 (PC B) pulls only correlated events from prelude-manager1
> (PC A).
>
> I was not able to achieve this architecture with an IDMEF Criteria on
> reverse-relaying:
>
> rule = alert.correlation_alert.name
> hook = reverse-relaying
>
> It didn't filter the non-correlated events (and I've tried to put it
> on both PC A and PC B).
> Is what I've tried to do not possible? Why does the reverse-relaying
> hook exist?

It should have filtered out non-correlated alerts, but it's not possible since you are going to hit another problem anyway: prelude-correlator also pulls alerts from Prelude-Manager, and is going to be impacted by the reverse-relaying filter: using such a filter, prelude-correlator wouldn't get any events anymore.
The solution would be to develop a finer grained reverse-relaying hook that would allow you to plug into a predefined analyzerid:

hook = reverse-relaying[analyzerid]

This is not implemented at the moment, so do not hesitate to open a feature request on https://dev.prelude-ids.com if you'd like to see that implemented.

Regards,

--
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 16:12:45 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 16:12:45 +0200
Subject: [prelude-user] [Fwd: prewikka not showing target]
In-Reply-To: <496DEE3D.7060702@unixcluster.dk>
References: <496DEE3D.7060702@unixcluster.dk>
Message-ID: <1247235165.31201.49.camel@arwen>

Hi,

On Wednesday 14 January 2009 at 14:53 +0100, jkv wrote:
> Any hints why prewikka doesn't show the target address?
> In the attached screenshots all alerts have the same target; prewikka
> correlates the alerts, but doesn't show the target addresses, even though
> all my alerts have the same ip address. If I click on one of the grouped
> (correlated) alerts it shows the ip all right.

This looks like a bug, can you reproduce it with the latest Prewikka version?

Regards,

--
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 16:18:05 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 16:18:05 +0200
Subject: [prelude-user] "prelude-admin list" segfault due to an uninitialized lock
In-Reply-To:
References:
Message-ID: <1247235485.31201.52.camel@arwen>

Hi,

On Wednesday 10 December 2008 at 11:25 +0100, Rumko wrote:
> calling "prelude-admin list" results in a segfault ...
>
> the problem is line 518 in prelude-client-profile.c ... it tries to
> lock "lock", but the problem is that variable is null, so pthread_mutex_lock
> (from what i was able to find out, I believe it should be calling that
> function) returns EINVAL ... who should have initialized the lock or where
> should the lock have been initialized?
> main() in prelude-admin, prelude_init()
> perhaps?
> I'm new to prelude's source code so it's a tad more difficult for me to locate
> the problem without additional directions.
>
> GDB backtrace:
> Starting
> program: /usr/obj/pkgsrc/security/libprelude/work/libprelude-0.9.21.3/prelude-admin/.libs/lt-prelude-admin
> list

[...]

> some more info from GDB:
> Breakpoint 2, prelude_client_profile_get_profile_dirname (cp=0x0,
> buf=0xbfbfe2d4 "", size=1024) at prelude-client-profile.c:509
> 509 const char *prefix, *name_sep = "", *name = "";
> (gdb) s
> 511 prelude_return_if_fail(buf);
> (gdb) s
> 513 if ( cp && cp->name ) {
> (gdb) s
> 518 gl_lock_lock(lock);
> (gdb) print lock
> $1 = (gl_lock_t) 0x0
> (gdb) s
> _pthread_fake_inval () at /usr/src/lib/libc/../libc/gen/pthread_fake.c:163
> 163 }

This is most probably due to a GnuLib glthread implementation issue on this specific platform. In order to make sure the problem is not fixed already, could you try to reproduce this issue with libprelude 0.9.24?

Thanks,

--
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Fri Jul 10 16:21:46 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Fri, 10 Jul 2009 16:21:46 +0200
Subject: [prelude-user] sending snoopy log to prewikka
In-Reply-To: <096698C7360C5B4583FB633B4F01F7AF04316B53@imax-exchange.intermax.local>
References: <096698C7360C5B4583FB633B4F01F7AF04316B53@imax-exchange.intermax.local>
Message-ID: <1247235706.31201.56.camel@arwen>

Hi,

On Monday 16 March 2009 at 15:28 +0100, Niek Timmers wrote:
> I'm figuring out how I can send the log of snoopylogger (logs to syslog)
> to my prelude manager server so it will show up in prewikka. I think
> this can be done with prelude-lml but I'm not sure how I can achieve
> this. I tried some stuff, this is what I came up with:

[...]

> My guess is I need to build some pcre rules for the prelude-lml plugin
> but I'm not sure. Can somebody point me in the right direction, or maybe
> has experience with getting snoopylogger logs into prewikka?

You are correct, you now need to write a signature that will be able to take care of Snoopylogger input, and translate it to Prelude events. Do not hesitate to provide us with a bunch of Snoopylogger log samples, so that we can help in writing the signatures.

Regards,

--
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Mon Jul 13 12:14:49 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Mon, 13 Jul 2009 12:14:49 +0200
Subject: [prelude-user] [prelude-announce] [ANNOUNCE]: libpreludedb 0.9.15.2
Message-ID: <1247480089.25062.1.camel@arwen>

We are pleased to announce the availability of libpreludedb 0.9.15.2.

The PreludeDB Library provides an abstraction layer upon the type and the format of the database used to store IDMEF alerts. It allows developers to use the Prelude IDMEF database easily and efficiently without worrying about SQL, and to access the database independently of the type/format of the database.

------[ CHANGES ]------

- Fix regression introduced in libpreludedb 0.9.15: libpreludedb-config --plugin-dir would return an incorrect result.
- Improve mysql, postgresql, and sqlite3 detection method; should work on 64 bit architectures, and make it easy to cross compile.
- Minor fixes.

------[ SUPPORT ]------

Improving Prelude is costly, but you can help! We are looking for organizations that find Prelude useful and wish to contribute back. Commercial support contracts for Prelude are available, and they help finance continued maintenance. PreludeIDS Technologies, a privately held company, is currently funding Prelude maintenance.
------[ DOWNLOAD ]------

http://www.prelude-ids.com/development/download/

------[ CHECKSUM ]------

MD5 : ff3ed03dcb64a418f4c362a9bf86099b
SHA1 : 229dae77f5510bc63a470b5b67e1cb4db3019ff5
SHA256 : eb97c7805bdd09be39ef833ca367f515cb348cbea11bb8ba746d1e932f184d96

------[ OpenPGP key ]------

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x23D2FAC3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAABAgAGBQJKWwbOAAoJEBHxO34j0vrDX3MQAIvF2JCaFGrnTeHn7PHRpqu9
NkNqGjwIZ6vuyyD3qOmLFC0KFPXRaVQllfaxZWfsTH7maAvD78f8gmRzFa1VBqwv
EYa+aJuC5tQRI+Y/NziproDlEcp61XFF1BoZRs+5E8L7NEqTpBYgEWH1H6JOqtRx
kgWdyASuj6vhyWd8p7lUH9y31902XIKge9L2cPR759TEOJvpx8hLTw1SL8nORdnP
1/N4ITPJJh43+4En1/+HxGAFBe+4oGKK52cSwgnrjmDnDMC61ERI7BT6u4OF+IQu
9HZrBrzwUOp80kChBwwN5TwQpnf7+2T0IZtV6h+Xqf6GsUS507LC6zo39nUtQx7+
ytc7rIVzFZ2jo3KtZsp3EhRjDwrI8mxQhNHmFswfRYnPG09qfjo3R7NGcWPghdmP
eJjc6vlQTgEHMmNy5n2JSFXrO+FTia/G1KrOSZrgYG3XwBUQp6kMOJtBpW6sqkWT
EaTUvSghzhh+DD+Gn4ga3ZGrAyHmRib5SuAmLvTj6MkvJ9mDiEPuvnrygTF3T8jL
nX9dFhcP6U6E9FByh9LKKtXkpDSGlRfrjZtH8wpDjS8rW52JWyIzgLiqsbjTrMEd
SkGKdb10Zjvptxzln5nRw4KliuCo9T5mIgrXkP50XyDDI6iuDyZfsOPEu849UXl8
3CZUxtKKUsTAGWwAg65U
=itkZ
-----END PGP SIGNATURE-----

--
Yoann Vandoorselaere

From yoann.v at prelude-ids.com Thu Jul 16 15:57:18 2009
From: yoann.v at prelude-ids.com (Yoann Vandoorselaere)
Date: Thu, 16 Jul 2009 15:57:18 +0200
Subject: [prelude-user] [prelude-announce] [ANNOUNCE]: prelude-lml 0.9.15
Message-ID: <1247752639.8088.17.camel@arwen>

We are pleased to announce the availability of Prelude-LML 0.9.15.

Prelude-LML is a signature based log analyzer monitoring logfiles and received syslog messages for suspicious activity. It handles events generated by a large set of components, including but not limited to: BigIP, Grsecurity, Honeyd, ipchains, Netfilter, ipfw, Nokia ipso, Nagios, Norton Antivirus Corporate Edition, NTsyslog, PAM, Portsentry, Postfix, Proftpd, ssh, etc.

------[ CHANGES ]------

- Make the Prelude-LML UDP server IPv6 compatible.
- Implement 'idmef-alter' and 'idmef-alter-force' options, allowing to include static values into IDMEF events generated using a given format.
- New PPP/PPTPD/L2TP ruleset, by Alexander Afonyashin, with slight modification from Pierre Chifflier. Close #340.
- Fix CISCO VPN ruleset so that the 'Authentication rejected' rule will trigger even if the 'server' field does not contain a word (fix #328).
- Remove dos-style end-of-lines (Closes #338).
- Fix possible off by one when parsing variable reference number, and remove un-needed check that would always evaluate to TRUE. Thanks Steve Grubb for reporting this problem (and running flexelint on the Prelude sources)!
- Update for libtool 2.x compatibility.
- This simplifies the whole regular expression handling a lot, making the code much easier to read, and fixing potential problems with ovector assignment. This code should also improve performance by a small factor.
- Change CISCO reference urls to their new location, add CISCO ASA rule to handle discarded tcp or udp packets.
- Various fixes and updates.

------[ SUPPORT ]------

Improving Prelude is costly, but you can help! We are looking for organizations that find Prelude useful and wish to contribute back. Commercial support contracts for Prelude are available, and they help finance continued maintenance. PreludeIDS Technologies, a privately held company, is currently funding Prelude maintenance.
------[ DOWNLOAD ]------

http://www.prelude-ids.com/development/download/

------[ CHECKSUM ]------

MD5 : 7a2921fa737df2605f739ce734c14c2c
SHA1 : 96f2f0d029dd75ca047bc0839f14418ddc1b5975
SHA256 : b326bbbff3f0873a79e26067a08cc4f77fcccffae99c86c497798b4b0e145d26

------[ OpenPGP key ]------

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x23D2FAC3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAABAgAGBQJKXy/NAAoJEBHxO34j0vrDne8QAIBhHiBUG4nXAywxCMSQ5XQ2
PBo9yqFA1MbZcCe0oyQzdC2Bc6qnT5ObUNsL8ulatzhZ0zpv20qGrjPXJvJ3uHKA
iDoiJjDxr4ESYuK2T28Fg3tsJMdQvelg2ITeZnt8WX7jKYgonELhHKzVp6xZCB0m
Pz6v/uzRsJG4oQHiUcmAFDYp9gkyC4lEaoZ0ZNr5AcVah2RpnDIyGWbeMIcOKBDH
8yFhxSfSZoTfb7r2czeFr2IHQ8afUxdAS2Gdc29IXgfE2LeRnBpmGDBNI3wqLY+c
5HislA7oVnjwBigxZFW8ahg4uJSYveskoyEgV7qeRBwVixg+80sji7T6ADvdxPQ3
8A1keDmgez7ZXUdiC4HbFmpiXgKdWtlRShRR/e24/ziTsdsgYgevZu9DGFPvFBM+
xS4HgjuAugdom/I0r/skIfKNmIY3jeuHQ8KG3nYmJKaW7Meh5ajvfZCxYClv24SF
9EZKsfc5sQZhOaNSO492ebtL077MijQ2qIbEcmnCBBLwB5ucB4Z3klcugR6vViRw
RBuQP5Z2MaY1qaZjEhzaQOb5Jy20IB8jYlcFJFgJsVrhfZcR4JG7+qI4fl3imYcA
UrhYzV8mbjGM2+Bf4nDwSJOUBcbj103hbFYbzSTOjht8OYMnHJbWvsQMNcVgxi1s
FuU2SeWZz0Wkg+ffK7Xb
=SowH
-----END PGP SIGNATURE-----

--
Yoann Vandoorselaere | Directeur Technique/CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58 Fax: +33(0)4 78 42 21 58
http://www.prelude-ids.com

From doug2die4 at gmail.com Wed Jul 22 21:36:40 2009
From: doug2die4 at gmail.com (Doug2die4)
Date: Wed, 22 Jul 2009 15:36:40 -0400
Subject: [prelude-user] Libprelude installation on WINDOWS
Message-ID: <7e42d170907221236m7330482bg11800fe0c1b95259@mail.gmail.com>

Hi all,

I'm currently trying to install libprelude on a Windows Server 2k3 and I'm having some trouble. I would like to know if someone has already done it and what should be done from scratch. On my own I've installed the libprelude-prelude-0.9.23.win32-py2.5.exe and libprelude-0.9.23.exe but nothing else.
Now, when I tried to start prelude-admin, I got "libdl.dll missing", but I can't figure out where I should get it and what I need to do next. I haven't seen any documentation either on how to install it on a Windows server.

If anyone can help me that would be fine.

Thx all

Doug

From doug2die4 at kadx.org Wed Jul 22 21:56:14 2009
From: doug2die4 at kadx.org (Doug)
Date: Wed, 22 Jul 2009 15:56:14 -0400
Subject: [prelude-user] Libprelude installation on WINDOWS
In-Reply-To: <7e42d170907221236m7330482bg11800fe0c1b95259@mail.gmail.com>
References: <7e42d170907221236m7330482bg11800fe0c1b95259@mail.gmail.com>
Message-ID: <7e42d170907221256j1d7907d5y511658e13e138708@mail.gmail.com>

Hi all,

I'm currently trying to install libprelude on a Windows Server 2k3 and I'm having some trouble. I would like to know if someone has already done it and what should be done from scratch. On my own I've installed the libprelude-prelude-0.9.23.win32-py2.5.exe and libprelude-0.9.23.exe but nothing else.

Now, when I tried to start prelude-admin, I got "libdl.dll missing", but I can't figure out where I should get it and what I need to do next. I haven't seen any documentation either on how to install it on a Windows server.

If anyone can help me that would be fine.

Thx all

Doug

From ry209 at rz.uni-karlsruhe.de Sun Jul 26 16:18:39 2009
From: ry209 at rz.uni-karlsruhe.de (Arthur Fink)
Date: Sun, 26 Jul 2009 16:18:39 +0200
Subject: [prelude-user] sirios
Message-ID: <4A6C65BF.1020909@rz.uni-karlsruhe.de>

Hi,

I want to send the correlated alerts into the sirios ticket system via email.

Has someone already tried that or knows where to look for the necessary options in prelude?
http://www.sirios.org/

Thanks, Arthur

From prmarino1 at gmail.com Sun Jul 26 19:59:00 2009
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Sun, 26 Jul 2009 13:59:00 -0400
Subject: [prelude-user] sirios
Message-ID: <4a6c99fd.27b38c0a.2b0f.ffffdef7@mx.google.com>

Well, sirios, if I remember correctly, is a sub-project of otrs that has some added features, so this should be fairly easy: all you need is the email plugin. The tricky part is going to be getting the filters to capture the alerts you want right. Also you may want to configure an auto ticket agent or an email alias linked to a specific queue in sirios to handle setting the preferences, so that when the tickets are created and modified it won't try to send update emails to the ticket creator.

-----Original Message-----

From: Arthur Fink
Subj: [prelude-user] sirios
Date: Sun Jul 26, 2009 10:18 am
Size: 376 bytes
To: prelude-user at prelude-ids.org

Hi,

I want to send the correlated alerts into the sirios ticket system via email.

Has someone already tried that or knows where to look for the necessary options in prelude?

http://www.sirios.org/

Thanks, Arthur

_______________________________________________
Prelude-user site list
Prelude-user at prelude-ids.org
http://lists.prelude-ids.org/mailman/listinfo/prelude-user

From ry209 at rz.uni-karlsruhe.de Mon Jul 27 16:28:34 2009
From: ry209 at rz.uni-karlsruhe.de (Arthur Fink)
Date: Mon, 27 Jul 2009 16:28:34 +0200
Subject: [prelude-user] sirios
In-Reply-To: <4a6c99fd.27b38c0a.2b0f.ffffdef7@mx.google.com>
References: <4a6c99fd.27b38c0a.2b0f.ffffdef7@mx.google.com>
Message-ID: <4A6DB992.7030106@rz.uni-karlsruhe.de>

I found the output plugins section after I read your reply. I guess it should be easy to get it running then.

Thanks, Arthur

Paul Robert Marino wrote:
> Well, sirios, if I remember correctly, is a sub-project of otrs that has some added features, so this should be fairly easy: all you need is the email plugin. The tricky part is going to be getting the filters to capture the alerts you want right. Also you may want to configure an auto ticket agent or an email alias linked to a specific queue in sirios to handle setting the preferences, so that when the tickets are created and modified it won't try to send update emails to the ticket creator.
> -----Original Message-----
>
> From: Arthur Fink
> Subj: [prelude-user] sirios
> Date: Sun Jul 26, 2009 10:18 am
> Size: 376 bytes
> To: prelude-user at prelude-ids.org
>
> Hi,
>
> I want to send the correlated alerts into the sirios ticket system via
> email.
>
> Has someone already tried that or knows where to look for the necessary
> options in prelude?
>
> http://www.sirios.org/
>
> Thanks, Arthur
>
> _______________________________________________
> Prelude-user site list
> Prelude-user at prelude-ids.org
> http://lists.prelude-ids.org/mailman/listinfo/prelude-user
>
>
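Added example, not part of the list archive and not Prelude-LML's own code: a small Python model of the two-stage behaviour Yoann describes in the "Prelude-lml sensor" thread (a prefix regex that only extracts header fields such as hostname and PID, and never drops unmatched lines) applied to the header-less sshd line from the "prelude-lml and syslog message over the network" thread. The prefix regex, rule names and field names here are this example's own assumptions, not Prelude-LML's ruleset syntax; the line carrying the hostname "gateway" is constructed for contrast, while the bare sshd/pam_unix line is the one quoted on the list.

```python
"""Two-stage log matching in the style Prelude-LML's prefix-regex is described
on the list (added example, not Prelude code).

Stage 1: a prefix regex pulls common header fields (timestamp, hostname,
process, PID) out of a BSD-style syslog line.  A line whose header does not
match is NOT discarded: it still goes through the ruleset in stage 2, it just
carries no header fields.
Stage 2: a constructed ruleset is run over the message part and produces an
event with the fields the rule captured.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed header layout: "Mar 16 11:04:20 host prog[pid]: message".
# Group names are this example's own, not Prelude-LML variable names.
PREFIX_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<process>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Constructed ruleset: (rule id, classification, regex over the message part).
RULES = [
    ("pam_auth_failure", "Authentication failure",
     re.compile(r"pam_unix\((?P<service>\w+):auth\): authentication failure;"
                r".*rhost=(?P<rhost>\S*).*user=(?P<user>\S*)")),
]

# Sample input.  SAMPLE_BARE is the line quoted on the list (no timestamp or
# hostname); SAMPLE_FULL and SAMPLE_NOISE are constructed for this example.
SAMPLE_BARE = ("sshd[24034]: pam_unix(sshd:auth): authentication failure; "
               "logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.100.1 user=root")
SAMPLE_FULL = "Mar 16 11:04:20 gateway " + SAMPLE_BARE
SAMPLE_NOISE = "Mar 16 11:04:21 gateway cron[12]: (root) CMD (run-parts /etc/cron.hourly)"


@dataclass
class Event:
    classification: str
    rule: str
    header: dict = field(default_factory=dict)  # empty when the prefix did not match
    fields: dict = field(default_factory=dict)


def analyze(line: str) -> Optional[Event]:
    """Run the prefix regex, then the ruleset; return an Event or None."""
    m = PREFIX_RE.match(line)
    if m:
        header = {k: v for k, v in m.groupdict().items()
                  if k != "message" and v is not None}
        message = m.group("message")
    else:
        # No usable header: analyze the whole line anyway, with no header fields.
        header, message = {}, line
    for rule_id, classification, rx in RULES:
        rm = rx.search(message)
        if rm:
            return Event(classification, rule_id, header, rm.groupdict())
    return None


def origin(event: Event, sender_ip: str) -> Optional[str]:
    """Origin host of an event.  Only the hostname parsed from the message is
    trusted; the UDP sender address is deliberately never used as a fallback,
    because the message may have been relayed through another machine, which
    is the reason given on the list for not relying on it."""
    return event.header.get("hostname")


if __name__ == "__main__":
    for line in (SAMPLE_FULL, SAMPLE_BARE, SAMPLE_NOISE):
        ev = analyze(line)
        print(ev.rule if ev else "no match", "->", ev and ev.header, ev and ev.fields)
```

Run as a script, the constructed full line yields the rule with hostname and PID filled in, the bare line from the list yields the same rule and the same rhost/user fields but an empty header, and the cron line yields no event. A real deployment would hold the rules in a file and tag the event with the rule's classification and severity; the shape of the two stages is what the example is meant to show.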