
List:       prelude-devel
Subject:    Re: [prelude-devel] [PATCH] prelude plugin for specter
From:       Yoann Vandoorselaere <yoann.v () prelude-ids ! com>
Date:       2006-09-19 11:26:18
Message-ID: 1158665178.13002.26.camel () arwen

Hi Maik,


It is really nice to see a Prelude output module being implemented for
Specter. Thanks for your interest in supporting the Prelude system!


On Fri, 2006-09-15 at 11:55 +0200, Maik Hentsche wrote:
> I'm currently working on getting firewall (netfilter/iptables)
> log messages into prelude. For this I wrote a plugin for specter
> (http://joker.linuxstuff.pl/specter/), a daemon that handles logging
> through the ULOG target (as ulogd does, if anyone knows that). This
> plugin is not yet finished, but it has reached a stable state where I feel
> a little stuck. I send this patch in the hope that someone will try it out and
> send me useful comments. The main goal is to have specter_PRELUDE log
> everything syslog logs (dest IP, source IP, ports, flags, ...). I'm not
> sure if the classification of this data into IDMEF is appropriate in
> every case, so positive and negative comments on this are welcome too.

Use AdditionalData element for any data you don't know where to store.
If the data can fit in another more specific IDMEF object, we'll point
it out.

All information available from the Specter report should be available
from the IDMEF alert.

[...]

> I hope to hear from you; thanks to everyone who tests my code.

I'd suggest sending your request to both prelude-user and Specter
mailing list to get a wider audience.


* Some comments, from a quick look at the code:

The AM_PATH_LIBPRELUDE macro provided by libprelude.m4 should be used in
order to detect the libprelude library.

Make sure to check the return value of idmef_path_set() and print an
error if there is a problem.

In fini_prelude() you use PRELUDE_CLIENT_EXIT_STATUS_SUCCESS as the exit
status. However, only applications that are not running permanently
should use this status. Other applications should always be online, and
failure to be online shall be considered a problem. Since I guess
Specter is such an application, it should probably use the
PRELUDE_CLIENT_EXIT_STATUS_FAILURE status.

Rather than converting the enumeration values to integers, use their
string equivalents. For example, use "ipv4-addr" rather than
IDMEF_ADDRESS_CATEGORY_IPV4_ADDR.

I don't see any initialization of the Analyzer object for Specter. I'd
suggest that you look at Prelude-LML (lml-alert.c) to see how
initialization of this object is done.

In order to check that the generated alerts are correct, I'd suggest
running prelude-manager with the Xmlmod plugin loaded, with DTD validation
enabled.

Once the above is done and you have no validation error, I would suggest
that you provide some sample alert output from the Prelude-Manager Debug
plugin so that we can review them.

Regards,

-- 
Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58                  Fax: +33(0)4 78 42 21 58
http://www.prelude-ids.com
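The mapping Yoann asks for above (specific IDMEF objects where one exists, the string category "ipv4-addr" instead of the enumeration, AdditionalData for everything else so no field of the report is lost, and no return value ignored), as an added C example that is not part of Maik's patch or of libprelude: it turns one constructed netfilter log line into the (path, value) string pairs a plugin would hand to idmef_path_new_fast(), idmef_value_new_from_path() and idmef_path_set(). The choice of which Source/Target path holds the ports, protocol and flags is this example's assumption, not something the thread settles.

```c
#include <stdio.h>
#include <string.h>
#define MAX_PAIRS 32
#define STR_LEN 64
/* Constructed sample of the netfilter/ULOG message text the plugin receives. */
#define SAMPLE_LINE "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 DF PROTO=TCP SPT=4444 DPT=22 SYN"

/* One (IDMEF path, value) pair: the strings the plugin would pass to idmef_path_new_fast(),
 * idmef_value_new_from_path() and idmef_path_set(), checking every return value. */
struct idmef_pair { char path[STR_LEN]; char value[STR_LEN]; };

/* Fields with a specific IDMEF home (assumed paths); addresses also get the string
 * category "ipv4-addr" rather than the numeric IDMEF_ADDRESS_CATEGORY_IPV4_ADDR. */
static const struct { const char *key, *path, *category; } direct[] = {
    { "SRC",   "alert.source(0).node.address(0).address", "alert.source(0).node.address(0).category" },
    { "DST",   "alert.target(0).node.address(0).address", "alert.target(0).node.address(0).category" },
    { "SPT",   "alert.source(0).service.port",     NULL },
    { "DPT",   "alert.target(0).service.port",     NULL },
    { "PROTO", "alert.target(0).service.protocol", NULL },
    { NULL, NULL, NULL }
};

static int push(struct idmef_pair *out, int *n, const char *path, const char *value)
{
    if (*n >= MAX_PAIRS) return -1;   /* an error the caller reports, not data silently dropped */
    snprintf(out[*n].path, STR_LEN, "%s", path);
    snprintf(out[*n].value, STR_LEN, "%s", value);
    (*n)++;
    return 0;
}

/* Map one log line ("KEY=VALUE" tokens plus bare flags such as SYN or DF) onto IDMEF paths.
 * Fields without a specific home go to AdditionalData (meaning = key, data = value, or "set"
 * for a bare flag). Returns the number of pairs written, or -1 if the table overflowed. */
int netfilter_to_idmef(const char *line, struct idmef_pair *out)
{
    char buf[256], adpath[STR_LEN], *tok, *eq;
    int n = 0, ad = 0, rc = 0, i;
    snprintf(buf, sizeof buf, "%s", line);
    for (tok = strtok(buf, " "); tok && rc == 0; tok = strtok(NULL, " ")) {
        eq = strchr(tok, '=');
        if (eq) *eq++ = '\0';         /* tok is the key, eq the value (NULL for a bare flag) */
        for (i = 0; eq && direct[i].key && strcmp(tok, direct[i].key); i++) ;
        if (eq && direct[i].key) {
            rc = push(out, &n, direct[i].path, eq);
            if (rc == 0 && direct[i].category)
                rc = push(out, &n, direct[i].category, "ipv4-addr");
        } else if (!eq || *eq) {      /* empty fields such as "OUT=" carry nothing worth keeping */
            snprintf(adpath, STR_LEN, "alert.additional_data(%d).meaning", ad);
            rc = push(out, &n, adpath, tok);
            snprintf(adpath, STR_LEN, "alert.additional_data(%d).data", ad++);
            if (rc == 0) rc = push(out, &n, adpath, eq ? eq : "set");
        }
    }
    return rc ? -1 : n;
}
```

Each returned pair corresponds to one idmef_path_set() call in the real plugin, and the -1 result is the overflow case that should be printed as an error rather than ignored.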

