Prelude Library (https://www.prelude-siem.org)
The Prelude Library is brought to you by CS GROUP (http://www.csgroup.eu).
Prelude Library Overview
========================
The Prelude Library is used to make sensor developers' life better by
providing features used by every sensor:
- Manager(s) Connection management (with fallback in case all
configured Managers are down, and automatic reconnection).
- Interface to communicate with the Prelude Manager.
- Asynchronous Message interface (allowing sensors to emit messages
without blocking, even if there is latency on the wire).
- Asynchronous timer interface.
- Generic configuration API, providing a generic abstraction for
command-line, configuration file option, and wide option support.
- Wide option management allowing sensor-exported options to be directly
accessible from the Manager administrative console.
- Generic plugin API.
Prelude Communication
=====================
Prelude SIEM uses a unique, optimized implementation of the XML-based IDMEF
message format to transmit alerts between the sensors and the manager
and between managers.
Using IDMEF, Prelude provides a generic method for virtually any type
of sensor to describe precisely the content of an alert.
Dependencies
============
For Redhat based systems (CentOS, Fedora, etc.)
Minimal : groupinstall "Development tools"
gnutls-devel libtool-ltdl-devel
Autogenerated files: swig bison flex
Documentation : gtk-doc
Perl Binding : perl perl-devel
Python 2 Binding : python-devel
Python 3 Bindings : python34-devel
LUA Binding : lua lua-devel
Ruby Binding : ruby ruby-devel
PCRE support : pcre-devel
For Debian systems
Minimal : build-essential libtool autoconf
gnutls-dev pkg-config
Autogenerated files: swig bison flex
Documentation : gtk-doc-tools libglib2.0-dev
Perl Binding : perl
Python 2 Binding : python-dev
Python 3 Binding : python3-dev
Ruby Binding : ruby ruby-dev
LUA 5.1 Binding : lua5.1 liblua5.1-dev
LUA 5.2 Binding : lua5.2 liblua5.2-dev
PCRE support : libpcre3-dev
IRC
===
If there's something you just can't find out elsewhere, you want to
give feedback directly to the authors or you're just bored, visit
#prelude on irc.freenode.net
Get Support
===========
Prelude-user forums can be accessed at:
https://www.prelude-siem.org/projects/prelude/boards
Old mailing lists can be accessed at:
http://news.gmane.org/gmane.comp.security.ids.prelude.user
news://news.gmane.org/gmane.comp.security.ids.prelude.user
Commercial Support is available through the CS company:
https://www.prelude-siem.com, [email protected]
Help development
================
1. SUBMITTING PATCHES
The Prelude source is constantly changing. If you want to submit a patch,
please do so from the most recent GIT source tree, subscribe to the
prelude-devel forum and post your patch with a description of functionality.
You can also attach patches to bugs on
https://www.prelude-siem.org
2. BUGS
If you find any bugs, please report them to:
https://www.prelude-siem.org
Please make sure that what you're reporting is actually a BUG and not
a problem on your side.
3. SUGGESTIONS
Subscribe to prelude-devel and give us your suggestions.
How to install the Prelude Library
==================================
1. Prelude Library installation
If you don't want to build the Prelude Library yourself, you can get
prebuilt RPM and Debian packages at https://www.prelude-siem.org.
If you want to build Prelude, unpack the tarball and cd into the
newly created directory. Then type:
./configure
make
If everything works, su to root and type:
make install
2. Generic sensor installation
First, all sensors get some generic configuration files, installed in:
- $prefix/etc/prelude/default/idmef-client.conf [specific to sensor]
- $prefix/etc/prelude/default/global.conf [used by sensor and manager]
These files contain entries that *may* be shared between several sensors.
If a sensor provides the same entry in its own configuration file,
then the sensor will by default use its own entry.
An example of a shared entry (in the generic sensor configuration file
provided by default) is:
server-addr = 127.0.0.1:4690 || x.x.x.x;
This tells the sensor to try to connect to both 127.0.0.1:4690
and x.x.x.x:4690. If both connections work, only the first will be used.
The opposite happens if you use:
server-addr = 127.0.0.1:4690 && x.x.x.x;
This means that both connections must succeed for a sensor message to
be considered successfully sent.
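The `||` (fallback) and `&&` (all-required) semantics above, worked through as an added Python example that is not part of libprelude; the parser, the default-port rule and the assumption that `&&` binds tighter than `||` (no parentheses) are this example's own, and the 192.0.2.x addresses are constructed.

```python
# Added example (not libprelude code): models the server-addr entry
# semantics described above. '||' separates fallback alternatives and
# '&&' groups managers that must all accept a message. Assumptions of
# this example: '&&' binds tighter than '||', parentheses are not
# supported, and a bare address gets the default port 4690.

DEFAULT_PORT = 4690


def parse_server_addr(entry):
    """Turn 'a:4690 || b && c;' into [['a:4690'], ['b:4690', 'c:4690']].

    Each inner list is an '&&' group; the outer list is the fallback
    order in which the groups are tried.
    """
    body = entry.strip().rstrip(";").strip()
    groups = []
    for alternative in body.split("||"):
        group = []
        for addr in alternative.split("&&"):
            addr = addr.strip()
            if not addr:
                raise ValueError("empty address in server-addr entry: %r" % entry)
            if ":" not in addr:  # IPv4 address or hostname without a port
                addr = "%s:%d" % (addr, DEFAULT_PORT)
            group.append(addr)
        groups.append(group)
    return groups


def plan_delivery(entry, reachable):
    """Return the list of managers a message is sent to.

    `reachable` is the set of 'host:port' managers the sensor can
    currently connect to. The first '&&' group whose members are all
    reachable wins; None means no group can be satisfied, so the
    message is not considered sent.
    """
    for group in parse_server_addr(entry):
        if all(manager in reachable for manager in group):
            return group
    return None


if __name__ == "__main__":
    entry = "127.0.0.1:4690 || 192.0.2.10;"  # constructed sample entry
    print(plan_delivery(entry, {"127.0.0.1:4690", "192.0.2.10:4690"}))
    print(plan_delivery("127.0.0.1:4690 && 192.0.2.10;", {"127.0.0.1:4690"}))
```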
When linked against the Prelude Library, a sensor must be registered
in order to set it up for the first time.
If you start a sensor without registering it, it will print out a message
like:
"
Profile 'prelude-lml' does not exist. In order to create it, please run:
prelude-admin register "prelude-lml" "idmef:w" <manager address> --uid 0 --gid 0
"
Running this program with the arguments printed by the sensor will start
the registration procedure for this sensor.
The prelude-admin program will ask you to start the prelude-admin program
on the Manager host:
"
You now need to start "prelude-admin" on the server host where
you need to register to:
use: "prelude-admin registration-server <analyzer-name>"
"
"analyzer-name" should be substituted by the name of your Manager
(prelude-manager is the default, unless you provided a customized
analyzer-name option on the prelude-manager command line, or in its
configuration file).
The manager-side prelude-admin program will give you a randomly
generated password, which the sensor-side prelude-admin will ask for.
The sensor-side prelude-admin program will then ask you several questions
and connect to the manager-side prelude-admin program. If authentication
succeeds, the sensor and the Manager exchange their certificates.