
[ossec-dev] Ossec as a prelude analyzer patch



Hello people,

The attached patch (against CVS HEAD) makes OSSEC act as a sensor for Prelude IDS
(http://www.prelude-ids.org).
(It is a set of three files: the output of `cvs diff`, plus prelude.c and prelude.h,
which did not show up in that diff even though they had been `cvs add`ed, so they
are attached separately below.)

Prelude IDS is a hybrid IDS that adds richer capabilities on top of
existing sensors:
- Unified and modular framework (see
http://www.wallinfire.net/files/prelude-userarch.png)
- Graphical interface with filtering capabilities
- Alerts correlation (prelude-correlator)
- Notification (http://www.wallinfire.net/brouette/,
http://www.gscore.org/blog/index.php/post/2007/03/27/New-brouette-theme)
- IDMEF compliant (For a short introduction, see
http://www.gscore.org/blog/index.php/post/2007/08/13/IDMEF-for-dummies-part-1)
- ...

The idea is for OSSEC to work within the Prelude framework, doing the job it
is good at — host-based intrusion detection (HIDS) — while Prelude takes care
of collection, correlation and display.

If you want to start with the OSSEC and Prelude IDS integration, please
read the Prelude Handbook:
https://trac.prelude-ids.org/wiki/PreludeHandbook

To register your OSSEC sensor, keep in mind that the Prelude client is hooked
into the analysis part of OSSEC (ossec-analysisd). Since that daemon runs as
the `ossec` user, you must register the sensor profile as the `ossec` user
(passing its UID/GID), so that the profile files created by the registration
belong to, and are readable by, the account that will use them at runtime.

On my machine, where the `ossec` user has UID/GID 1007 (substitute the values
`id ossec` reports on your system), I had to do:
prelude-adduser register ossec "idmef:w" localhost --uid 1007 --gid 1007
(`idmef:w` requests write-only IDMEF permission, which is all a sensor needs;
`localhost` is the address of the manager running the registration server.)

and, on the manager side, to accept the registration:
prelude-admin registration-server prelude-manager

And that's all! You can then see OSSEC alerts in the Prewikka GUI.


As usual, feedback appreciated ;-) enjoy!

Sebastien.

? bin
? ossec-prelude.0.patch
? ossec-prelude.1.patch
? src/Config.OS
? src/addagent/manage_agents
? src/analysisd/ossec-analysisd
? src/client-agent/ossec-agentd
? src/headers/zconf.h
? src/headers/zlib.h
? src/logcollector/ossec-logcollector
? src/monitord/ossec-monitord
? src/os_dbd/ossec-dbd
? src/os_execd/ossec-execd
? src/os_maild/ossec-maild
? src/remoted/ossec-remoted
? src/syscheckd/ossec-syscheckd
? src/util/clear_stats
? src/util/list_agents
? src/util/syscheck_update
Index: etc/templates/en/messages.txt
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/templates/en/messages.txt,v
retrieving revision 1.18
diff -r1.18 messages.txt
106a107,109
> 
> # Prelude
> preludeenable="Do you want to enable Prelude IDS (www.prelude-ids.org) support ?"
Index: src/LOCATION
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/LOCATION,v
retrieving revision 1.2
diff -r1.2 LOCATION
1c1
< DIR="/var/ossec"
---
> DIR="/opt/ossec"
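Review bot: The install prefix change from `/var/ossec` to `/opt/ossec` in src/LOCATION looks like a local setting that leaked into the patch rather than part of the Prelude integration; anyone applying the patch as-is would have their OSSEC relocated. Drop this file from the patch and keep `DIR="/var/ossec"`, or, if `/opt/ossec` is intentional, say so in the mail and make it a separate change.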
Index: src/analysisd/Makefile
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/Makefile,v
retrieving revision 1.7
diff -r1.7 Makefile
10c10
< LOCAL= analysisd.c stats.c rules.c rules_list.c config.c fts.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c ${OS_CONFIG}
---
> LOCAL= analysisd.c stats.c rules.c rules_list.c config.c fts.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c prelude.c ${OS_CONFIG}
13a14,16
> CFLAGS+=`libprelude-config --cflags` -DPRELUDE
> LIBS+=`libprelude-config --libs`
> 
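Review bot: `libprelude-config` is invoked and `-DPRELUDE` is defined unconditionally, so every analysisd build now hard-requires libprelude to be installed, even though the C changes are guarded by `#ifdef PRELUDE` and messages.txt adds an opt-in "enable Prelude" question that nothing here honours. Wrap the two lines in a make conditional driven by the install/configure step, e.g. `ifdef PRELUDE_ENABLE` ... `endif` around the `CFLAGS+=`/`LIBS+=` lines, so a build without libprelude still succeeds and the question in messages.txt actually controls the feature. The backtick invocations are evaluated at make time, so a missing `libprelude-config` would otherwise turn into a confusing compiler error rather than a clear "Prelude not found".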
21c24
< 		$(CC) $(CFLAGS) -I./ ${loga_OBJS} -o ${NAME}
---
> 		$(CC) $(CFLAGS) -I./ ${loga_OBJS} -o ${NAME} ${LIBS}
Index: src/analysisd/analysisd.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/analysisd/analysisd.c,v
retrieving revision 1.121
diff -r1.121 analysisd.c
46a47,49
> #ifdef PRELUDE
> #include "prelude.h"
> #endif
113a117,119
> #ifdef PRELUDE
> static prelude_client_t *client;
> #endif
126a133
> 
183a191,193
> #ifdef PRELUDE
>     client = prelude_start(argc, argv);
> #endif
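Review bot: The value returned by `prelude_start()` is never checked, although every failure path in prelude.c returns NULL; a failed initialization then reaches `prelude_client_destroy(client, ...)` at exit and `prelude_client_get_analyzer(client)` in the alert path with a NULL client. Add `if (client == NULL) merror("Prelude client initialization failed; alerts will not be forwarded");` here and guard the Prelude-specific blocks with `if (client)`, or make the failure fatal if Prelude is meant to be mandatory once compiled in. Note also that `prelude_init(&argc, argv)` receives the real argument vector and takes `&argc`, so it may rewrite it; it should run before OSSEC's own option parsing if that happens later in this function, which starts and ends outside the hunk.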
403a414,416
> #ifdef PRELUDE
>     prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
> #endif
422c435,441
<     
---
> 
> #ifdef PRELUDE
>     /* Prelude things */
>     idmef_message_t *idmef; 
>     int ret;
> #endif
> 
881a901,945
> 
> #ifdef PRELUDE
> 		/* Generate prelude alert */
> 		ret = idmef_message_new(&idmef);
> 		if ( ret < 0 ) {
> 		        verbose("Cannot create IDMEF message");
> 			return;
> 		}
> 
> 		add_idmef_object(idmef, "alert.assessment.impact.description", lf->generated_rule->info);
> 		add_idmef_object(idmef, "alert.assessment.impact.severity", 
> 				 ossec_level_to_impact_severity(lf->generated_rule->level));
> 		add_idmef_object(idmef, "alert.assessment.impact.completion", "succeeded");
> 		add_idmef_object(idmef, "alert.classification.text", lf->generated_rule->comment);
> 		
> 		add_idmef_object(idmef, "alert.source(0).Spoofed", "no");
> 		add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", lf->srcip);
> 		add_idmef_object(idmef, "alert.target(0).Service.name", lf->program_name);
> 		add_idmef_object(idmef, "alert.source(0).Service.port", lf->srcport);
> 		add_idmef_object(idmef, "alert.source(0).User.UserId(0).name", lf->srcuser);
> 		
> 		add_idmef_object(idmef, "alert.target(0).Spoofed", "no");
> 		add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", lf->dstip);
> 		add_idmef_object(idmef, "alert.target(0).Service.name", lf->hostname);
> 		add_idmef_object(idmef, "alert.target(0).Service.port", lf->dstport);
> 		add_idmef_object(idmef, "alert.target(0).User.UserId(0).name", lf->dstuser);
> 		
> 		add_idmef_object(idmef, "alert.additional_data(1).type", "string");
> 		add_idmef_object(idmef, "alert.additional_data(1).meaning", "Source file");
> 		add_idmef_object(idmef, "alert.additional_data(1).data", lf->location);
> 		
> 		add_idmef_object(idmef, "alert.additional_data(2).type", "string");
> 		add_idmef_object(idmef, "alert.additional_data(2).meaning", "Log");
> 		add_idmef_object(idmef, "alert.additional_data(2).data", lf->log);
> 		
> 		add_idmef_object(idmef, "alert.additional_data(3).type", "string");
> 		add_idmef_object(idmef, "alert.additional_data(3).meaning", "Full Log");
> 		add_idmef_object(idmef, "alert.additional_data(3).data", lf->full_log);
> 		
> 		idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
> 					 idmef_analyzer_ref(prelude_client_get_analyzer(client)),
> 					 IDMEF_LIST_PREPEND);
> 
> 		idmef_message_destroy(idmef);
> #endif
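Review bot: The IDMEF message built here is never sent: after `idmef_alert_set_analyzer()` the code goes straight to `idmef_message_destroy(idmef)`, with no `prelude_client_send_idmef(client, idmef);` in between, so as written no alert from this hunk reaches the manager (unless the send call was lost along with the files the mail says went missing). Two further points: `alert.target(0).Service.name` is set twice, first from `lf->program_name` and then from `lf->hostname`, so the first value is overwritten — the first was presumably meant for `alert.source(0)`, and the hostname more naturally belongs in `alert.target(0).Node.name`; and event fields such as `lf->srcip`, `lf->srcport` and `lf->srcuser` are unset for most log lines, so each `add_idmef_object()` call on them will fail and log an error per alert — check for NULL before calling. The `return;` on an allocation failure also leaves the enclosing function, which starts and ends outside the hunk, rather than just skipping the Prelude part for this event.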
/* @(#) $Id: preluded.c,v 1.30 2007/03/24 01:20:11 dcid Exp $ */

/* Copyright (C) 2004-2007 Daniel B. Cid <dcid@xxxxxxxxx>
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation
 */

#include <libprelude/prelude.h>
#include <libprelude/prelude-log.h>
#include <libprelude/idmef-message-print.h>

#include "prelude.h"
#include "shared.h"

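/* Identity advertised to the Prelude manager for this analyzer. */
#define DEFAULT_ANALYZER_NAME "ossec"	/* profile name used with prelude-adduser */
#define ANALYZER_CLASS "Host IDS"
#define ANALYZER_MODEL "Ossec"
/* No trailing ';' here: the macro is expanded inside a function-call
 * argument list (prelude_string_set_constant), where it is a syntax error. */
#define ANALYZER_MANUFACTURER "http://www.ossec.net"
#define ANALYZER_VERSION "1.2"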


/*
 * Ossec to Prelude
 */

/**
 * ossec_level_to_impact_severity:
 * @level: Ossec level to convert.
 *
 * Reads and ossec level and convert it into
 * a string IDMEF understands.
 * 
 * Returns: "error" on failure, "info", "low", 
 * "medium" or "high" according to the translated 
 * level
 */
/**
 * ossec_level_to_impact_severity:
 * @level: OSSEC rule level to translate.
 *
 * Maps an OSSEC rule level onto the IDMEF impact severity
 * vocabulary: 0-3 -> "info", 4-7 -> "low", 8-11 -> "medium",
 * 12-16 -> "high".
 *
 * Returns: the severity string, or "error" when @level is
 * negative or above 16. The returned string is static.
 */
extern char *
ossec_level_to_impact_severity(int level)
{
	/* Out-of-range levels have no IDMEF equivalent. */
	if (level < 0 || level > 16)
		return "error";

	if (level <= 3)
		return "info";
	if (level <= 7)
		return "low";
	if (level <= 11)
		return "medium";

	return "high";
}


/*
 * Prelude Only
 */

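/**
 * add_idmef_object:
 * @message: IDMEF message to populate.
 * @object: IDMEF path of the field to set, e.g. "alert.classification.text".
 * @value: string form of the value to store at that path.
 *
 * Sets one field of an IDMEF message from its string representation:
 * the path is parsed, the string is converted to the typed value the
 * path expects, and the value is attached to the message. The temporary
 * path and value objects are released on every exit.
 *
 * Returns: the (non-negative) result of idmef_path_set() on success,
 * a negative value on failure: NULL argument, unknown path, unparsable
 * value, or a failed set. Only the last case is logged, so callers may
 * pass optional, possibly-unset event fields without flooding the log.
 */
extern int 
add_idmef_object(idmef_message_t *message, const char *object, const char *value)
{
        int ret;
        idmef_value_t *val;
        idmef_path_t *path;

        /* Optional event fields (source ip, port, user, ...) are often
         * unset; refuse them here instead of handing NULL to libprelude. */
        if ( ! message || ! object || ! value )
                return -1;

        ret = idmef_path_new_fast(&path, object);
        if ( ret < 0 )
                return -1;

        ret = idmef_value_new_from_path(&val, path, value);
        if ( ret < 0 ) {
                idmef_path_destroy(path);
                return -1;
        }

        ret = idmef_path_set(path, message, val);
	if ( ret < 0 ) {
		/* Log the path name (the original passed the message
		 * pointer to %s) together with libprelude's error text. */
		merror("Cannot add object '%s': %s", object, prelude_strerror(ret));
	}

        idmef_value_destroy(val);
        idmef_path_destroy(path);
        
        return ret;
}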

/*
 * Fill in the model, class, manufacturer and version of the analyzer
 * object attached to the Prelude client, from the ANALYZER_* constants
 * defined above.
 *
 * Returns 0 on success. On failure the libprelude error source and text
 * are logged with merror() and -1 is returned.
 */
static int
setup_analyzer(idmef_analyzer_t *analyzer)
{
        int ret;
        prelude_string_t *string;

        /* One step per field: allocate the string slot on the analyzer,
         * then fill it. Kept as a macro so that the literal is passed to
         * prelude_string_set_constant() directly, exactly as before. */
#define ANALYZER_SET(newfield, text)                            \
        do {                                                    \
                ret = newfield(analyzer, &string);              \
                if ( ret < 0 )                                  \
                        goto err;                               \
                prelude_string_set_constant(string, text);      \
        } while (0)

        ANALYZER_SET(idmef_analyzer_new_model, ANALYZER_MODEL);
        ANALYZER_SET(idmef_analyzer_new_class, ANALYZER_CLASS);
        ANALYZER_SET(idmef_analyzer_new_manufacturer, ANALYZER_MANUFACTURER);
        ANALYZER_SET(idmef_analyzer_new_version, ANALYZER_VERSION);

#undef ANALYZER_SET

        return 0;

 err:
	merror("%s: IDMEF error: %s.\n",
	       prelude_strsource(ret), prelude_strerror(ret));

        return -1;
}

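/**
 * prelude_start:
 * @argc: argument count of the running program.
 * @argv: argument vector of the running program. prelude_init() takes
 *        &argc, so it may rewrite the vector (presumably to strip its
 *        own options) -- call this before any other option parsing.
 *
 * Initializes libprelude, creates the client for the DEFAULT_ANALYZER_NAME
 * profile, describes the analyzer (see setup_analyzer) and connects the
 * client to the manager.
 *
 * Returns: the started client, or NULL if any step failed. Every failure
 * is logged and a partially built client is destroyed before returning,
 * so the caller only has to test for NULL -- and must, since the other
 * helpers in this file dereference the client.
 */
extern prelude_client_t *
prelude_start(int argc, char **argv)
{
        int ret;
        prelude_client_t *client = NULL;

	ret = prelude_init(&argc, argv);
        if ( ret < 0 ) {
                verbose(
                         "%s: Unable to initialize the Prelude library: %s.\n",
                         prelude_strsource(ret), prelude_strerror(ret));
                return NULL;
        }

        /* Test the return code, not only the out-pointer: a negative ret
         * is what carries the error printed below. */
        ret = prelude_client_new(&client, DEFAULT_ANALYZER_NAME);
        if ( ret < 0 || ! client ) {
                verbose(
                         "%s: Unable to create a prelude client object: %s.\n",
                         prelude_strsource(ret), prelude_strerror(ret));

                return NULL;
        }

        /* setup_analyzer() has already logged the libprelude error and
         * returns a plain -1, which is not a prelude error code, so it
         * must not be fed to prelude_strsource()/prelude_strerror(). */
        if ( setup_analyzer(prelude_client_get_analyzer(client)) < 0 ) {
                verbose("Unable to setup the Prelude analyzer.\n");

		prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);

		return NULL;
        }

        ret = prelude_client_start(client);
        if ( ret < 0 ) {
                verbose(
                         "%s: Unable to initialize prelude client: %s.\n",
                         prelude_strsource(ret), prelude_strerror(ret));
 
		prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);

                return NULL;
        }

	return client;
}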

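/**
 * prelude_idmef_debug:
 * @idmef: message to dump; a NULL message is ignored.
 *
 * Prints a human-readable rendering of @idmef on stderr. Debugging aid
 * for checking the fields filled in by the analysis daemon.
 *
 * Does nothing if the prelude_io_t object cannot be created; the
 * original used the io pointer without checking that allocation.
 */
extern void
prelude_idmef_debug(idmef_message_t *idmef)
{
	prelude_io_t *pio;

	if ( ! idmef )
		return;

	/* On failure pio is left unset and must not be used. */
	if ( prelude_io_new(&pio) < 0 )
		return;

	prelude_io_set_file_io(pio, stderr);
	idmef_message_print(idmef, pio);
	prelude_io_destroy(pio);
}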

/* EOF */
/* $Id$ */

/* Copyright (C) 2004-2006 Daniel B. Cid <dcid@xxxxxxxxx>
 * All rights reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation.
 *
 * More details at the LICENSE file included with OSSEC or
 * online at http://www.ossec.net/en/licensing.html .
 */


#ifndef _PRELUDE_H_
#define _PRELUDE_H_
/* NOTE(review): an identifier starting with an underscore followed by an
 * uppercase letter is reserved for the implementation; rename this guard
 * (e.g. OSSEC_PRELUDE_H) when the header is next touched. */

#include <libprelude/prelude.h>

/* Map an OSSEC rule level to an IDMEF impact severity string:
 * "info", "low", "medium", "high", or "error" for an out-of-range level.
 * The returned string is static. */
char *ossec_level_to_impact_severity(int level);
/* Set the field at IDMEF path @object of @message from its string form.
 * Returns a negative value on failure. */
int add_idmef_object(idmef_message_t *message, const char *object, const char *value);
/* Initialize libprelude and start the "ossec" client. Returns NULL on
 * failure (every failure path is logged), so callers must check it. */
prelude_client_t *prelude_start(int argc, char **argv);
/* Dump an IDMEF message to stderr (debugging aid). */
void prelude_idmef_debug(idmef_message_t *idmef);

#endif /* _PRELUDE_H_ */


