jamalong.com

PreludeIDS IDMEF-Criteria Filtering Success

I’ve been using Prelude SIEM for a month now, and have fought off and on with the prelude-manager.conf file’s idmef-criteria and threshold settings to try to fine-tune the SMTP alerts a bit. I had to focus mainly on tuning at the sensor level (Snort, OSSEC) because I could not, even with user community and [...]


Fun with Chromium

Finally discovered a way to play around with Chromium, since I am reasonably sure that I’m not going to be beta-testing one of those netbooks. There’s a virtual disk image out there for download (via torrent) that you can load up in Oracle’s free VirtualBox. There’s an interesting/slightly suspicious (due to the fact that [...]


Snort COMMUNITY-BOT IRC server Detected…false alerts?

I just looked back 15,000 hours in Prewikka, and it’s as I suspected…something recently (3 days ago) started triggering massive numbers of alerts on our internal Snort sensor. The alert triggered is COMMUNITY BOT Internal IRC server detected, Sig ID 1:100000241. There have been 3 instances when the alerts (in mass quantities each instance) were [...]


IDMEF Paths/Messages – Prelude IDS

I have no idea if this list is complete or not, but I had been looking for a list of possible IDMEF messages, particularly as applied to Prelude IDS/SIEM. I was playing with building filters in Prewikka when I noticed that the “build a filter” tool under the settings tab had a loooong list of [...]


Cygwin

Just a quick post to talk about a couple of Linux-y things that I always add to any Windows box I have to use, to make my life easier and more enjoyable from a geek perspective. The first thing, at work or at home, that I put on my Win boxes is Cygwin. Cygwin [...]


Prelude SIEM all but complete…

I got my second Snort sensor online tonight! I had a bit of trouble and delay due to difficulties caused by the cloning process – and my lack of experience and familiarity with same. In order to speed up the building of my second sensor, which was put onto hardware identical to the first one, [...]


Five Noteworthy Open Source Security Apps

I’m merely condensing an article that I encountered elsewhere, partially for my own benefit (as a reminder to check some of them out later!). All five of these are worth checking out. I’ll be looking into at least 3 of them myself. These are all free (some of them have free and paid versions). 1. [...]


Oinkmaster

I’m getting a little uncomfortable with all of the pig & pork references associated with Snort and any associated third-party apps or utilities developed for it. For updating Snort rules (attack signatures) automatically, you basically have two choices: Oinkmaster and PulledPork. I wrestled around with PulledPork for a while but didn’t get anywhere. [...]


Problem solved: Prelude-manager email alert format

For context, please read my previous post describing the problem here. If you look at the default emails generated by prelude-manager’s SMTP plugin, you’ll notice that they are laid out in an “outline” format. The path to a given value includes each indented header above the value, separated by periods. For example, in the [...]


Prelude-manager default smtp alert presentation: UGLY.

I really need to figure out how to “dress up” these damned Prelude IDS alerts. Here’s what they look like when you receive them via email. I even removed a bunch of “additional data” fields at the bottom. The alerts are way too verbose, and you have to hunt for what you really need to [...]

