How to use LibPrelude » History » Version 5

Anonymous, 05/13/2015 04:48 PM

h1. How to use LibPrelude

This tutorial explains how the LibPrelude library works, how LibPrelude differs from the original IDMEF specification, and gives a few examples of how to use it. If you want to build a sensor, we suggest you follow this tutorial and then see the [[How to build a sensor]] section.

h2. What is LibPrelude?

LibPrelude is the first and only implementation of IDMEF. It is used as a means of communication between Prelude modules. Prelude is a SIEM developed by C-S, which takes part in the SECEF project. Since part of Prelude is open-source, LibPrelude is also open-source and can be used freely.

As Prelude uses LibPrelude as a means of communication between modules, LibPrelude is designed to send IDMEF alerts to a Prelude Manager and can't be used, as of now, without one.

LibPrelude is written in C, but you can find bindings for Python, Perl, C++, Ruby and Lua. We give examples of how to use them below, but you can also find them on "Prelude's site":https://www.prelude-siem.org/projects/prelude/wiki/DevelAgentBuilding.

h2. Download and install

You can install libprelude from the repositories on most distributions using:

* Debian:

<pre>
apt-get install libprelude-dev
</pre>

* CentOS:

<pre>
rpm -i https://www.prelude-ids.org/attachments/download/297/prelude-ids-rhel-2-1.noarch.rpm
yum install libprelude
</pre>

The first command installs a repository definition package downloaded over the network; check its signature (for instance with rpm --checksig) before installing it, since it decides where yum fetches the library from.

You can also find the packages on "Prelude's site":https://www.prelude-siem.org/projects/prelude/files.

h2. How does it work?

LibPrelude is a library that allows you to send IDMEF alerts to a Prelude manager. It is, however, impossible to just create IDMEF alerts and export them in a readable format.

To send IDMEF alerts to a Prelude Manager, you first have to create a client. This client will be the one sending alerts to the manager, and to do so it needs to register with the Prelude Manager.

The client sends heartbeats to the manager, stating that it is still alive and well, and, when needed, sends alerts the exact same way.
Note that heartbeats are also IDMEF messages.

Using LibPrelude to send alerts to a Prelude manager is done in several steps:

* Initializing the Prelude Library
* Creating the Prelude Client
* Starting the Prelude Client: this will make it send heartbeats at a regular pace
* Creating alerts
* Sending Alerts

h2. Format

LibPrelude is based on IDMEF. However, it does not completely follow what is specified in RFC 4765.
First, LibPrelude does not use the XML encoding that the RFC strongly suggests. This means that some attributes, such as alertident, are slightly modified from the RFC. There are also differences in how some of the IDMEF fields are interpreted.

You can add multiple analyzers to one alert using LibPrelude, whereas it is a single required field in the RFC. This difference comes from the fact that the RFC and LibPrelude don't have the same definition of an analyzer: LibPrelude sees every tool that participated in creating the alert as an analyzer.

There are a few more differences between the RFC and LibPrelude's implementation of IDMEF, but more important than that is the treewrap of IDMEF fields used in LibPrelude.

Using LibPrelude to fill an alert is indeed rather easy when referring to this treewrap, which indicates how every field is handled by the library. This treewrap can be found in the documentation that comes along with the library when you install it.

h2. First steps with LibPrelude in several languages

This section is just meant to give a brief overview of how to use LibPrelude. If you really want to build a new sensor, please refer to the [[Building a new Sensor]] section.

h3. Using C

LibPrelude being originally written in C, you have more choice when using C than with the other languages.
First, you have to choose between the low level API and the high level API. The low level API, as you would imagine, gives more performance and needs less memory, but needs more lines of code and is less intuitive. The high level API creates a whole alert, with every field already existing, every time you create a new alert, whereas the low level API needs the fields to be created one by one.

Let's take a brief look at these APIs.

h4. Low level API

* Initializing the Prelude Library

<pre><code class="c">
#include <stdio.h>
#include <libprelude/prelude.h>

int ret;

/* argc and argv are those of main(): libprelude parses its own command line options from them */
ret = prelude_init(&argc, argv);
if ( ret < 0 ) {
        prelude_perror(ret, "unable to initialize the prelude library");
        return -1;
}
</code></pre>

* Creating a new prelude client

<pre><code class="c">
int ret;
prelude_client_t *client = NULL;

/* "my-analyzer" is the name of the profile registered with the manager */
ret = prelude_client_new(&client, "my-analyzer");
if ( ret < 0 ) {
        prelude_perror(ret, "Unable to create a prelude client object");

        /* This destroys the client in case it was created but still reported an error */
        if ( client )
                prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
        return -1;
}
</code></pre>

* Starting a new client

<pre><code class="c">
/* Starting the client connects it to the manager and starts the heartbeat timer */
ret = prelude_client_start(client);
if ( ret < 0 ) {
        prelude_perror(ret, "Unable to start prelude client");

        /* This destroys the client in case something went wrong */
        prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
        return -1;
}
</code></pre>

* Setting client options

<pre><code class="c">
/* Send alerts and run the heartbeat timer from the library's asynchronous thread */
ret = prelude_client_set_flags(client, PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
if ( ret < 0 ) {
        fprintf(stderr, "Unable to set asynchronous send and timer.\n");

        /* This destroys the client and avoids having a misconfigured client sending things */
        prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
        return -1;
}
</code></pre>

* Creating the alert

<pre><code class="c">
idmef_message_t *idmef;
idmef_alert_t *alert;
idmef_classification_t *classification;
prelude_string_t *str;

ret = idmef_message_new(&idmef);
if ( ret < 0 ) {
        prelude_perror(ret, "unable to create IDMEF message");
        return -1;
}

/* With the low level API every node of the IDMEF tree is created explicitly, parent first */
ret = idmef_message_new_alert(idmef, &alert);
if ( ret < 0 ) {
        prelude_perror(ret, "unable to create IDMEF alert");
        idmef_message_destroy(idmef);
        return -1;
}

ret = idmef_alert_new_classification(alert, &classification);
if ( ret < 0 ) {
        prelude_perror(ret, "unable to create IDMEF classification");
        idmef_message_destroy(idmef);
        return -1;
}

ret = idmef_classification_new_text(classification, &str);
if ( ret < 0 ) {
        prelude_perror(ret, "unable to create classification text");
        idmef_message_destroy(idmef);
        return -1;
}

prelude_string_set_constant(str, "My classification");
</code></pre>

* Sending the alert

<pre><code class="c">
/* The message is serialized and sent (in the background when ASYNC_SEND is set), then released */
prelude_client_send_idmef(client, idmef);
idmef_message_destroy(idmef);
</code></pre>

* Destroying the client

<pre><code class="c">
/* Tells the manager the analyzer exited cleanly and releases the client */
prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
</code></pre>

h4. High level API

* Initializing the Prelude Library

<pre><code class="c">
#include <stdio.h>
#include <libprelude/prelude.h>

int ret;

/* argc and argv are those of main(): libprelude parses its own command line options from them */
ret = prelude_init(&argc, argv);
if ( ret < 0 ) {
        prelude_perror(ret, "unable to initialize the prelude library");
        return -1;
}
</code></pre>

* Creating a new prelude client

<pre><code class="c">
int ret;
prelude_client_t *client = NULL;

/* "my-analyzer" is the name of the profile registered with the manager */
ret = prelude_client_new(&client, "my-analyzer");
if ( ret < 0 ) {
        prelude_perror(ret, "Unable to create a prelude client object");

        /* This destroys the client in case it was created but still reported an error */
        if ( client )
                prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
        return -1;
}
</code></pre>

* Starting a new client

<pre><code class="c">
/* Starting the client connects it to the manager and starts the heartbeat timer */
ret = prelude_client_start(client);
if ( ret < 0 ) {
        prelude_perror(ret, "Unable to start prelude client");

        /* This destroys the client in case something went wrong */
        prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
        return -1;
}
</code></pre>

* Setting client options

<pre><code class="c">
/* Send alerts and run the heartbeat timer from the library's asynchronous thread */
ret = prelude_client_set_flags(client, PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER);
if ( ret < 0 ) {
        fprintf(stderr, "Unable to set asynchronous send and timer.\n");

        /* This destroys the client and avoids having a misconfigured client sending things */
        prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
        return -1;
}
</code></pre>

* Creating the alert

<pre><code class="c">
idmef_message_t *idmef;

ret = idmef_message_new(&idmef);
if ( ret < 0 ) {
        prelude_perror(ret, "unable to create IDMEF message");
        return -1;
}

/* With the high level API, fields are addressed by their path in the IDMEF tree:
 * "(n)" selects the n-th element of a list and missing nodes are created on the fly */
idmef_message_set_string(idmef, "alert.classification.text", "My classification text");
idmef_message_set_string(idmef, "alert.classification.reference(0).name", "OSVDB-XXXX");
idmef_message_set_string(idmef, "alert.classification.reference(0).origin", "osvdb");
idmef_message_set_string(idmef, "alert.classification.reference(0).url", "http://my.url/");
</code></pre>

* Sending the alert

<pre><code class="c">
/* The message is serialized and sent (in the background when ASYNC_SEND is set), then released */
prelude_client_send_idmef(client, idmef);
idmef_message_destroy(idmef);
</code></pre>

* Destroying the client

<pre><code class="c">
/* Tells the manager the analyzer exited cleanly and releases the client */
prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);
</code></pre>

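The path notation used by the high level API, and by the @set@ calls of every binding below, maps a dotted path with optional @(n)@ list indices onto the IDMEF tree and creates the nodes that are missing along the way. The following stand-alone C program is an added example, not code from the original page nor from libprelude: it implements a toy version of that mechanism over a small in-memory tree (@tree_set_string@ and @tree_get_string@ stand in for @idmef_message_set_string@ and its getter), and validates the whole path before touching the tree so that a malformed one such as @source(x)@, a trailing dot or an empty segment is rejected without leaving half-created nodes behind. The node type, limits and sample values are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

enum { MAX_NAME = 64, MAX_DEPTH = 16, MAX_CHILDREN = 16 };
/* One node of a toy IDMEF-like tree: name, list index (-1 without "(n)"), leaf value (NULL for inner nodes), children. */
typedef struct node {
        char name[MAX_NAME]; int index; char *value;
        struct node *child[MAX_CHILDREN]; int nchild;
} node_t;
typedef struct { char name[MAX_NAME]; int index; } segment_t;

/* Parse one "name" or "name(n)" segment, stepping *path past its trailing '.'; -1 if malformed. */
static int parse_segment(const char **path, segment_t *seg)
{
        const char *p = *path; size_t len = 0;
        while ( *p && *p != '.' && *p != '(' ) {
                if ( (! isalnum((unsigned char) *p) && *p != '_') || len + 1 >= MAX_NAME ) return -1;
                seg->name[len++] = *p++;
        }
        seg->name[len] = '\0'; seg->index = -1;
        if ( len == 0 ) return -1;                                     /* empty name: "alert..text" */
        if ( *p == '(' ) {
                char *end; long n = strtol(p + 1, &end, 10);
                if ( end == p + 1 || *end != ')' || n < 0 ) return -1;   /* "source(x)", "source(-1)" */
                seg->index = (int) n; p = end + 1;
        }
        if ( *p == '.' ) { if ( *++p == '\0' ) return -1; }             /* trailing dot: "alert." */
        else if ( *p != '\0' ) return -1;                               /* junk after "(n)" */
        *path = p; return 0;
}

/* Split the whole path before touching the tree, so a malformed path never leaves half-created nodes. */
static int parse_path(const char *path, segment_t segs[], int max)
{
        int n = 0;
        if ( ! path || ! *path ) return -1;
        for ( ; *path; n++ ) if ( n >= max || parse_segment(&path, &segs[n]) < 0 ) return -1;
        return n;
}

/* Walk the path from the root; with create set, missing nodes (list entries such as target(1)
 * included) are added on the fly, which is what lets the high level API skip explicit creation. */
static node_t *tree_walk(node_t *root, const char *path, int create)
{
        segment_t segs[MAX_DEPTH];
        node_t *cur = root, *next;
        int n = parse_path(path, segs, MAX_DEPTH);
        if ( n < 0 ) return NULL;
        for ( int i = 0; i < n; i++, cur = next ) {
                next = NULL;
                for ( int j = 0; j < cur->nchild && ! next; j++ )
                        if ( cur->child[j]->index == segs[i].index && ! strcmp(cur->child[j]->name, segs[i].name) )
                                next = cur->child[j];
                if ( next ) continue;
                if ( ! create || cur->nchild >= MAX_CHILDREN || ! (next = calloc(1, sizeof(*next))) ) return NULL;
                strcpy(next->name, segs[i].name);
                next->index = segs[i].index;
                cur->child[cur->nchild++] = next;
        }
        return cur;
}

/* Toy idmef_message_set_string(): 0 on success, -1 on a malformed path or allocation failure. */
int tree_set_string(node_t *root, const char *path, const char *value)
{
        node_t *leaf = tree_walk(root, path, 1);
        char *copy = leaf ? malloc(strlen(value) + 1) : NULL;
        if ( ! copy ) return -1;
        free(leaf->value);
        leaf->value = strcpy(copy, value);
        return 0;
}

/* Toy getter: NULL when the path is malformed, absent from the tree or carries no value. */
const char *tree_get_string(node_t *root, const char *path)
{
        node_t *leaf = tree_walk(root, path, 0);
        return leaf ? leaf->value : NULL;
}

/* The fields set in the page's examples, with constructed sample values (not a real alert). */
node_t *build_example_alert(void)
{
        node_t *root = calloc(1, sizeof(*root));            /* the unnamed root of the message */
        if ( ! root ) return NULL;
        tree_set_string(root, "alert.classification.text", "My classification text");
        tree_set_string(root, "alert.classification.reference(0).origin", "osvdb");
        tree_set_string(root, "alert.source(0).node.address(0).address", "10.0.0.1");
        tree_set_string(root, "alert.target(1).node.address(0).address", "10.0.0.3");
        return root;
}

int main(void)
{
        node_t *alert = build_example_alert();
        printf("%s\n", alert ? tree_get_string(alert, "alert.target(1).node.address(0).address") : "alloc failed");
        return alert ? 0 : 1;
}
```

Note that, as in libprelude, setting @alert.target(1)@ creates a second target even when @target(0)@ was never set; what the manager receives is the set of leaves that carry a value, so the index is a position in the list, not a count of what exists.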
h3. Using C++

* Initializing the Prelude Library

<pre><code class="cpp">
#include <libpreludecpp/prelude.hxx>

using namespace Prelude;

int main(int argc, char **argv)
{
        // libprelude parses its own command line options from argc/argv
        prelude_init(&argc, argv);
}
</code></pre>

* Creating the Prelude Client

<pre><code class="cpp">
// "prelude-correlator" is the profile name; IDMEF_WRITE is the permission requested from the manager
ClientEasy client = ClientEasy("prelude-correlator", Client::IDMEF_WRITE);
</code></pre>

* Starting the Prelude Client: this will make it send heartbeats at a regular pace

<pre><code class="cpp">
client.Start();
</code></pre>

* Creating alerts

As in C, you first have to create an IDMEF message. It then works like the high level API: you can access every field without creating it first.

<pre><code class="cpp">
IDMEF idmef;

// Classification
idmef.Set("alert.classification.text", "C++ Example");

// Source
idmef.Set("alert.source(0).node.address(0).address", "10.0.0.1");

// Target
idmef.Set("alert.target(0).node.address(0).address", "10.0.0.2");
idmef.Set("alert.target(1).node.address(0).address", "10.0.0.3");

// Assessment
idmef.Set("alert.assessment.impact.severity", "low");
idmef.Set("alert.assessment.impact.completion", "failed");
idmef.Set("alert.assessment.impact.type", "recon");

// Additional Data
idmef.Set("alert.additional_data(0).data", "something");
</code></pre>

* Sending Alerts

This example also shuts the library down once the alert has been sent.

<pre><code class="cpp">
client.SendIDMEF(idmef);
prelude_deinit();
</code></pre>

h3. Using Perl

* Initializing the Prelude Library

Pay attention to the initialization: it has changed recently and won't work if you follow the old How To.

<pre><code class="perl">
use strict;
use warnings;
use Prelude;
</code></pre>

* Creating the Prelude Client

<pre><code class="perl">
# The second argument is the permission requested from the manager (a placeholder here; see the
# C++ example for IDMEF_WRITE); the remaining ones describe the analyzer in its heartbeats
my $client = Prelude::ClientEasy->new("analyzer_name", numeral_indicating_the_option, "analyzer_model", "analyzer_class", "manufacturer");
</code></pre>

* Starting the Prelude Client: this will make it send heartbeats at a regular pace

<pre><code class="perl">
$client->start();
</code></pre>

* Creating alerts

<pre><code class="perl">
# Create an IDMEF message
my $idmef = Prelude::IDMEF->new();

# Classification
$idmef->set("alert.classification.text", "Perl Example");

# Source and targets
$idmef->set("alert.source(0).node.address(0).address", "10.0.0.1");
$idmef->set("alert.target(0).node.address(0).address", "10.0.0.2");
$idmef->set("alert.target(1).node.address(0).address", "10.0.0.3");

# Assessment
$idmef->set("alert.assessment.impact.severity", "low");
$idmef->set("alert.assessment.impact.completion", "failed");
$idmef->set("alert.assessment.impact.type", "recon");

# Additional Data
$idmef->set("alert.additional_data(0).data", "something");
</code></pre>

* Sending Alerts

<pre><code class="perl">
$client->sendIDMEF($idmef);
</code></pre>

h3. Using Python

As for Perl, this API has also changed recently, so pay attention to the syntax.

* Initializing the Prelude Library

<pre><code class="python">
import Prelude
</code></pre>

* Creating the Prelude Client

<pre><code class="python">
# Create a new Prelude client. The second argument is the permission requested from the manager
# (a placeholder here; see the C++ example for IDMEF_WRITE); the others describe the analyzer.
client = Prelude.ClientEasy("analyzer_name", numeral_indicating_the_option, "analyzer_model", "analyzer_class", "manufacturer")
</code></pre>

* Starting the Prelude Client: this will make it send heartbeats at a regular pace

<pre><code class="python">
client.start()
</code></pre>

* Creating alerts

<pre><code class="python">
# Create the IDMEF message
idmef = Prelude.IDMEF()

# Classification
idmef.set("alert.classification.text", "Python Example")

# Source
idmef.set("alert.source(0).node.address(0).address", "10.0.0.1")

# Target
idmef.set("alert.target(0).node.address(0).address", "10.0.0.2")
idmef.set("alert.target(1).node.address(0).address", "10.0.0.3")

# Assessment
idmef.set("alert.assessment.impact.severity", "low")
idmef.set("alert.assessment.impact.completion", "failed")
idmef.set("alert.assessment.impact.type", "recon")

# Additional Data
idmef.set("alert.additional_data(0).data", "something")
</code></pre>

* Sending Alerts

<pre><code class="python">
client.sendIDMEF(idmef)
</code></pre>

h3. Using Ruby

* Initializing the Prelude Library

<pre><code class="ruby">
require("Prelude")
</code></pre>

* Creating the Prelude Client

<pre><code class="ruby">
# The second argument is the permission requested from the manager (a placeholder here; see the
# C++ example for IDMEF_WRITE); the others describe the analyzer in its heartbeats
client = Prelude::ClientEasy.new("analyzer_name", numeral_indicating_the_option, "analyzer_model", "analyzer_class", "manufacturer")
</code></pre>

* Starting the Prelude Client: this will make it send heartbeats at a regular pace

<pre><code class="ruby">
client.start()
</code></pre>

* Creating alerts

<pre><code class="ruby">
# Create the IDMEF message
idmef = Prelude::IDMEF.new()

# Classification
idmef.set("alert.classification.text", "Ruby Example")

# Source
idmef.set("alert.source(0).node.address(0).address", "10.0.0.1")

# Target
idmef.set("alert.target(0).node.address(0).address", "10.0.0.2")
idmef.set("alert.target(1).node.address(0).address", "10.0.0.3")

# Assessment
idmef.set("alert.assessment.impact.severity", "low")
idmef.set("alert.assessment.impact.completion", "failed")
idmef.set("alert.assessment.impact.type", "recon")

# Additional Data
idmef.set("alert.additional_data(0).data", "something")
</code></pre>

* Sending Alerts

<pre><code class="ruby">
client.sendIDMEF(idmef)
</code></pre>

h3. Using Lua

* Initializing the Prelude Library

<pre><code class="lua">
require("Prelude")
</code></pre>

* Creating the Prelude Client

<pre><code class="lua">
-- The second argument is the permission requested from the manager (a placeholder here; see the
-- C++ example for IDMEF_WRITE); the others describe the analyzer in its heartbeats
client = Prelude.ClientEasy("analyzer_name", numeral_indicating_the_option, "analyzer_model", "analyzer_class", "manufacturer")
</code></pre>

* Starting the Prelude Client: this will make it send heartbeats at a regular pace

<pre><code class="lua">
client:start()
</code></pre>

* Creating alerts

<pre><code class="lua">
-- Create the IDMEF message
idmef = Prelude.IDMEF()

-- Classification
idmef:set("alert.classification.text", "Lua Example")

-- Source
idmef:set("alert.source(0).node.address(0).address", "10.0.0.1")

-- Target
idmef:set("alert.target(0).node.address(0).address", "10.0.0.2")
idmef:set("alert.target(1).node.address(0).address", "10.0.0.3")

-- Assessment
idmef:set("alert.assessment.impact.severity", "low")
idmef:set("alert.assessment.impact.completion", "failed")
idmef:set("alert.assessment.impact.type", "recon")

-- Additional Data
idmef:set("alert.additional_data(0).data", "something")
</code></pre>

* Sending Alerts

<pre><code class="lua">
client:sendIDMEF(idmef)
</code></pre>