
Example : Creating a simple sensor using python

Goal and context

To create a simple sensor in python, we need a goal. Let's imagine that you want to monitor the temporary directory /tmp for files being created and deleted.

First, we will need a python module to watch the directory : pyinotify.
On Debian :

apt-get install python-pyinotify

On CentOS :

yum install python-pyinotify

This tutorial is meant to explain how to build a simple sensor, not to master pyinotify. If you want to know more about pyinotify and understand fully what is used in this tutorial, have a look at this tutorial, which was used as an inspiration to write this one.

We will also need the python binding for prelude :
On Debian :

apt-get install python-prelude

On CentOS :

yum install python-prelude

First steps and pyinotify

First, import the modules.

import prelude
import pyinotify

Then we will set up the watch.

This will be done with a surveillance loop and event handlers.

wm = pyinotify.WatchManager()
mask = pyinotify.IN_DELETE | pyinotify.IN_CREATE   # events we want to be notified about
wdd = wm.add_watch('/tmp', mask, rec=True)         # watch /tmp and its subdirectories

# TODO : start a client

# Event Handler. We will fill it later
class EventHandler(pyinotify.ProcessEvent):
    def process_IN_CREATE(self, event):
        # TODO : send IDMEF alert 1
        print("File created in tmp")

    def process_IN_DELETE(self, event):
        # TODO : send IDMEF alert 2
        print("File deleted in tmp")

handler = EventHandler()
notifier = pyinotify.Notifier(wm, handler)
notifier.loop()   # blocks and dispatches events to the handler

This should already print "File created in tmp" and "File deleted in tmp" when you create or delete files in the tmp directory.

Start your client

We are trying to replace the line

# TODO : start a client

First create your client :

client = prelude.ClientEasy("tuto_watch", 4, "analyzer_model", "analyzer_class", "manufacturer")

Instead of "analyzer_model", "analyzer_class" and "manufacturer" you can write whatever you want to appear in the alert.
As for the number (the permissions requested by the sensor), see here what this means.

Then start your client :

client.start()

Send an alert

Let's begin with the creation of a file in tmp.

We're trying to replace the line :

# TODO : send IDMEF alert 1

First you have to create an IDMEF message.

idmef = prelude.IDMEF()

Then fill your alert with the information you have, beginning with the classification. You can find the list of fields here in this wiki.

idmef.set("alert.classification.text", "File created in tmp")
idmef.set("alert.target(0).file(0).name", event.name)
idmef.set("alert.target(0).file(0).path", event.pathname)

Finally, send your alert:

client.sendIDMEF(idmef)

And it's done !!

If you do the exact same thing for the deletion of files in tmp, you'll have :

idmef = prelude.IDMEF()
idmef.set("alert.classification.text", "File deleted in tmp")
idmef.set("alert.target(0).file(0).name", event.name)
idmef.set("alert.target(0).file(0).path", event.pathname)
client.sendIDMEF(idmef)

Register the sensor

If you want to try this code, and I bet you want, you will have to register your new sensor to a prelude manager.
If you don't have prelude installed, go to the end of this tutorial to see a way to visualize your alert.

Let's say you have one and want to register your new sensor to the manager.

First, note the IP address of the machine hosting prelude-manager. You can find it with the command ip a.

Then, on the same machine, enter the command:

prelude-admin registration-server prelude-manager

Then go to the machine hosting your sensor (it can be the same machine) and enter the command :

prelude-admin register tuto_watch "idmef:w" ip_address_that_you_noted_earlier --uid 0 --gid 0

You will be asked for a password that is displayed on the machine hosting prelude-manager. Just follow the instructions and your registration will be done.

If your manager and your sensor are on two separate machines, you will need to edit the conf file /etc/prelude/default/client.conf on the sensor machine.
Change the server-addr setting from 127.0.0.1 to the address you noted earlier.

To ensure that the sensor has been correctly registered, you can consult the list of registered agents :

prelude-admin list

Visualize the alerts on Prewikka

Accessing Prewikka is really easy. Just use your favorite browser and enter the IP address you noted earlier, followed by /prewikka.

ip_address_that_you_noted_earlier/prewikka

You will be asked for a login and a password.
Default login and password are admin admin.

Run your sensor and create a file in your tmp directory.
An alert should appear in Prewikka.

If you don't have prelude installed

First, comment out every line starting with "client".
Instead of sending your alert, print it. This way you should be able to see whether your alert was filled in correctly.

import prelude
import pyinotify

wm = pyinotify.WatchManager()
mask = pyinotify.IN_DELETE | pyinotify.IN_CREATE   # events we want to be notified about
wdd = wm.add_watch('/tmp', mask, rec=True)         # watch /tmp and its subdirectories

# Uncomment these two lines once the sensor is registered with a prelude-manager
# client = prelude.ClientEasy("tuto_watch", 4, "analyzer_model", "analyzer_class", "manufacturer")
# client.start()

# Event Handler : builds one IDMEF alert per inotify event
class EventHandler(pyinotify.ProcessEvent):
    def process_IN_CREATE(self, event):
        idmef = prelude.IDMEF()
        idmef.set("alert.classification.text", "File created in tmp")
        idmef.set("alert.target(0).file(0).name", event.name)
        idmef.set("alert.target(0).file(0).path", event.pathname)
        print(idmef)
        # client.sendIDMEF(idmef)

    def process_IN_DELETE(self, event):
        idmef = prelude.IDMEF()
        idmef.set("alert.classification.text", "File deleted in tmp")
        idmef.set("alert.target(0).file(0).name", event.name)
        idmef.set("alert.target(0).file(0).path", event.pathname)
        print(idmef)
        # client.sendIDMEF(idmef)

handler = EventHandler()
notifier = pyinotify.Notifier(wm, handler)
notifier.loop()   # blocks and dispatches events to the handler
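The two handlers above duplicate the alert-building code and report only the classification and the file. As an added example (not part of the original tutorial or of the Prelude project), the helper below factors the inotify-to-IDMEF mapping into one function, adds an assessment severity and the raw event mask as additional data, and keeps the "print instead of send" fallback from the previous section so it runs without a registered sensor. The severity values, the CLASSIFICATION table and the idmef_fields/emit_alert names are choices made for this example; the IDMEF paths are standard ones.

```python
# Added example: maps an inotify event to IDMEF (path, value) pairs and sends or prints them.
try:
    import prelude            # python-prelude; optional here so the mapping can be tested without it
except ImportError:
    prelude = None

# Raw inotify mask bits (the same values pyinotify exposes as IN_CREATE, IN_DELETE and IN_ISDIR).
IN_CREATE = 0x00000100
IN_DELETE = 0x00000200
IN_ISDIR = 0x40000000

# Event bit -> (classification text, IDMEF severity). Severities are this example's choice.
CLASSIFICATION = {
    IN_CREATE: ("File created in tmp", "low"),
    IN_DELETE: ("File deleted in tmp", "medium"),
}


def idmef_fields(mask, name, pathname):
    """Return the (path, value) pairs for one watched event, or None if we don't report it."""
    entry = CLASSIFICATION.get(mask & (IN_CREATE | IN_DELETE))
    if entry is None:
        return None
    text, severity = entry
    if mask & IN_ISDIR:                      # pyinotify sets IN_ISDIR for directory events
        text = text.replace("File", "Directory")
    return [
        ("alert.classification.text", text),
        ("alert.assessment.impact.severity", severity),
        ("alert.assessment.impact.completion", "succeeded"),
        ("alert.target(0).file(0).category", "current"),
        ("alert.target(0).file(0).name", name),
        ("alert.target(0).file(0).path", pathname),
        ("alert.additional_data(0).meaning", "inotify mask"),
        ("alert.additional_data(0).data", "0x%08x" % mask),
    ]


def emit_alert(client, fields):
    """Build a prelude.IDMEF from fields and send it through a started ClientEasy; with no client, print it."""
    if prelude is None:                      # binding not installed: show what would have been set
        for path, value in fields:
            print("%s = %s" % (path, value))
        return None
    idmef = prelude.IDMEF()
    for path, value in fields:
        idmef.set(path, value)
    if client is None:
        print(idmef)
    else:
        client.sendIDMEF(idmef)
    return idmef
```

In the tutorial's EventHandler, each process_IN_* method then reduces to `emit_alert(client, idmef_fields(event.mask, event.name, event.pathname))`, with client set to None while the sensor is not registered.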