Prelude Trigger

Intro

Prelude Trigger is a small daemon that executes actions in response to IDMEF events emitted by Prelude IDS.

It is written in Python and distributed under GPL.

Prelude Trigger is heavily based on the Prelude Correlator implementation.

Some of the things it might be useful for:

  • Automatically block an intruder's IP on the firewall.
  • Notify the system administrator about an ongoing attack via e-mail/Jabber/whatever.
  • Disable the offending user's account.
  • Stop a compromised service.
  • Whatever else might be done automatically to stop bad things happening to your system.

Like most of my side projects, it was written to meet my own needs in two evenings, with all the consequences that bears, so consider yourselves warned.

Getting it

Prelude Trigger 1.0.0-beta1.

Prerequisites

  • libprelude compiled with --enable-easy-bindings; tested with versions 0.9.24 and 0.9.24.1, but all versions >= 0.9.23 might work.
  • pyyaml, tested with version 3.09.

Installation

  • python setup.py install or, for Gentoo Linux, the provided ebuild: prelude-trigger-1.0.0_beta1.ebuild.
  • prelude-manager should be running and you need access to its administration interface to register Prelude Trigger. Exact registration instructions are displayed on the first prelude-trigger run.

Running

By default the executable script is installed at /usr/bin/prelude-trigger; run /usr/bin/prelude-trigger --help to see the list of available options.

On Gentoo, if installed using the ebuild above, you can use /etc/init.d/prelude-trigger to start it in daemon mode.

Configuration

Edit /etc/prelude-trigger/prelude-trigger.yaml to add your triggers and /etc/prelude-trigger/prelude-trigger.conf to configure logging.

A trigger consists of two main parts:

  • Filters list: the trigger matches only if all filters match.
  • Actions list: if the trigger matches, all of its actions are executed.

Currently only a regex-based filter and a command-line action are implemented, but new ones are easy to add as plugins.

The command-line action supports IDMEF path substitution: if a command argument is a valid IDMEF path, the value from the IDMEF message is passed to the command; otherwise the argument is passed verbatim.

See the comments in prelude-trigger.yaml for the exact configuration syntax and trigger examples.
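The following is an added illustration, not Prelude Trigger's own code or its YAML syntax: a small Python model of the trigger semantics described above (all filters must match, then every action runs, with IDMEF-path arguments substituted), plus the caller-side once-per-IP dedup that the Known bugs section says is left to your script. The alert is a constructed dict of IDMEF paths standing in for the object libprelude's easy bindings would deliver; the trigger and the block-ip command path are hypothetical.

```python
import re

# Constructed sample alert, flattened to {IDMEF path: value}. This is a
# stand-in for the IDMEF object libprelude hands the daemon (assumption).
SAMPLE_ALERT = {
    "alert.classification.text": "SSH brute force",
    "alert.assessment.impact.severity": "high",
    "alert.source(0).node.address(0).address": "192.0.2.10",
    "alert.target(0).service.port": "22",
}

# Hypothetical trigger with the two parts described above: a filters list
# and an actions list. The command path is a placeholder.
TRIGGER = {
    "filters": [
        ("alert.classification.text", r"(?i)brute.?force"),
        ("alert.assessment.impact.severity", r"^(high|medium)$"),
    ],
    "actions": [
        ["/usr/local/sbin/block-ip",
         "alert.source(0).node.address(0).address", "--reason", "bruteforce"],
    ],
}

def filters_match(alert, filters):
    """Trigger matches only if *all* regex filters match. A path that is
    missing from the alert is a non-match, not an error."""
    for path, pattern in filters:
        value = alert.get(path)
        if value is None or re.search(pattern, str(value)) is None:
            return False
    return True

def substitute(alert, argv):
    """Command-line action: an argument that is a valid IDMEF path present
    in the alert is replaced by its value; anything else is passed
    verbatim. Returns an argv list, never a shell string, so attacker-
    controlled alert content cannot be interpreted by a shell."""
    return [str(alert[arg]) if arg in alert else arg for arg in argv]

def plan_actions(alert, trigger, seen):
    """Return the commands to run for one alert. `seen` holds argv tuples
    already executed, so a repeated alert for the same IP (which
    prelude-lml/Correlator may emit) does not re-run block-ip."""
    if not filters_match(alert, trigger["filters"]):
        return []
    commands = []
    for argv in trigger["actions"]:
        cmd = tuple(substitute(alert, argv))
        if cmd not in seen:
            seen.add(cmd)
            commands.append(list(cmd))
    return commands
```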

Known “bugs”

  • Logging configuration was not tested and thus might be buggy or not work at all.
  • The Prelude Trigger design was intentionally kept minimalistic: it does not support matching across multiple alerts. If you need that, use or extend Prelude Correlator so that it combines the needed alerts and emits a new, higher-level alert that Prelude Trigger then acts on.
  • If some of your actions must be executed only once per some criterion (e.g. a “block IP” action should probably be called only once per IP), you must enforce that yourself in your script, as prelude-lml plus Prelude Correlator may emit the same event multiple times in some scenarios.