[Oisf-devel] (no subject)

Pierre Chifflier pchifflier at edenwall.com
Mon Jan 11 21:15:37 UTC 2010


Hi,

This is more a request for comment than a patch for merging (unless you
consider it ok ;) )

This patch adds support for sending alerts to the Prelude SIEM system,
using libprelude to handle most of the work.
This allows sending alerts in a secure way (communications in Prelude
are encrypted) and in a standard format (IDMEF is defined in RFC 4765),
and it supports spooling of alerts, redundancy, etc.

Note that libprelude is GPL, which is ok since suricata is GPL too.

The patch can be merged using git am (see Eric's mail).

The plugin is optional, and disabled by default.

About the implementation:
- it is based on snort's implementation
- it works fine and gives good performance results (I accidentally tested
  it in an infinite loop triggered by a rule ...)
- autotools stuff was modified to check for prelude libs and headers
- current log plugins are all file-oriented. To avoid modifying too much
  code, I used the LogFileCtx pointer to store Prelude's own context.
  This works fine, except when exiting (actually, suricata closes the
  log file automatically from the core).
- it misses some fields
- I intend to make some parts optional, like embedding the payload in
  the alert.

If you agree, I'd like to start merging the code before there are too
many modifications and the patch gets too big, and continue working on
it with smaller patches.

While discussing the plugin, the question of performance was raised. I
think that it's not a problem, since libprelude sends events
asynchronously and handles the spooling of events. This is also faster
than writing to an intermediate format (for example, barnyard) and then
re-parsing it from Prelude afterwards. (These arguments can be discussed,
of course, but since the plugin is disabled by default there should be no
problem.)

Best regards,
Pierre
