The prelude module

The prelude module serves to interface Orchids with the Prelude SIEM and with its associated security console, Prewikka.  (Linux only; it is not available on the Mac OS X platform.)

It is both an input module and an extension module.

  • Prelude can act as an event collecting mechanism.  In that case Orchids takes Prelude as a source of events, and the prelude module serves as an input module.
    This is done by setting Mode analyzer in the configuration section of the prelude module (see Configuration below).
    In that mode, Orchids will poll the Prelude SIEM regularly for new alerts (Orchids currently ignores Prelude error and heartbeat events), and build one Orchids event for each new alert.  The Orchids fields are defined by simple accessor expressions, not XPath expressions.  Again, see Configuration below.
  • Conversely, Orchids can act as an event source to Prelude.  The primitives that allow one to construct Prelude alerts and send them to Prelude are an extension of the Orchids language provided by the prelude module.
    This can be configured in two ways:

    • by setting Mode sensor or Mode analyzer in the configuration section of the prelude module (see Configuration below).  Orchids then provides new primitives to build and populate Prelude alert documents, and send them to a running Prelude instance through its new primitive prelude_message_send (see Primitives, below),
    • or by setting Mode prewikka in the configuration section of the prelude module.  In that case, Orchids provides the same primitives as above, except that prelude_message_send now adds an IDMEF alert to the Prewikka database instead of sending it directly to a Prelude instance.
      In prewikka mode, Orchids does not read events from Prelude.

Prelude alerts are IDMEF documents, however of a kind that is private to the Prelude SIEM. In particular, they cannot be handled by the primitives provided by the idmef and xml modules.  The prelude module provides specific primitives to deal with them: see the Primitives section below.

Configuration options

<module prelude>

  • Mode mode: the mode can be set to analyzer, sensor, or prewikka.
    Orchids can read Prelude alerts if mode is equal to analyzer, and it can build and send alerts in any of the three modes.  When mode is prewikka, the prelude-specific primitive prelude_message_send writes the IDMEF alert given as argument to the Prewikka database.  In the other two modes, it sends it to the running Prelude client.
  • PollPeriod number:  (if Mode is analyzer)
    set the polling period to number seconds: Orchids will poll Prelude for new alerts every number seconds.  Default is 1.
  • str_field field-name accessor:  (if Mode is analyzer)
    define a new Orchids field named .prelude.field-name, with accessor defined by the accessor string.  For example:

    str_field assessment_type "alert.assessment.impact.type"
    str_field first_source_addr "alert.source(0).node.address(0).address"

    The first one reads the type subitem of the impact subitem of the assessment item of the main alert node.  The second one selects the address subitem of the first (number 0) address subitem of the node subitem of the first (number 0) source subitem of the main alert node: a parenthesized number selects one element of a list-valued subitem.
    The fields defined for Orchids, here .prelude.assessment_type and .prelude.first_source_addr, are of type str.
    This is the only field type that the prelude module provides.

  • PreludeDBSettings string:  (if Mode is prewikka)
    string is a string of options passed when opening the Prelude database, used by Prewikka.
    Options are of the form:

    • host=string: set host name on which the database engine listens (default: localhost)
    • port=number: port on which the database engine listens
    • type=type: type of database, can be mysql, pgsql, or sqlite
    • name=string: name of the database
    • file=string: file name where the database is stored (if type is sqlite)
    • user=name: user id who will access the database
    • pass=string: password used by user to access the database.
  • Profile name:
    set Prelude profile name to name.  Default is orchids.

</module>
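As an added example (it is not part of the original Orchids documentation), here is a complete prelude module section for analyzer mode using the options described above.  The comment syntax (#), the field names other than the two from the text, the extra accessor strings, and the space-separated layout of the PreludeDBSettings string are assumptions; the prewikka-mode alternative is shown commented out, since only one Mode applies at a time:

```text
<module prelude>
  # Read alerts from the Prelude manager; Orchids may also send alerts back.
  Mode analyzer
  Profile orchids
  # Poll the Prelude SIEM for new alerts every 5 seconds (default is 1).
  PollPeriod 5

  # Fields exposed to rules as .prelude.<name>; all are of type str.
  # The two first accessors are the ones from the text; the others are
  # additional IDMEF paths chosen for this example.
  str_field assessment_type     "alert.assessment.impact.type"
  str_field first_source_addr   "alert.source(0).node.address(0).address"
  str_field assessment_severity "alert.assessment.impact.severity"
  str_field classification      "alert.classification.text"
  str_field first_target_addr   "alert.target(0).node.address(0).address"

  # Alternative: write alerts to the Prewikka database instead.  In that mode
  # Orchids does not read events from Prelude, so PollPeriod and str_field
  # lines would be unused.  Credentials below are placeholders.
  # Mode prewikka
  # PreludeDBSettings "type=mysql host=localhost port=3306 name=prewikka user=prewikka pass=CHANGEME"
</module>
```

Note that in prewikka mode the database credentials live in the Orchids configuration file, so that file should be readable only by the user running Orchids.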

Primitives

  • prelude_message_new : → prelude
    create a new Prelude IDMEF document

    • Prelude has its own notion of IDMEF documents, which are incompatible with the xmldoc type used in the idmef module
  • prelude_message_set : prelude, str, type → int
    where type is among int, uint, float, str, ctime.

    • usage: prelude_message_set(prelude-document, path, value)
      set attribute located at path path in prelude-document to value;
      path should be a valid XPath path specification
    • returns: 1 (true) if all went well, 0 (false) otherwise, typically if path is invalid
  • prelude_message_get_string : prelude, str → str
    obtain attribute from prelude IDMEF document

    • usage: prelude_message_get_string(prelude-document, path)
      get attribute located at path path in prelude-document;
      path should be a valid XPath path specification
    • returns: the value if all went well, the undefined value null otherwise, typically if path is invalid
  • prelude_message_send : prelude → int
    send prelude document in argument

    • will either insert it into the Prewikka database (if Mode prewikka is given in the configuration options), or send it to the Prelude manager (if Mode sensor or Mode analyzer is given in the configuration options)
    • returns: 1 (true) if all went well, 0 (false) otherwise;
      an error can only occur in Mode prewikka
  • prelude_message_print : prelude → int
    print prelude document on stderr (for debugging purposes)

    • returns: 1 (true)
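As an added example (not taken from the Orchids documentation or source), here is an Orchids rule that waits for a Prelude alert reporting a successful compromise, builds a new Prelude IDMEF document with the primitives above, and sends it back.  The surrounding rule syntax (rule/state/expect/goto, $-prefixed variables, # comments) is assumed from the rest of the Orchids rule language; the .prelude.* field names assume str_field definitions like those in the Configuration section, and the IDMEF paths passed to prelude_message_set are assumptions chosen to be valid Prelude paths:

```text
rule prelude_relay
{
  state init
  {
    # Only alerts whose impact type is admin or user (IDMEF impact.type)
    # mean a compromise; other types (dos, recon, ...) are ignored here.
    expect (.prelude.assessment_type == "admin" || .prelude.assessment_type == "user")
      goto report;
  }

  state report
  {
    # Keep the source address of the triggering alert for the new report.
    $src = .prelude.first_source_addr;

    # Build a fresh Prelude IDMEF document.  It is a prelude value, not an
    # xmldoc, so the idmef and xml module primitives cannot be used on it.
    $msg = prelude_message_new();
    prelude_message_set($msg, "alert.classification.text",
                        "Orchids: Prelude reported a successful compromise");
    prelude_message_set($msg, "alert.assessment.impact.severity", "high");
    prelude_message_set($msg, "alert.assessment.impact.completion", "succeeded");
    prelude_message_set($msg, "alert.source(0).node.address(0).address", $src);

    # Dump the document on stderr while developing the rule, then hand it to
    # the Prelude manager, or to the Prewikka database in Mode prewikka.
    prelude_message_print($msg);

    # prelude_message_send returns 0 on failure; only the Prewikka database
    # write can fail, so $sent is worth checking when Mode is prewikka.
    $sent = prelude_message_send($msg);
  }
}
```

Each prelude_message_set call also returns 0 when its path is invalid, so while writing a rule it is useful to keep those return values as well and compare them against the prelude_message_print output.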