raprelude

Language: en

Version: 26. September 2005 (mandriva - 01/05/08)

Section: 1 (User commands)

NAME

raprelude - log an argus(8) data file/stream to a prelude IDS manager using IDMEF.
 Copyright (c) 2003,2005 PRESECURE Consulting GmbH.
 Copyright (c) 2000-2002 QoSient.
 All rights reserved.
 
 

SYNOPSIS

raprelude [ra options]

DESCRIPTION

Raprelude reads argus data from an argus file or stream and logs the records to a prelude IDS manager. Which records are logged, and how they are classified, is configured in a file that resides in the sensor's prelude profile directory. raprelude reads its profile from the libprelude profile directory; the default profile is called "raprelude", and a different profile can be selected with the environment variable "RAPRELUDE_PROFILE". The prelude-specific settings, for example the address of the manager host, are taken from the prelude configuration of that profile.

OPTIONS

raprelude, like all ra-based clients, supports a large number of options. There are no options specific to raprelude. See ra(1) for a complete description of the ra options.

EXAMPLE INVOCATION

Before running raprelude you have to couple (register) it with your prelude-manager; on the first run raprelude prints a message telling you so. Once coupled, you can simply start raprelude reading records from an argus log file:

raprelude -r argus.log

Configuration File

After the coupling with the prelude-manager you will find a directory named "raprelude" in the profiles directory of libprelude. In this directory you can create the configuration file named "class.conf". The syntax of the file is as follows:
   FILE         = [LINE]+
   LINE         = COMMENT | RULE
   COMMENT      = "# [whatever comment]"
   RULE         = [PATTERN]* CLASSIFY ACTION
   PATTERN      = PROTO | SADDR | SPORT | DADDR | DPORT | ITYPE
   CLASSIFY     = [CLASS] [REF] [SEVERITY]   # the examples below give all three
   ACTION       = "ACTION drop" | "ACTION log" | "ACTION store"
   CLASS        = "CLASS 'classification string'"
   REF          = "URL 'http://www.reference.server.net/class-reference.html'"
   SEVERITY     = "SEVERITY info|low|medium|high"
   PROTO        = "PROTO any" | "PROTO <PROTONAME>"    # (see /etc/protocols)
   SADDR        = "SADDR any" | "SADDR <ipaddress> <netmask>"
   SPORT        = "SPORT eq <portno>" | "SPORT ne <portno>" |
                  "SPORT gt <portno>" | "SPORT lt <portno>" |
                  "SPORT range <lowportno> <highportno>"
   DADDR        = "DADDR any" | "DADDR <ipaddress> <netmask>"
   DPORT        = "DPORT eq <portno>" | "DPORT ne <portno>" |
                  "DPORT gt <portno>" | "DPORT lt <portno>" |
                  "DPORT range <lowportno> <highportno>"
   ITYPE        = "ITYPE any" | "ITYPE <typeno>"  # icmp type number
 
 A rule with no PATTERN matches every record. The meaning of the
 entries CLASS, URL and SEVERITY is described in the IDMEF Data
 Model and Extensible Markup Language (XML) Document Type
 Definition (the Intrusion Detection Message Exchange Format,
 later published as RFC 4765), see
 http://www.ietf.org/html.charters/idwg-charter.html
 
 
 

EXAMPLE CLASS CONFIGURATION

The following classification file assigns classifications and references to several kinds of network traffic. The last rule has no restricting pattern ("PROTO any"), so it applies to any record:
 # classification file for argus logs
 #
 PROTO TCP DADDR any DPORT eq  80 CLASS "WWW Traffic" URL "http://bla.com/03.html" SEVERITY info ACTION log
 PROTO UDP DADDR any DPORT eq 162 CLASS "SNMP Trap Traffic" URL "http://bla.com/02.html" SEVERITY info ACTION log
 PROTO any CLASS "Unknown Traffic" URL "http://bla.com/01.html" SEVERITY medium ACTION store
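The page does not show how raprelude itself evaluates class.conf. The following Python is an added, stand-alone re-implementation of the grammar in the "Configuration File" section and of the example file above (it is not raprelude's own code) that parses a constructed class.conf and classifies constructed flow records, so you can check what a rule set will do to a given flow before pointing the sensor at a live argus stream. Assumptions, marked in the comments: the first matching rule wins (the page does not state rule ordering), a small constructed protocol table stands in for /etc/protocols, keywords are case-insensitive, and a port "range" is inclusive at both ends.

```python
import ipaddress
import shlex

# Constructed stand-in for /etc/protocols (assumption: only these names are
# needed here; the real tool resolves PROTONAME through the system table).
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}
SEVERITIES = ("info", "low", "medium", "high")
ACTIONS = ("drop", "log", "store")


def parse_class_conf(text):
    """Parse class.conf text into rule dicts following the man page grammar."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # COMMENT or blank line
            continue
        tok = shlex.split(line)                        # keeps quoted CLASS/URL strings whole
        rule = {"patterns": [], "class": None, "url": None, "severity": None, "action": None}
        i = 0
        try:
            while i < len(tok):
                kw = tok[i].upper()                    # assumption: keywords are case-insensitive
                if kw == "PROTO":
                    name = tok[i + 1].lower()
                    if name != "any" and name not in PROTOCOLS:
                        raise ValueError("unknown protocol %r" % name)
                    rule["patterns"].append(("proto", name)); i += 2
                elif kw in ("SADDR", "DADDR"):
                    if tok[i + 1].lower() == "any":
                        rule["patterns"].append((kw.lower(), "any")); i += 2
                    else:                              # "<ipaddress> <netmask>"
                        net = ipaddress.ip_network(tok[i + 1] + "/" + tok[i + 2], strict=False)
                        rule["patterns"].append((kw.lower(), net)); i += 3
                elif kw in ("SPORT", "DPORT"):
                    op = tok[i + 1].lower()
                    if op == "range":
                        rule["patterns"].append((kw.lower(), op, int(tok[i + 2]), int(tok[i + 3]))); i += 4
                    elif op in ("eq", "ne", "gt", "lt"):
                        rule["patterns"].append((kw.lower(), op, int(tok[i + 2]))); i += 3
                    else:
                        raise ValueError("bad port operator %r" % op)
                elif kw == "ITYPE":
                    v = tok[i + 1].lower()
                    rule["patterns"].append(("itype", "any" if v == "any" else int(v))); i += 2
                elif kw == "CLASS":
                    rule["class"] = tok[i + 1]; i += 2
                elif kw == "URL":
                    rule["url"] = tok[i + 1]; i += 2
                elif kw in ("SEVERITY", "ACTION"):
                    v = tok[i + 1].lower()
                    if v not in (SEVERITIES if kw == "SEVERITY" else ACTIONS):
                        raise ValueError("bad %s %r" % (kw, v))
                    rule[kw.lower()] = v; i += 2
                else:
                    raise ValueError("unknown keyword %r" % tok[i])
        except (IndexError, ValueError) as e:
            raise ValueError("class.conf line %d: %s" % (lineno, e))
        if rule["action"] is None:                     # grammar: ACTION is mandatory
            raise ValueError("class.conf line %d: rule without ACTION" % lineno)
        rules.append(rule)
    return rules


def _port_ok(pat, port):
    op = pat[1]
    if op == "eq": return port == pat[2]
    if op == "ne": return port != pat[2]
    if op == "gt": return port > pat[2]
    if op == "lt": return port < pat[2]
    return pat[2] <= port <= pat[3]                    # assumption: range is inclusive


def matches(rule, flow):
    """True if every PATTERN of the rule holds for the flow record."""
    for pat in rule["patterns"]:
        key = pat[0]
        if key == "proto":
            if pat[1] != "any" and PROTOCOLS[pat[1]] != flow["proto"]:
                return False
        elif key in ("saddr", "daddr"):
            if pat[1] != "any" and ipaddress.ip_address(flow[key]) not in pat[1]:
                return False
        elif key in ("sport", "dport"):
            if flow.get(key) is None or not _port_ok(pat, flow[key]):
                return False
        elif key == "itype":
            if pat[1] != "any" and flow.get("itype") != pat[1]:
                return False
    return True


def classify(rules, flow):
    """First matching rule or None (assumption: first match wins; the page states no order)."""
    for rule in rules:
        if matches(rule, flow):
            return rule
    return None


# Constructed class.conf: the page's example plus a netmask, range and ICMP rule.
SAMPLE_CONF = """\
# classification file for argus logs
PROTO TCP DADDR any DPORT eq  80 CLASS "WWW Traffic" URL "http://bla.com/03.html" SEVERITY info ACTION log
PROTO UDP DADDR any DPORT eq 162 CLASS "SNMP Trap Traffic" URL "http://bla.com/02.html" SEVERITY info ACTION log
PROTO TCP SADDR 10.0.0.0 255.0.0.0 DPORT range 6000 6063 CLASS "X11 from inside" URL "http://bla.com/04.html" SEVERITY medium ACTION store
PROTO ICMP ITYPE 8 CLASS "Echo Request" URL "http://bla.com/05.html" SEVERITY low ACTION log
PROTO any CLASS "Unknown Traffic" URL "http://bla.com/01.html" SEVERITY medium ACTION store
"""

# Constructed flow records (proto is the IP protocol number; ports/itype absent where not applicable).
SAMPLE_FLOWS = [
    {"proto": 6,  "saddr": "10.1.2.3",     "sport": 40000, "daddr": "192.0.2.10", "dport": 80},
    {"proto": 6,  "saddr": "10.1.2.3",     "sport": 40001, "daddr": "192.0.2.10", "dport": 6010},
    {"proto": 6,  "saddr": "198.51.100.7", "sport": 40002, "daddr": "192.0.2.10", "dport": 6010},
    {"proto": 1,  "saddr": "10.1.2.3",     "daddr": "192.0.2.10", "itype": 8},
    {"proto": 17, "saddr": "10.1.2.3",     "sport": 5353,  "daddr": "192.0.2.10", "dport": 53},
]


def demo():
    """Classify the constructed flows; returns (class, severity, action) per flow."""
    rules = parse_class_conf(SAMPLE_CONF)
    return [((r["class"], r["severity"], r["action"]) if r else None)
            for r in (classify(rules, f) for f in SAMPLE_FLOWS)]
```

Running `demo()` shows the second flow landing on the X11 rule (source inside 10.0.0.0/8, port in range) while the third, identical except for an outside source address, falls through to the catch-all. A parse error names the offending line, which is the check you want before a malformed rule silently classifies everything as "Unknown Traffic".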
 

AUTHORS

 Olaf Gellert (og@pre-secure.de).
 

SEE ALSO

ra(1), rarc(5), argus(8)