raprelude
Language: en
Version: 26. September 2005 (mandriva - 01/05/08)
Section: 1 (User commands)
NAME
raprelude - log an argus(8) data file/stream to a prelude IDS manager using IDMEF.
COPYRIGHT
Copyright (c) 2003,2005 PRESECURE Consulting GmbH. Copyright (c) 2000-2002 QoSient. All rights reserved.
SYNOPSIS
raprelude [ra options]
DESCRIPTION
Raprelude reads argus data from an argus file and logs the entries to a prelude IDS manager. The events to be logged can be configured in a configuration file that resides in the prelude profile directory of the sensor. raprelude uses a configuration from the libprelude directory; the default profile is called "raprelude". A different profile can be selected with the environment variable "RAPRELUDE_PROFILE". The PRELUDE-specific settings, such as the address of the manager host, are read from the PRELUDE configuration.
OPTIONS
raprelude, like all ra based clients, supports a large number of options. There are no specific options for raprelude. See ra(1) for a complete description of ra options.
EXAMPLE INVOCATION
Before running raprelude you have to couple it with your prelude-manager (you will get a corresponding message on the first run). You can then simply start raprelude reading records from an argus logfile:

    raprelude -r argus.log
Configuration File
After the coupling with the prelude-manager you will find a directory named "raprelude" in the profiles directory of libprelude. In this directory you can create the configuration file named "class.conf". The syntax of the file is as follows:

    LINE     = [IDMEF_ENTRY]+
    LINE     = COMMENT | RULE
    COMMENT  = "# [whatever comment]"
    RULE     = [PATTERN]* CLASSIFY ACTION
    PATTERN  = PROTO | SADDR | SPORT | DADDR | DPORT | ITYPE
    CLASSIFY = CLASS | REF | SEVERITY
    ACTION   = "ACTION drop" | "ACTION log" | "ACTION store"
    CLASS    = "CLASS 'classification string'"
    REF      = "URL 'http://www.reference.server.net/class-reference.html'"
    SEVERITY = "SEVERITY info|low|medium|high"
    PROTO    = "PROTO <PROTONAME>"                          # (see /etc/protocols)
    SADDR    = "SADDR any" | "SADDR <ipaddress> <netmask>"
    SPORT    = "SPORT eq <portno>" | "SPORT ne <portno>" | "SPORT gt <portno>" | "SPORT lt <portno>" | "SPORT range <lowportno> <highportno>"
    DADDR    = "DADDR any" | "DADDR <ipaddress> <netmask>"
    DPORT    = "DPORT eq <portno>" | "DPORT ne <portno>" | "DPORT gt <portno>" | "DPORT lt <portno>" | "DPORT range <lowportno> <highportno>"
    ITYPE    = "ITYPE any" | "ITYPE <typeno>"                # icmp type number

The meaning of the entries CLASS, URL and SEVERITY is described in the IDMEF Data Model and Extensible Markup Language (XML) Document Type Definition, see http://www.ietf.org/html.charters/idwg-charter.html
EXAMPLE CLASS CONFIGURATION
This example classification config file assigns classifications and references to several kinds of network traffic:

    # classification file for argus logs
    #
    PROTO TCP DADDR any DPORT eq 80 CLASS "WWW Traffic " URL "http://bla.com/03.html" SEVERITY info ACTION log
    PROTO UDP DADDR any DPORT eq 162 CLASS "SNMP Traffic" URL "http://bla.com/02.html" SEVERITY info ACTION log
    PROTO any CLASS "Unknown Traffic" URL "http://bla.com/01.html" SEVERITY medium ACTION store
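The following is an added example, not code from raprelude or the argus clients: a small Python parser and matcher for the class.conf grammar and example configuration above, run over a constructed configuration that also exercises the netmask, port-range and ITYPE forms. The flow record is assumed to be a dict with proto (lowercase, as ra(1) prints it), saddr, daddr and optional sport, dport and itype, and the first matching rule is assumed to win, as the "PROTO any" catch-all at the end of the example file suggests.

```python
import ipaddress, operator, shlex
# Constructed class.conf text in the syntax described above (not the project's own file).
SAMPLE_CONF = """# classification file for argus logs
PROTO TCP DADDR any DPORT eq 80 CLASS "WWW Traffic" URL "http://bla.com/03.html" SEVERITY info ACTION log
PROTO UDP DADDR 10.0.0.0 255.0.0.0 DPORT range 161 162 CLASS "SNMP Traffic" URL "http://bla.com/02.html" SEVERITY info ACTION log
PROTO ICMP ITYPE 8 CLASS "ICMP Echo" URL "http://bla.com/04.html" SEVERITY low ACTION log
PROTO any CLASS "Unknown Traffic" URL "http://bla.com/01.html" SEVERITY medium ACTION store
"""
PORT_OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "lt": operator.lt}

def parse_rules(text):
    """One rule per line: zero or more patterns, then the CLASS/URL/SEVERITY/ACTION keywords."""
    rules = []
    # shlex keeps the quoted strings whole and strips '#' comments; blank lines yield no tokens
    for toks in filter(None, (shlex.split(l, comments=True) for l in text.splitlines())):
        pats, rule, i = [], {}, 0
        while i < len(toks):
            key, arg = toks[i].upper(), toks[i + 1]
            if key in ("SADDR", "DADDR") and arg.lower() != "any":  # "<ipaddress> <netmask>"
                pats.append((key, ipaddress.ip_network(f"{arg}/{toks[i + 2]}", strict=False)))
                i += 3
            elif key in ("SPORT", "DPORT"):  # eq|ne|gt|lt <port>  or  range <low> <high>
                n = 2 if arg.lower() == "range" else 1
                pats.append((key, arg.lower(), *map(int, toks[i + 2:i + 2 + n])))
                i += 2 + n
            elif key in ("PROTO", "SADDR", "DADDR", "ITYPE"):  # one argument, possibly "any"
                pats.append((key, int(arg) if key == "ITYPE" and arg.lower() != "any" else arg.lower()))
                i += 2
            elif key in ("CLASS", "URL", "SEVERITY", "ACTION"):
                rule[key.lower()], i = arg, i + 2
            else:
                raise ValueError(f"unknown keyword {toks[i]!r} in: {' '.join(toks)}")
        rules.append({**rule, "patterns": pats})
    return rules

def pattern_matches(pat, flow):
    key, arg = pat[0], pat[1]
    if key in ("PROTO", "ITYPE"):
        return arg == "any" or flow.get(key.lower()) == arg
    if key in ("SADDR", "DADDR"):
        return arg == "any" or ipaddress.ip_address(flow[key.lower()]) in arg
    port = flow.get(key.lower())  # SPORT/DPORT: a flow without ports (e.g. icmp) never matches
    return port is not None and (pat[2] <= port <= pat[3] if arg == "range" else PORT_OPS[arg](port, pat[2]))

def classify(rules, flow):
    """First rule whose patterns all match wins (assumed); returns (class, severity, action) or None."""
    for rule in rules:
        if all(pattern_matches(p, flow) for p in rule["patterns"]):
            return rule["class"], rule["severity"], rule["action"]
    return None
```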
AUTHORS
Olaf Gellert (og@pre-secure.de).
SEE ALSO
ra(1), rarc(5), argus(8)