{"id":345,"date":"2015-02-23T19:30:29","date_gmt":"2015-02-23T19:30:29","guid":{"rendered":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=345"},"modified":"2017-12-03T20:02:48","modified_gmt":"2017-12-03T20:02:48","slug":"the-prelude-module","status":"publish","type":"page","link":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=345","title":{"rendered":"The prelude module"},"content":{"rendered":"<p>The <code>prelude<\/code>\u00a0module serves to interface Orchids with the <a href=\"https:\/\/www.prelude-siem.org\">Prelude<\/a> SIEM and with its associated security console, Prewikka. \u00a0(On Linuxes\u2014not available on the Mac OS X platform.)<\/p>\n<p>It is both\u00a0an\u00a0<a title=\"Dissection modules\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=126\">input module<\/a>\u00a0and an <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=656\">extension module<\/a>.<\/p>\n<ul>\n<li>Prelude can act as an event collecting mechanism. \u00a0In that case Orchids takes Prelude as a source of events, and the\u00a0<code>prelude<\/code>\u00a0module serves as an\u00a0<a title=\"Dissection modules\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=126\">input module<\/a>.<br \/>\nThis is done by setting <code>Mode analyzer<\/code>\u00a0\u00a0in the configuration section of the <code>prelude<\/code> module (see Configuration below).<br \/>\nIn that mode, \u00a0Orchids will poll the Prelude SIEM regularly for new alerts (Orchids currently ignores Prelude error and heartbeat events), and build one Orchids event for each new alert. \u00a0The Orchids fields are defined by simple accessor expressions, not XPath expressions. \u00a0Again, see Configuration below.<\/li>\n<li>Conversely, Orchids can act as an event source to Prelude. 
\u00a0The primitives that allow one to construct Prelude alerts and send them to Prelude are an <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=656\">extension<\/a> of the <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=279\">Orchids language<\/a> provided by the <code>prelude<\/code> module.<br \/>\nThis can be configured in two ways:<\/p>\n<ul>\n<li>by setting <code>Mode sensor<\/code>\u00a0or <code>Mode analyzer<\/code>\u00a0in the configuration section of the <code>prelude<\/code> module (see Configuration below). \u00a0Orchids then provides new primitives to build and populate Prelude alert documents, and send them to a running Prelude instance through its new primitive\u00a0<code>prelude_message_send<\/code>\u00a0(see Primitives, below),<\/li>\n<li>or by setting <code>Mode prewikka<\/code>\u00a0in the configuration section of the <code>prelude<\/code> module. \u00a0In that case, Orchids provides the same primitives as above, except that\u00a0<code>prelude_message_send<\/code>\u00a0now adds an IDMEF alert to the Prewikka database instead of sending it directly to a Prelude instance.<br \/>\nIn <code>prewikka<\/code> mode, Orchids does not read events from Prelude.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Prelude alerts are <a href=\"https:\/\/www.ietf.org\/rfc\/rfc4765.txt\">IDMEF<\/a> documents, however of a kind that is private to the Prelude SIEM. In particular, they cannot be handled by the primitives provided by the <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=327\"><code>idmef<\/code><\/a> and <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=362\"><code>xml<\/code><\/a> modules. 
\u00a0The <code>prelude<\/code> module provides specific primitives to deal with them: see the Primitives section below.<\/p>\n<h3>Configuration options<\/h3>\n<p><code>&lt;module prelude&gt;<\/code><\/p>\n<ul>\n<li><code>Mode<\/code>\u00a0<em>mode<\/em>: the\u00a0<em>mode<\/em> can be set to <code>analyzer<\/code>, <code>sensor<\/code>, or <code>prewikka<\/code>.<br \/>\nOrchids can read Prelude alerts if\u00a0<em>mode<\/em> is equal to <code>analyzer<\/code>, and it can build and send alerts in any of the three modes. \u00a0When\u00a0<em>mode<\/em> is <code>prewikka<\/code>, the <code>prelude<\/code>-specific primitive\u00a0<code>prelude_message_send<\/code>\u00a0writes the IDMEF alert given as argument to the Prewikka database. \u00a0In the other two modes, it sends it to the running Prelude client.<\/li>\n<li><code>PollPeriod<\/code> <em>number<\/em>:\u00a0 \u00a0 (if <code>Mode<\/code> is <code>analyzer<\/code>)<br \/>\nset the polling period to\u00a0<em>number<\/em> seconds: Orchids will poll Prelude for new alerts every\u00a0<em>number<\/em> seconds. \u00a0Default is 1.<\/li>\n<li><code>str_field<\/code> <em>field-name<\/em> <em>accessor<\/em>:\u00a0\u00a0 \u00a0 (if <code>Mode<\/code> is <code>analyzer<\/code>)<br \/>\ndefine new Orchids field name <code>.prelude.<\/code><em>field-name<\/em>, with accessor defined by the\u00a0<em>accessor<\/em> string. \u00a0For example:<\/p>\n<pre>str_field assessment_type \"alert.assessment.impact.type\"\r\nstr_field first_source_addr \"alert.source(0).node.address(0).address\"<\/pre>\n<p>The first one reads the <code>type<\/code> subitem of the <code>impact<\/code> subitem of the <code>assessment<\/code> item of the main <code>alert<\/code> node. 
\u00a0The second one selects the <code>address<\/code> subitem of the first (number 0) subitem of the <code>address<\/code> subitem of the <code>node<\/code> subitem of etc.<br \/>\nThe fields defined for Orchids, here <code>.prelude.assessment_type<\/code> and\u00a0<code>.prelude.first_source_addr<\/code>, are of type <code>str<\/code>.<br \/>\nThis is the only field type that the <code>prelude<\/code> module provides.<\/li>\n<li><code>PreludeDBSettings<\/code> <em>string<\/em>: \u00a0 \u00a0(if <code>Mode<\/code> is <code>prewikka<\/code>)<br \/>\n<em>string<\/em> is a string of options passed when opening the Prelude database, used by Prewikka.<br \/>\nOptions are of the form:<\/p>\n<ul>\n<li>\n<div><code>host=<\/code><em>string<\/em>: set host name on which the database engine listens (default: <code>localhost<\/code>)<\/div>\n<\/li>\n<li>\n<div>\u00a0<code>port=<\/code><em>number<\/em>: port on which the database engine listens<\/div>\n<\/li>\n<li>\n<div>\u00a0<code>type=<\/code><em>type<\/em>: type of database, can be <code>mysql<\/code>, <code>pgsql<\/code>, or <code>sqlite<\/code><\/div>\n<\/li>\n<li>\n<div>\u00a0<code>name=<\/code><em>string:<\/em>\u00a0name of the database<\/div>\n<\/li>\n<li>\n<div>\u00a0<code>file=<\/code><em>string<\/em>: file name where the database is stored (if <code>type<\/code> is\u00a0<code>sqlite<\/code>)<\/div>\n<\/li>\n<li>\n<div>\u00a0<code>user=<\/code><em>name<\/em>: user id who will access the database<\/div>\n<\/li>\n<li>\n<div>\u00a0<code>pass=<\/code><em>string<\/em>: password used by user to access the database.<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<li><code>Profile<\/code> <em>name<\/em>:<br \/>\nset Prelude profile name to\u00a0<em>name<\/em>. 
\u00a0Default is <code>orchids<\/code>.<\/li>\n<\/ul>\n<p><code>&lt;\/module&gt;<\/code><\/p>\n<h3>Primitives<\/h3>\n<ul>\n<li><strong><code>prelude_message_new<\/code><\/strong> : \u2192 <code>prelude<\/code><br \/>\ncreate a new Prelude IDMEF document<\/p>\n<ul>\n<li>Prelude has its own notion of IDMEF documents, which are incompatible with the <code>xmldoc<\/code> type used in the <a title=\"The idmef module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=327\"><code>idmef<\/code> module<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong><code>prelude_message_set<\/code><\/strong> : <code>prelude<\/code>, <code>str<\/code>, <em>type<\/em> \u2192 <code>int<\/code><br \/>\nwhere <em>type<\/em> is among <code>int<\/code>, <code>uint<\/code>, <code>float<\/code>, <code>str<\/code>, <code>ctime<\/code>.<\/p>\n<ul>\n<li>usage: <code>prelude_message_set<\/code>(<em>prelude-document<\/em>, <em>path<\/em>, <em>value<\/em>)<br \/>\nset the attribute located at path <em>path<\/em> in <em>prelude-document<\/em> to <em>value<\/em><br \/>\n<em>path<\/em> should be a valid XPath path specification<\/li>\n<li>returns: 1 (true) if all went well, 0 (false) otherwise, typically if <em>path<\/em> is invalid<\/li>\n<\/ul>\n<\/li>\n<li><strong><code>prelude_message_get_string<\/code><\/strong> : <code>prelude<\/code>, <code>str<\/code> \u2192 <code>str<\/code><br \/>\nobtain an attribute from a Prelude IDMEF document<\/p>\n<ul>\n<li>usage: <code>prelude_message_get_string<\/code>(<em>prelude-document<\/em>, <em>path<\/em>)<br \/>\nget the attribute located at path <em>path<\/em> in <em>prelude-document<\/em><br \/>\n<em>path<\/em> should be a valid XPath path specification<\/li>\n<li>returns: the value if all went well, the undefined value <code>null<\/code> otherwise, typically if <em>path<\/em> is invalid<\/li>\n<\/ul>\n<\/li>\n<li><strong><code>prelude_message_send<\/code><\/strong> : <code>prelude<\/code> \u2192 <code>int<\/code><br \/>\nsend the Prelude document given as argument<\/p>\n<ul>\n<li>will 
either insert it into the PreWikka database (if &#8216;<code>Mode prewikka<\/code>&#8216; is given in the configuration options), or send it to the Prelude manager (if &#8216;<code>Mode sensor<\/code>&#8216; or &#8216;<code>Mode analyzer<\/code>&#8216; is given in the configuration options)<\/li>\n<li>returns: 1 (true) if all went well, 0 (false) otherwise<br \/>\nan error can only occur in <code>Mode prewikka<\/code><\/li>\n<\/ul>\n<\/li>\n<li><strong><code>prelude_message_print<\/code><\/strong> : <code>prelude<\/code> \u2192 <code>int<\/code><br \/>\nprint prelude document on stderr (for debugging purposes)<\/p>\n<ul>\n<li>returns: 1 (true)<code><\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The prelude\u00a0module serves to interface Orchids with the Prelude SIEM and with its associated security console, Prewikka. \u00a0(On Linuxes\u2014not available on the Mac OS X platform.) It is both\u00a0an\u00a0input module\u00a0and an extension module. Prelude can act as an event collecting mechanism. 
\u00a0In that case Orchids takes Prelude as a source of events, and the\u00a0prelude\u00a0module serves &hellip; <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=345\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">The prelude module<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-345","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=345"}],"version-history":[{"count":11,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/345\/revisions"}],"predecessor-version":[{"id":709,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/345\/revisions\/709"}],"wp:attachment":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}