def create_heartbeat(heartbeat_id, heartbeat_date=None, heartbeat_interval=600, status='', analyzer_id=None):
    """
    Build an IDMEF Heartbeat message for the test suite.

    :param str heartbeat_id: Heartbeat ID, written as ``heartbeat.messageid``.
    :param str heartbeat_date: Optional creation time; ``create_time`` is only
        written when this is truthy.
    :param int heartbeat_interval: Heartbeat interval written to the message
        (default 600).
    :param str status: Value stored as the "Analyzer status" additional data.
    :param str analyzer_id: Analyzer ID; when not given it is derived from
        ``heartbeat_id`` with the dashes removed.
    :return: An IDMEF object carrying the heartbeat fields.
    :rtype: prelude.IDMEF
    """
    analyzer_id = analyzer_id or heartbeat_id.replace('-', '')

    message = prelude.IDMEF()

    # Optional field first, then the fixed fields, so the message is filled
    # in a stable, predictable order.
    fields = []
    if heartbeat_date:
        fields.append(('heartbeat.create_time', heartbeat_date))
    fields.extend([
        ('heartbeat.messageid', heartbeat_id),
        ('heartbeat.heartbeat_interval', heartbeat_interval),
        ('heartbeat.analyzer(0).analyzerid', analyzer_id),
        ('heartbeat.analyzer(0).name', 'prelude-testing'),
        ('heartbeat.analyzer(0).manufacturer', 'https://www.prelude-siem.com'),
        ('heartbeat.analyzer(0).node.name', 'testing.prelude'),
        ('heartbeat.additional_data(0).meaning', 'Analyzer status'),
        ('heartbeat.additional_data(0).data', status),
    ])
    for path, value in fields:
        message.set(path, value)
    return message
def newIDMEF(self):
    """
    Return a fresh IDMEF message with this sensor's ``alert.analyzer(0)``
    block (name, manufacturer, class) already filled in.

    No source or target information is set here.
    """
    message = prelude.IDMEF()
    analyzer_fields = {
        "alert.analyzer(0).name": "Armadito antivirus",
        "alert.analyzer(0).manufacturer": "www.teclib.com",
        "alert.analyzer(0).class": "Antivirus",
    }
    for path, value in analyzer_fields.items():
        message.set(path, value)
    return message
def create_alert(alert_id):
    """
    Build an IDMEF Alert message for the test suite.

    :param str alert_id: Alert ID; written as ``alert.messageid`` and, with
        the dashes removed, as the analyzer ID.
    :return: An IDMEF object carrying the alert fields.
    :rtype: prelude.IDMEF
    """
    message = prelude.IDMEF()
    analyzer_id = alert_id.replace('-', '')
    for path, value in (
        ('alert.messageid', alert_id),
        ('alert.analyzer(0).analyzerid', analyzer_id),
        ('alert.analyzer(0).name', 'prelude-testing'),
        ('alert.analyzer(0).manufacturer', 'https://www.prelude-siem.com'),
        ('alert.analyzer(0).node.name', 'testing.prelude'),
    ):
        message.set(path, value)
    return message
p = select.poll() p.register(f.stdout) # Create a new Prelude client. clientPrelude = prelude.ClientEasy("MySensor") clientPrelude.start() priority = ["info", "low", "medium", "high"] while True: if p.poll(1): s = f.stdout.readline() #conversion # Create the IDMEF message idmef = prelude.IDMEF() m = re.match( r'^([0-9:./-]+)\s+ \[(.+?)\] \[(.+?)\] (.+?) \[(.+?)\] \[Classification: (.+?)\] \[Priority: (\d+)] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5}) -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\n?', s) if m is None: m = re.match( r'^([0-9:./-]+)\s+ \[(.+?)\] \[(.+?)\] (.+?) \[(.+?)\] \[Classification: (.+?)\] \[Priority: (\d+)] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\n?', s) if m is None: continue else: idmef.set("alert.target(0).node.address(0).address",
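#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys

import prelude


def log_cb(level, message):
    """Log callback handed to prelude: echo each library log line to stdout.

    :param level: Log level supplied by the library; not used here.
    :param str message: The log line. It is written verbatim, no newline is
        appended.
    """
    sys.stdout.write("log: " + message)


prelude.PreludeLog.setCallback(log_cb)

idmef = prelude.IDMEF()

print("*** IDMEF->Set() ***")
idmef.set("alert.classification.text", "My Message")
idmef.set("alert.source(0).node.address(0).address", "s0a0")
idmef.set("alert.source(0).node.address(1).address", "s0a1")
idmef.set("alert.source(1).node.address(0).address", "s1a0")
idmef.set("alert.source(1).node.address(1).address", "s1a1")
# address(2) is set to None before address(3), so the wildcard get below
# runs over a list with a None entry in the middle.
idmef.set("alert.source(1).node.address(2).address", None)
idmef.set("alert.source(1).node.address(3).address", "s1a3")
print(idmef)

print("\n*** Value IDMEF->Get() ***")
print(idmef.get("alert.classification.text"))

print("\n*** Listed Value IDMEF->Get() ***")
print(idmef.get("alert.source(*).node.address(*).address"))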
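#!/usr/bin/env python
# coding: utf-8

import logging

from pykafka import KafkaClient
import prelude

logger = logging.getLogger(__name__)

# Prelude sensor identity under which every forwarded message is sent.
client_idmef = prelude.ClientEasy("MySensor")
client_idmef.start()

TOPIC_NAME = "Prelude_IDMEF"
KAFKA_HOSTS = "127.0.0.1:9092"

client_kafka = KafkaClient(hosts=KAFKA_HOSTS)
topic = client_kafka.topics[TOPIC_NAME]
consumer = topic.get_balanced_consumer(consumer_group='testgroup',
                                       auto_commit_enable=True,
                                       auto_commit_interval_ms=10000)

# Every record on the topic is parsed as IDMEF and handed to the manager
# as coming from "MySensor", so the topic is a trust boundary: whoever can
# produce to it can emit alerts in this sensor's name.
for message in consumer:
    # The consumer can yield None (hence the guard); skip those.
    if message is None:
        continue
    try:
        idmef = prelude.IDMEF(message.value)
    except Exception:
        # One unparsable record must not stop the forwarder: with auto-commit
        # on, crashing here would likely replay the same record after a
        # restart. Log it and move on to the next message.
        logger.exception("dropping unparsable IDMEF message from topic %s", TOPIC_NAME)
        continue
    client_idmef.sendIDMEF(idmef)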
def from_json(cls, data):
    """
    Build an instance from a JSON-derived mapping.

    Only ``data["idmef_json"]`` is used; it is passed unchanged to
    ``prelude.IDMEF``. A missing key raises KeyError, and a payload the
    IDMEF constructor rejects raises whatever error it produces.
    """
    serialized = data["idmef_json"]
    idmef = prelude.IDMEF(serialized)
    return cls(idmef)