altprobe: IDS events collector
Altprobe is a component of the Alertflex project; in SIEM/Log Management terminology it functions as a collector. In tandem with the Alertflex controller (see the AlertflexCtrl repository on this GitHub profile), Altprobe can integrate the Wazuh Host IDS (OSSEC fork) and the Suricata Network IDS with the Graylog Log Management platform and the MISP Threat Intelligence Platform.
Functionalities of Altprobe
- Reads events in JSON format from a Redis server, as produced by Suricata NIDS, Wazuh HIDS, ModSecurity WAF and Elastic Stack MetricBeat
- Based on filtering policies, the Collector retrieves high priority events from the data streams created by security sensors, then aggregates and normalizes these events. This simplifies the management of alerts and incidents and reduces noise from minor events.
- High priority events (alerts) are immediately sent to the central node
- Events (log events) that have been rejected for processing as alerts can be redirected to the Log Management platform
- All log events are sent to the Controller pre-accumulated in a compressed data set; this implements the “Anti-flooding” algorithm, which prevents large bursts of events on the controller side.
- In case of loss of communication between remote and central nodes, the Collector saves all alerts locally in a file
- Generates an alert if the network traffic thresholds have reached the limits
- Generates an alert if the metrics thresholds for hosts (CPU, Memory, HDD, Swap) have reached the limits
- Creates reports on network activities of host processes (based on events from Sysmon for Windows and Auditd for Linux, received through Wazuh IDS). This allows determining the name of the process associated with suspicious network connections.
- To avoid loss of useful information, the Collector keeps various statistics about all events that have passed through it
Types of events generated by Altprobe (GELF format is used)
- "short_message": "alert-flex", "full_message": "Alert from Alertflex collector/controller"
- "short_message": "alert-hids", "full_message": "Alert from OSSEC/Wazuh HIDS"
- "short_message": "alert-fim", "full_message": "Alert from OSSEC/Wazuh FIM"
- "short_message": "alert-nids", "full_message": "Alert from Suricata NIDS"
- "short_message": "dns-nids", "full_message": "DNS event from Suricata NIDS"
- "short_message": "ssh-nids", "full_message": "SSH event from Suricata NIDS"
- "short_message": "netflow-nids", "full_message": "Netflow event from Suricata NIDS"
- "short_message": "alert-waf", "full_message": "Alert from ModSecurity/NGINX"
- "short_message": "process-linux", "full_message": "Network activity of linux process from Auditd"
- "short_message": "process-win", "full_message": "Network activity of windows process from Sysmon"
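The following is an added illustration, not Altprobe's own code, of the collector pipeline described above for the Suricata path: Suricata EVE JSON records are mapped to the GELF event types listed, high priority alerts are separated from ordinary log events by a severity policy, and the rest is left for batching. The sample EVE lines, the `max_severity` policy and the `_src_ip`/`_dest_ip`/`_signature` additional field names are assumptions for the example.

```python
import json
from datetime import datetime
from typing import Optional

# Suricata EVE event_type -> (short_message, full_message) as listed in the README.
SURICATA_TYPES = {
    "alert": ("alert-nids", "Alert from Suricata NIDS"),
    "dns": ("dns-nids", "DNS event from Suricata NIDS"),
    "ssh": ("ssh-nids", "SSH event from Suricata NIDS"),
    "netflow": ("netflow-nids", "Netflow event from Suricata NIDS"),
}

# Constructed sample EVE records (not captured from a real sensor).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"SAMPLE high priority rule","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"SAMPLE low priority rule","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"rrname":"example.com","type":"query"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"stats"}',
]


def to_gelf(event: dict, host: str) -> Optional[dict]:
    """Normalize one EVE event into a GELF 1.1 message; None for unsupported event types."""
    names = SURICATA_TYPES.get(event.get("event_type"))
    if names is None:
        return None
    short_message, full_message = names
    # EVE timestamps carry a numeric UTC offset, which %z parses; GELF wants seconds since epoch.
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
    gelf = {"version": "1.1", "host": host, "short_message": short_message,
            "full_message": full_message, "timestamp": ts, "level": 6}  # 6 = syslog informational
    # GELF additional fields must start with "_"; these names are assumed, not Altprobe's.
    for key in ("src_ip", "dest_ip"):
        if key in event:
            gelf["_" + key] = event[key]
    if "alert" in event:
        gelf["_signature"] = event["alert"].get("signature")
        gelf["_severity"] = event["alert"].get("severity")
    return gelf


def process_stream(lines, host: str, max_severity: int = 2):
    """Apply the filtering policy: Suricata alerts with severity <= max_severity (1 is highest)
    become high priority alerts for immediate sending; everything else is a log event for batching."""
    alerts, logs = [], []
    for line in lines:
        gelf = to_gelf(json.loads(line), host)
        if gelf is None:
            continue  # e.g. "stats" records are neither alerts nor forwarded log events here
        if gelf["short_message"] == "alert-nids" and gelf["_severity"] <= max_severity:
            gelf["level"] = 4  # syslog warning
            alerts.append(gelf)
        else:
            logs.append(gelf)
    return alerts, logs
```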
git clone https://github.com/olegzhr/Altprobe.git
Copyright (c) 2005 – 2006 Swiss Federal Institute of Technology (ETH Zurich), Department of Computer Science (http://www.inf.ethz.ch), Christian Plattner. All rights reserved.