I’ve been using Prelude SIEM for a month now, and have fought off and on with the prelude-manager.conf file’s idmef-criteria and threshold settings to try to fine tune the smtp alerts a bit. I had to focus mainly on tuning at the sensor level (Snort, OSSEC) because I could not, even with user community and developer assistance, get idmef criteria and thresholds to work. This morning I had my first bit of success with it, and I wanted to report it here because I know others have come to my website searching for the same info.
I wasn’t able to filter/threshold based on alert name, but using the code below I was able to set up low severity alerts to go to the database without generating email alerts, while still getting email alerts (and database logging) for medium and high severity events, which is a great first step for me in tuning my SIEM to limit the number of benign email alerts I receive.
```ini
# prelude-manager.conf: both entries are [idmef-criteria] sections of the filter plugin.
# Entry 1: anything that is not low severity goes to both the smtp and the db plugin.
[idmef-criteria]
rule = alert.assessment.impact.severity != low
hook = smtp[default]
hook = db[default]

# Entry 2: low severity alerts are only written to the database, no email.
[idmef-criteria]
rule = alert.assessment.impact.severity == low
hook = db[default]
```
It’s weird: it seems that with no special idmef-criteria set, you get emails/database for everything, but as soon as you specify any criteria, only the criteria specified are acted upon and everything else is ignored completely. Remarkably, this behavior is not documented anywhere that I have found, not even in the prelude users mailing list activity that I searched. (Well, it’s in the mailing list archives now, because I posted it there.)
For example, in the code above I have two idmef-criteria statements. I tried the first of the two alone first, thinking that everything but low severity events would continue being logged to the database and to smtp alerts as well. In fact, however, I stopped getting ALL smtp alerts, and only low severity events were being databased. That seems odd to me, but whatever. That one small bit of undocumented weird behavior was the sole reason I was having so many problems figuring this out. Every time I would try to filter out a particular type of event (or set a threshold to quiet it down to a dull roar) all database and smtp activity would appear to cease completely. Also, you HAVE to include the [default] instance references even if there are no other instances in the config file. Not if you have just one entry, but when you add a second one. Oh, and you can specify more than one “hook” for each criterion.
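The gotcha above (one entry silently starving every hook it does not mention, and hooks without an `[instance]` suffix) is easy to catch before restarting the manager. The following checker is an added example, not part of the original post and not Prelude's own code. It assumes the `[idmef-criteria]` / `rule` / `hook` syntax shown in the post, understands only rules that test `alert.assessment.impact.severity` with `==` or `!=`, and models routing as "once any entry exists, an alert reaches a plugin instance only through an entry whose rule matches it and which lists that instance as a hook"; the author's single-entry observation shows the real manager can diverge from that model, which is exactly why the coverage report is worth reading before deploying. The sample config is constructed from the two entries in the post.

```python
"""Coverage check for the idmef-criteria entries of a prelude-manager.conf fragment."""
import re

SEVERITIES = ("info", "low", "medium", "high")  # the four IDMEF impact severities

# Constructed input: the two-entry config from the post.
SAMPLE_CONF = """
[idmef-criteria]
rule = alert.assessment.impact.severity != low
hook = smtp[default]
hook = db[default]

[idmef-criteria]
rule = alert.assessment.impact.severity == low
hook = db[default]
"""

RULE_RE = re.compile(r"^alert\.assessment\.impact\.severity\s*(==|!=)\s*(\w+)$")
HOOK_RE = re.compile(r"^\w+\[\w+\]$")  # plugin[instance], e.g. db[default]


def parse_criteria(text):
    """Collect each [idmef-criteria] section as {'rule': str|None, 'hooks': [str]}.

    Hand-rolled because stock ini parsers reject repeated section names.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].split("=")[0].strip()
            current = {"rule": None, "hooks": []} if name == "idmef-criteria" else None
            if current is not None:
                entries.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "rule":
            current["rule"] = value
        elif key == "hook":
            current["hooks"].append(value)
    return entries


def rule_accepts(rule, severity):
    """Evaluate a severity-only rule; None when the rule tests anything else."""
    m = RULE_RE.match(rule)
    if not m:
        return None
    op, value = m.groups()
    return severity == value if op == "==" else severity != value


def check_routing(text):
    """Return (findings, routing); routing maps each hook to the severities reaching it.

    Assumed model (not verified against Prelude's source): an alert reaches a hook only
    via an entry whose rule matches it. No entries at all means no filtering.
    """
    findings, routing = [], {}
    for n, entry in enumerate(parse_criteria(text), 1):
        if entry["rule"] is None:
            findings.append(f"entry {n}: missing rule")
            continue
        if not entry["hooks"]:
            findings.append(f"entry {n}: missing hook")
        if rule_accepts(entry["rule"], SEVERITIES[0]) is None:
            findings.append(f"entry {n}: rule not understood: {entry['rule']}")
        accepted = {s for s in SEVERITIES if rule_accepts(entry["rule"], s)}
        for hook in entry["hooks"]:
            if not HOOK_RE.match(hook):
                findings.append(f"entry {n}: hook '{hook}' has no [instance] suffix")
            routing.setdefault(hook, set()).update(accepted)
    for hook, sevs in routing.items():
        missing = [s for s in SEVERITIES if s not in sevs]
        if missing:
            findings.append(f"{hook}: never receives severity {', '.join(missing)}")
    return findings, routing


if __name__ == "__main__":
    findings, routing = check_routing(SAMPLE_CONF)
    for hook, sevs in sorted(routing.items()):
        print(f"{hook}: {', '.join(s for s in SEVERITIES if s in sevs)}")
    for f in findings:
        print("finding:", f)
```

Run against the post's two entries it reports only that `smtp[default]` never sees low severity, which is the intended outcome; run against the first entry alone it reports that `db[default]` never receives low severity, the hole the author spent a month chasing.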