Altprobe Configuration

The primary configuration file for the Alertflex collector/runner is altprobe.yaml, located in the /etc/altprobe/ folder. It serves as the central point for configuring the collector. One crucial section within this file is the “controller” section. It contains several parameters responsible for communication between the Collector and the Controller.

controller:
  # Send alerts and statistics to Central Node (ActiveMQ interface)
  url: "_amq_url"
  user: "_amq_user"
  pwd: "_amq_pwd"
  cert: "_amq_cert"
  cert_verify: "_cert_verify"
  key: "_amq_key"
  key_pwd: "_key_pwd"

Scanners and sensors configuration

The altprobe.yaml file also contains parameters for the supported security scanners and sensors, which allow their configurations, reports, and log files to be integrated into the solution.

scanners:
  # second project id only for posture tasks
  project_id: "indef"
  # Path to scanner result file
  result_path: "_result_path"
  # Path to trivy scanner executable file, if value is indef trivy scan disabled
  trivy_path: "_trivy_path"
  # Path to kube-hunter scanner executable file, if value is indef kube-hunter scan disabled
  kubehunter_path: "indef"
  # Path to nmap scanner executable file, if value is indef nmap scan disabled
  nmap_path: "indef"
  # Path to nuclei scanner executable file, if value is indef nuclei scan disabled
  nuclei_path: "indef"
  # Path to nikto scanner executable file, if value is indef nikto scan disabled
  nikto_path: "indef"
  # Path to zap scanner executable file (or path to docker), if value is indef zap scan disabled
  zap_path: "indef"
  # Path to cloudsploit scanner executable file (or path to docker), if value is indef cloudsploit scan disabled
  cloudsploit_path: "indef"
  # Path to semgrep scanner executable file (or path to docker), if value is indef semgrep scan disabled
  semgrep_path: "indef"
  # Path to scanned project, if value is indef sonarqube scan disabled
  sonarqube_path: "indef"

sensors:
  # Altprobe can read falco, suricata, wazuh events directly from log files.
  # If xxx_log is "indef", the Redis interface is used. If xxx_redis is "indef", the module is not in use.
  falco_log: "_falco_log"
  falco_redis: "altprobe_crs"

  modsec_log: "_modsec_log"
  modsec_redis: "altprobe_waf"

  suri_log: "_suri_log"
  suri_redis: "altprobe_nids"

  wazuh_log: "_wazuh_log"
  wazuh_redis: "altprobe_hids"

  # For reading events from AWS WAF (only Redis interface)
  # in case value "indef", module is not in use
  awswaf_redis: "altprobe_awswaf"

  # For reading events from altprobe's custom sources (only Redis interface)
  # in case value "indef", module is not in use
  misc_redis: "altprobe_misc"

Filtering policies

The next important configuration file is filters.json in the folder /etc/altprobe/. It contains the filtering policy in JSON format, which describes operations such as alert aggregation, modification, whitelisting and blacklisting. The Alertflex collector (Altprobe) applies the policy to every new event that enters the system. Below is an example fragment of the filtering policy for Wazuh alerts:

    "hids": {
        "log": true,
        "severity": {
            "threshold": 1,
            "level0": 2,
            "level1": 4,
            "level2": 10
        },
        "gray_list": [{
            "event": "5715",
            "agent": "flghost",
            "match": "indef",
            "aggregate": {
                "reproduced": 0,
                "in_period": 0
            },
            "response": {
                "profile": "indef",
                "new_type": "indef",
                "new_source": "indef",
                "new_event": "55715",
                "new_severity": 1,
                "new_category": "cat for 55715",
                "new_description": "desc for 55715"
            }
        }]
    }

In the example above, the gray list contains a policy for the event with ID 5715 (Wazuh classification). When an event with this ID arrives at Altprobe from Wazuh, the following actions are applied to it:

  • The event ID will be modified to 55715.

  • The severity level for the alert will be changed to 1.

  • A new category, “cat for 55715,” will be added to the alert.

  • The description of the alert will be modified to “desc for 55715.”

The filtering policy is loaded from the file filters.json when Altprobe starts. Additionally, the filtering policy can be changed dynamically and pushed to collectors from the central node via the Alertflex REST API.

The collector establishes three main outgoing streams to the controller:

  • Normalized security alerts.

  • Scanner reports for scans that were initiated from the Cnode (central node) side using the REST API.

  • Stream of compressed security events and Netflow for further processing, such as Threat Intelligence tasks and routing to external Log Management systems.

Filtering policies also control routing to external Log Management systems: the boolean field log, located under each sensor type, determines whether that sensor's events are forwarded for Threat Intelligence processing and to Log Management systems.
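To make the gray-list transformation and the per-sensor log flag concrete, here is an added illustration (not Altprobe's own code) that applies the hids policy fragment above to a constructed Wazuh alert. Treating "indef" as "no constraint / leave unchanged", the first-match-wins order, and the substring meaning of "match" are assumptions, and aggregation is not modelled.

```python
import copy

# Constructed "hids" (Wazuh) policy fragment mirroring the gray_list entry above.
HIDS_POLICY = {
    "log": True,
    "gray_list": [{
        "event": "5715", "agent": "flghost", "match": "indef",
        "response": {
            "profile": "indef", "new_type": "indef", "new_source": "indef",
            "new_event": "55715", "new_severity": 1,
            "new_category": "cat for 55715",
            "new_description": "desc for 55715",
        },
    }],
}

# response key -> alert field it rewrites
RESPONSE_FIELDS = {"new_event": "event", "new_severity": "severity",
                   "new_category": "category", "new_description": "description",
                   "new_type": "type", "new_source": "source"}

def rule_matches(rule, alert):
    """Rule applies when event and agent equal the alert's values; an "indef"
    selector is treated as a wildcard (assumption, not stated in the docs)."""
    for key in ("event", "agent"):
        want = rule.get(key, "indef")
        if want != "indef" and want != alert.get(key):
            return False
    # "match" is assumed to be a substring test on the description; "indef" disables it.
    pattern = rule.get("match", "indef")
    return pattern == "indef" or pattern in alert.get("description", "")

def apply_policy(policy, alert):
    """Return (rewritten copy of the alert, whether to forward it to log management)."""
    out = copy.deepcopy(alert)
    for rule in policy.get("gray_list", []):
        if not rule_matches(rule, out):
            continue
        for src, dst in RESPONSE_FIELDS.items():
            value = rule["response"].get(src, "indef")
            if value != "indef":  # "indef" leaves the field untouched
                out[dst] = value
        break  # first matching rule wins (assumption)
    return out, bool(policy.get("log", False))

# Constructed Wazuh alert as Altprobe would hold it after normalisation.
ALERT_5715 = {"event": "5715", "agent": "flghost", "severity": 3,
              "category": "authentication", "description": "sshd: login ok"}
```

Running apply_policy(HIDS_POLICY, ALERT_5715) yields event 55715 with severity 1 and the new category and description, plus True for log forwarding; an alert with any other event ID passes through unchanged.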


Altprobe commands

altprobe-start
altprobe-stop
altprobe-restart
altprobe-status

Below is example usage of the Altprobe commands:

root@host:~# altprobe-status

alertflex collector isn't running

suricata start/running, process 1797

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...

root@host:~# altprobe-start
alertflex collector started with code 0
root@host:~#

root@host:~# altprobe-status

alertflex collector is running, process 19023

suricata start/running, process 1797

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...

How to check for Altprobe errors:

cat /var/log/syslog | grep altprobe