Configuration Altprobe


Security sensors and scanners

The Altprobe config file altprobe.yaml, in the folder /etc/altprobe/, includes several parameters for the different types of security sensors and scanners. They tell Altprobe where each tool keeps its IDS rules, configs, reports and log files so that Altprobe can manage them.

scanners:
  # Path to Dependency-check scan result file, for example /root/reports/dependency-check-report.json
  dependencycheck_result: "indef"
  # Path to Docker-bench scan result file, for example /root/docker-bench-security/result.json
  dockerbench_result: "indef"
  # Path to Kube-bench result file, for example /etc/altprobe/kubebench-report.json
  kubebench_result: "indef"
  # Path to Kube-hunter result file
  kubehunter_result: "indef"
  # Path to Nikto result file
  nikto_result: "indef"
  # Path to Nmap result file
  nmap_result: "indef"
  # Path to Trivy result file
  trivy_result: "indef"
  # Path to OWASP ZAP result file
  zap_result: "indef"

sensors:
  falco_log: "_falco_log"
  falco_redis: "altprobe_crs"
  falco_conf: "/etc/falco/"
  falco_rules: "/etc/falco/rules.d/"
  falco_local: "/etc/falco/rules.available/"

  modsec_log: "_modsec_log"
  modsec_redis: "altprobe_waf"
  modsec_conf: "/etc/nginx/modsec/"
  modsec_rules: "/usr/local/owasp-modsecurity-crs-3.0.2/"
  modsec_local: "/etc/nginx/modsec/rules/"

  suri_log: "_suri_log"
  suri_redis: "altprobe_nids"
  suri_conf: "/etc/suricata/"
  suri_rules: "/var/lib/suricata/rules/"
  suri_local: "/etc/suricata/rules/"

  wazuh_log: "_wazuh_log"
  wazuh_redis: "altprobe_hids"
  wazuh_conf: "/var/ossec/etc/"
  wazuh_rules: "/var/ossec/ruleset/"
  wazuh_local: "/var/ossec/etc/"

Filtering policies

A filtering policy is a file in JSON format that describes operations such as alert aggregation and modification, and a whitelist and blacklist for alerts. The Alertflex collector (Altprobe) applies the policy to every new event that comes into the system. Below is an example part of a filtering policy for Wazuh alerts:

    {
      "hids": {
        "log": true,
        "severity": {
          "threshold": 1,
          "level0": 2,
          "level1": 4,
          "level2": 10
        },
        "gray_list": [{
          "event": "5715",
          "agent": "flghost",
          "match": "indef",
          "aggregate": {
            "reproduced": 0,
            "in_period": 0
          },
          "response": {
            "profile": "indef",
            "new_type": "indef",
            "new_source": "indef",
            "new_event": "55715",
            "new_severity": 1,
            "new_category": "cat for 55715",
            "new_description": "desc for 55715"
          }
        }]
      }
    }

In the example above, the gray list contains a policy for the event with ID 5715 (Wazuh classification). If an event with this ID comes to Altprobe, the following actions are applied to it:

  • the ID of the event will be modified to 55715

  • the severity level of the alert will be changed to 1

  • the new category cat for 55715 will be added to the alert

  • the description of the alert will be modified to desc for 55715
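To make the gray-list behaviour concrete, here is an added example (not Altprobe's own code) that loads the policy fragment above and applies it to incoming Wazuh alerts. It assumes that the event ID must match, that "agent" and "match" are only checked when they are not "indef", that every "new_*" value other than "indef" overwrites the corresponding alert field, that the first matching rule wins, and it ignores aggregation (both counters are 0 in the example).

```python
import json

# Constructed sample policy: the "hids" block from the page, wrapped in a
# complete JSON object so it parses stand-alone.
POLICY_JSON = """
{
  "hids": {
    "log": true,
    "severity": {"threshold": 1, "level0": 2, "level1": 4, "level2": 10},
    "gray_list": [{
      "event": "5715", "agent": "flghost", "match": "indef",
      "aggregate": {"reproduced": 0, "in_period": 0},
      "response": {
        "profile": "indef", "new_type": "indef", "new_source": "indef",
        "new_event": "55715", "new_severity": 1,
        "new_category": "cat for 55715", "new_description": "desc for 55715"
      }
    }]
  }
}
"""

# Response keys and the alert fields they overwrite (assumption).
RESPONSE_FIELDS = {
    "new_type": "type", "new_source": "source", "new_event": "event",
    "new_severity": "severity", "new_category": "category",
    "new_description": "description",
}

def rule_matches(rule, alert):
    """Assumption: event ID must match; agent/match apply only when not "indef"."""
    if rule["event"] != alert.get("event"):
        return False
    if rule["agent"] != "indef" and rule["agent"] != alert.get("agent"):
        return False
    if rule["match"] != "indef" and rule["match"] not in alert.get("description", ""):
        return False
    return True

def apply_gray_list(policy, alert):
    """Return a copy of the alert with the first matching gray-list response applied."""
    result = dict(alert)
    for rule in policy["hids"].get("gray_list", []):
        if not rule_matches(rule, alert):
            continue
        for key, field in RESPONSE_FIELDS.items():
            value = rule["response"].get(key, "indef")
            if value != "indef":          # "indef" leaves the field untouched
                result[field] = value
        break                             # first matching rule wins (assumption)
    return result

POLICY = json.loads(POLICY_JSON)
```

Running apply_gray_list(POLICY, {"event": "5715", "agent": "flghost", "severity": 5}) yields the rewritten event 55715 with severity 1 and the new category and description, while an alert from another agent or with another event ID passes through unchanged.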

The filtering policy is loaded when Altprobe starts, from the file filter.json located in the directory /etc/altprobe. The filtering policy can also be changed dynamically and loaded to collectors from the central node via the Alertflex console. On the central node, the different versions of the filtering policy are stored in dedicated folders for every collector node. To work with the filtering policy via the Alertflex console, open the web form Alerts/Filters.

[Figure: the Alerts/Filters web form in the Alertflex console (ids-filters.png)]

Altprobe commands

altprobe-start
altprobe-stop
altprobe-restart
altprobe-status

Below is example usage of the Altprobe commands:

root@host:~# altprobe-status

alertflex collector isn't running

suricata start/running, process 1797

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...

root@host:~# altprobe-start
alertflex collector started with code 0
root@host:~#

root@host:~# altprobe-status

alertflex collector is running, process 19023

suricata start/running, process 1797

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...

How to check for Altprobe errors:

cat /var/log/syslog | grep altprobe