Configuration of Altprobe


Security sensors

The Altprobe config file altprobe.yaml in the folder /etc/altprobe/ includes several parameters for every sensor/IDS. They allow remote management of IDS rules, blacklists and configs, and reading of alerts from the sensor's logs.

falco_log: "_falco_log"
falco_redis: "altprobe_crs"
falco_conf: "/etc/falco/"
falco_rules: "/etc/falco/rules.d/"
falco_local: "/etc/falco/rules.available/"

suri_log: "_suri_log"
suri_redis: "altprobe_nids"
suri_conf: "/etc/suricata/"
suri_rules: "/var/lib/suricata/rules/"
suri_local: "/etc/suricata/rules/"

wazuh_log: "_wazuh_log"
wazuh_redis: "altprobe_hids"
wazuh_conf: "/var/ossec/data/etc/"
wazuh_rules: "/var/ossec/ruleset/"
wazuh_local: "/var/ossec/data/etc/"

Filtering policies

Filtering policies are files in JSON format that describe operations such as alert aggregation and modification, and whitelists and blacklists for alerts. The Alertflex collector (Altprobe) applies the policy to every new event that comes into the system. Below is an example part of a filtering policy for Wazuh alerts:

    "hids": {
        "log": true,
        "severity": {
            "threshold": 1,
            "level0": 2,
            "level1": 4,
            "level2": 10
        },
        "gray_list": [{
            "event": "5715",
            "agent": "flghost",
            "match": "indef",
            "aggregate": {
                "reproduced": 0,
                "in_period": 0
            },
            "response": {
                "profile": "indef",
                "new_type": "indef",
                "new_source": "indef",
                "new_event": "55715",
                "new_severity": 1,
                "new_category": "new cat",
                "new_description": "new desc"
            }
        }]
    }

In the example above, the gray list contains a policy for the event with ID 5715 (Wazuh classification). If an event with such an ID comes to Altprobe, the following actions apply to the event:

  • the ID of the event will be modified to 55715

  • the severity level of the alert will be set to 1

  • the new category new cat will be added to the alert

  • the description of the alert will be modified to new desc

The filtering policy is loaded during the start of Altprobe from the file filter.json, located in the directory /etc/altprobe. The filtering policy can also be dynamically changed and loaded to collectors from the central node via the Alertflex console. On the central node, different versions of filtering policies are stored in dedicated folders for every collector node. For operations with the filtering policy via the Alertflex console, open the web form IDS/filter policies.
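The rewrite described above can be checked offline with a small simulation. The following is an added example, not Altprobe's own code: it loads the gray-list part of the policy shown on this page (embedded here as a constructed string), matches incoming alerts against the gray list by event ID and agent, and applies the response fields. Two assumptions are labelled in the code: the value "indef" is treated as "leave unchanged" in a response and as "match any" for the agent, and the "log", "severity" and "aggregate" settings are ignored because this page does not describe their semantics. It goes slightly beyond the page by adding a second, agent-wildcard entry to show how a constructed policy with several entries behaves.

```python
import json

# Constructed sample policy: the "hids" fragment from this page plus a second,
# hypothetical gray-list entry with an "indef" (wildcard) agent.
POLICY_JSON = r'''
{
  "hids": {
    "log": true,
    "severity": {"threshold": 1, "level0": 2, "level1": 4, "level2": 10},
    "gray_list": [
      {
        "event": "5715",
        "agent": "flghost",
        "match": "indef",
        "aggregate": {"reproduced": 0, "in_period": 0},
        "response": {
          "profile": "indef",
          "new_type": "indef",
          "new_source": "indef",
          "new_event": "55715",
          "new_severity": 1,
          "new_category": "new cat",
          "new_description": "new desc"
        }
      },
      {
        "event": "5503",
        "agent": "indef",
        "match": "indef",
        "aggregate": {"reproduced": 0, "in_period": 0},
        "response": {
          "profile": "indef",
          "new_type": "indef",
          "new_source": "indef",
          "new_event": "indef",
          "new_severity": 3,
          "new_category": "indef",
          "new_description": "indef"
        }
      }
    ]
  }
}
'''

# Assumption: "indef" means "undefined" -> no change in a response, any value in a matcher.
UNSET = "indef"

# Assumption: which alert field each response key rewrites (derived from the page's
# example, where new_event/new_severity/new_category/new_description change the alert).
RESPONSE_FIELDS = {
    "new_type": "type",
    "new_source": "source",
    "new_event": "event",
    "new_severity": "severity",
    "new_category": "category",
    "new_description": "description",
}


def load_policy(text):
    """Parse the JSON policy text into a dict."""
    return json.loads(text)


def entry_matches(entry, alert):
    """Assumption: an entry applies when the event ID is equal and the agent is
    equal or the entry's agent is the "indef" wildcard."""
    if str(entry["event"]) != str(alert["event"]):
        return False
    if entry["agent"] != UNSET and entry["agent"] != alert["agent"]:
        return False
    return True


def apply_response(entry, alert):
    """Return a copy of the alert with every non-"indef" response field applied."""
    out = dict(alert)
    for key, field in RESPONSE_FIELDS.items():
        value = entry["response"].get(key, UNSET)
        if value != UNSET:
            out[field] = value
    return out


def filter_alert(policy, alert, source="hids"):
    """Apply the first matching gray-list entry of the given source; unmatched
    alerts pass through unchanged. "log", "severity" and "aggregate" are ignored."""
    for entry in policy.get(source, {}).get("gray_list", []):
        if entry_matches(entry, alert):
            return apply_response(entry, alert)
    return dict(alert)


if __name__ == "__main__":
    pol = load_policy(POLICY_JSON)
    sample = {"type": "HIDS", "source": "Wazuh", "event": "5715", "agent": "flghost",
              "severity": 7, "category": "syscheck", "description": "original"}
    print(json.dumps(filter_alert(pol, sample), indent=2))
```

Running the block prints the rewritten alert: event 55715, severity 1, category "new cat" and description "new desc", while type and source stay as they were because their response values are "indef".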

[Image: IDS/filter policies web form (ids-filters.png)]

Altprobe commands

altprobe-start
altprobe-stop
altprobe-restart
altprobe-status

Below is an example usage of the Altprobe commands:

root@host:~# altprobe-status

alertflex collector isn't running

suricata start/running, process 1797

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...

root@host:~# altprobe-start
alertflex collector started with code 0
root@host:~#

root@host:~# altprobe-status

alertflex collector is running, process 19023

suricata start/running, process 1797

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...