Altprobe is a component of the Alertflex project. In SIEM/Log Management terminology, it performs the function of a collector.
Advantages of using Altprobe
Integration with GrayLog and MISP
- Based on filtering policies, Altprobe extracts high-priority events from the flows of data generated by Wazuh HIDS and Suricata NIDS, then aggregates and normalizes these events. This simplifies alert and incident management and reduces the noise from minor events.
- Indicator of Compromise hunting (the Open Source Threat Intelligence Platform MISP is used). The Alertflex controller generates an alert when an IOC matches IDS event data.
- Reports about network activity and IP address reputation for processes on hosts (based on events from Sysmon for Windows and Auditd for Linux, received via Wazuh IDS). This is useful for finding the name of the process behind a suspicious network connection.
- Recognition of the Host IDS agent namespace inside alerts and Netflow events generated by the Network IDS
- SSL with two-way authentication is used to secure connections between remote and central nodes
- All logs are sent in an accumulated state inside compressed data blocks to prevent event overflow
- If the connection between remote and central nodes is lost, the collector persists all alerts locally in a file
In tandem with the Alertflex controller (see the AlertflexCtrl repository on this GitHub profile),
Altprobe can integrate Wazuh Host IDS (OSSEC fork) and Suricata Network IDS
with the Graylog Log Management platform and the MISP Threat Intelligence Platform.
Below is a diagram of the Altprobe and Alertflex controller configuration for working with Graylog and MISP.
Types of events (GELF format) generated by Altprobe:
"full_message":"Alert from Alertflex collector/controller"
"full_message":"IDS/FIM event from OSSEC/Wazuh"
"full_message":"Network activity of linux process from Auditd"
"full_message":"Network activity of windows process from Sysmon"
"full_message":"IDS event from Suricata"
"full_message":"DNS event from Suricata"
"full_message":"SSH event from Suricata"
"full_message":"Netflow event from Suricata"
Documentation (early version, includes installation instructions)
see web page: http://alertflex.org/doc/
To enable events from Sysmon via Wazuh IDS, change the level of rule_id 185001 from 0 to another value.
To enable network activity events from Auditd, use the command:
auditctl -a exit,always -F arch=b64 -S connect -k linux-connects
The key name linux-connects is important!
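As an added example (not part of Altprobe or this README), the following Python script shows what the linux-connects key makes possible: it joins the SYSCALL and SOCKADDR records that auditd writes for each tagged connect() call and reports which process connected to which address, which is the raw material behind the "Network activity of linux process from Auditd" events. The audit records are constructed samples; the function names and the sockaddr layout assumptions (Linux, x86-64) are mine.

```python
import re
import socket
import struct
from collections import defaultdict
# Constructed sample auditd records (not from the page); serial 458 carries another key and must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1525000000.123:456): arch=c000003e syscall=42 success=yes exit=0 ppid=1234 pid=5678 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="linux-connects"
type=SOCKADDR msg=audit(1525000000.123:456): saddr=02000050C0A80105000000000000000000000000
type=SYSCALL msg=audit(1525000000.900:457): arch=c000003e syscall=42 success=yes exit=0 ppid=1234 pid=5690 auid=1000 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="linux-connects"
type=SOCKADDR msg=audit(1525000000.900:457): saddr=0A0000160000000020010DB800000000000000000000000100000000
type=SYSCALL msg=audit(1525000001.000:458): arch=c000003e syscall=42 success=yes exit=0 ppid=1234 pid=5700 auid=1000 uid=1000 comm="wget" exe="/usr/bin/wget" key="other-rule"
type=SOCKADDR msg=audit(1525000001.000:458): saddr=02000050C0A80106000000000000000000000000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
LINUX_AF_INET, LINUX_AF_INET6 = 2, 10  # sa_family values as written by the Linux kernel

def parse_record(line):
    """Return (serial, fields) for one auditd line, or None; quotes are stripped from values."""
    m = SERIAL_RE.search(line)
    return (int(m.group(1)), {k: v.strip('"') for k, v in FIELD_RE.findall(line)}) if m else None

def decode_saddr(hexstr):
    """Decode the hex sockaddr of a SOCKADDR record into (ip, port), or None for non-IP families."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0] if len(raw) >= 2 else None  # host order (x86-64 is little-endian)
    if family == LINUX_AF_INET and len(raw) >= 8:    # sockaddr_in: port (network order) at 2..4, addr at 4..8
        return socket.inet_ntop(socket.AF_INET, raw[4:8]), struct.unpack_from("!H", raw, 2)[0]
    if family == LINUX_AF_INET6 and len(raw) >= 24:  # sockaddr_in6: port at 2..4, addr at 8..24
        return socket.inet_ntop(socket.AF_INET6, raw[8:24]), struct.unpack_from("!H", raw, 2)[0]
    return None

def process_connects(log_text, key="linux-connects"):
    """Join SYSCALL and SOCKADDR records on the audit serial; keep only those tagged with `key`."""
    by_serial = defaultdict(dict)
    for parsed in filter(None, map(parse_record, log_text.splitlines())):
        by_serial[parsed[0]][parsed[1]["type"]] = parsed[1]
    events = []
    for serial, recs in sorted(by_serial.items()):
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        peer = decode_saddr(sa["saddr"]) if sc and sa and sc.get("key") == key else None
        if peer:  # drops other keys, incomplete pairs and non-IP sockets (AF_UNIX etc.)
            events.append({"serial": serial, "pid": int(sc["pid"]), "comm": sc["comm"],
                           "exe": sc["exe"], "dst_ip": peer[0], "dst_port": peer[1]})
    return events

if __name__ == "__main__":
    for ev in process_connects(SAMPLE_AUDIT_LOG):
        print(f'{ev["comm"]} (pid {ev["pid"]}, {ev["exe"]}) -> {ev["dst_ip"]}:{ev["dst_port"]}')
```

Running it on a real host means feeding it the lines from /var/log/audit/audit.log; records that carry a different key, such as the ones other audit rules produce, are left out just as the sample shows.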
For advanced configuration of Altprobe, see the file filters.json.
Below are screenshots of Graylog dashboards for IDS events from Altprobe:
Normalized and aggregated alerts from Host and Network IDS
Simple statistics about IDS alert categories and application protocols, and a GeoIP netflow map
Altprobe was tested under Ubuntu 14.04 with Wazuh HIDS (OSSEC fork) 3.2 and Suricata NIDS 4.0.3.
If you'd like to report a bug or request a feature, please open an issue on GitHub
or send an email to firstname.lastname@example.org.
Old version of Altprobe
The previous version of Altprobe (a single package with support for Ntop nProbe and ZeroMQ as sources and output to MySQL) is available under branch