mysql --database prelude < prelude-correlation-vulnerability-importer_mysql.sql

Next, import the Nessus report into the Prelude database with the following command:
manager:/home/prelude# ./prelude-correlation-vulnerability-importer.pl -c vuln.conf -i 130_120_84_65.nsr
*** Trying to connect to the database
type:mysql database:prelude hostname:localhost account:prelude
*** Reading the report file: 130_120_84_65.nsr
Number of reports to deal with: 134
*** Deleting existing related reports
.......................................................................
...............................................................
End of the deletion process
*** Adding 134 new reports
End of the integration of the reports
*** Operation of import succeeded
Number of records deleted in the database : 134
Number of records written in the database : 134
Date used in the records : 2003/2 3 11:30
manager:/home/prelude#

To correlate the alerts raised by Prelude with the vulnerabilities found by Nessus, use the following script:
manager:/home/prelude# ./prelude-correlation-vulnerability-finder.pl -B -c vuln.conf
*** Trying to connect to the database
type:mysql database:prelude hostname:localhost account:prelude
*** Parsing the database to get the alerts id
*** Trying to search for correlation
*** Operation of vulnerability correlation search finnished
Number of alerts treated in the database : 1073
Number of correlations of vulnerability : 0
manager:/home/prelude#

Here we can see that no attack exploited a vulnerability previously detected by Nessus. There is also a very simple script that filters the correlations over a given time window. For example, to display the correlations for the last 24 hours (the last 86400 seconds):
manager:/home/prelude/# ./prelude-correlation-agent.pl -B -p 86400
#################################################
# Proof of concept for a small correlation agent
# using source address to work
# Contact: oudot@rstack.org
#################################################
# Source address correlation for alert 15972
# with 86400 of seconds used as the period to analyse
# Alert 15972 is ever correlated in the correlation id: 1
#################################################
# Proof of concept for a small correlation agent
# using source address to work
# Contact: oudot@rstack.org
#################################################
# Source address correlation for alert 15973
# with 86400 of seconds used as the period to analyse
# Alert 15973 is ever correlated in the correlation id: 1
[...]
#################################################
# Proof of concept for a small correlation agent
# using source address to work
# Contact: oudot@rstack.org
#################################################
# Source address correlation for alert 17043
# with 86400 of seconds used as the period to analyse
# Alert 17043 is ever correlated in the correlation id: 37
#################################################
# Proof of concept for a small correlation agent
# using source address to work
# Contact: oudot@rstack.org
#################################################
# Source address correlation for alert 17044
# with 86400 of seconds used as the period to analyse
# Alert 17044 is ever correlated in the correlation id: 37
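The two correlation steps above (matching alerts against the imported Nessus report, then grouping alerts by source address within a period such as 86400 seconds) can be illustrated with a small standalone model. This is an added example, not the Prelude scripts; the alert and vulnerability records are constructed, the field names are not Prelude's schema, and matching on target host and port is an assumed rule, since the page does not describe the finder's exact criteria.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for Prelude's alert table and the imported
# Nessus report. Field names are assumptions, not Prelude's real schema.
ALERTS = [
    {"id": 15972, "time": "2003-02-02 09:00", "src": "10.0.0.5", "dst": "130.120.84.65", "dport": 80},
    {"id": 15973, "time": "2003-02-03 13:00", "src": "10.0.0.5", "dst": "130.120.84.65", "dport": 80},
    {"id": 17043, "time": "2003-02-03 22:00", "src": "10.0.0.9", "dst": "130.120.84.65", "dport": 22},
    {"id": 17044, "time": "2003-02-04 11:00", "src": "10.0.0.5", "dst": "130.120.84.65", "dport": 443},
]
VULNS = [
    {"host": "130.120.84.65", "port": 22, "plugin": "ssh-old-version"},  # constructed finding
    {"host": "130.120.84.66", "port": 80, "plugin": "cgi-traversal"},    # other host, no alert
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def find_vulnerability_correlations(alerts, vulns):
    """Vulnerability-finder step: an alert correlates with a vulnerability when
    its target host and port match an entry of the imported report (assumed rule)."""
    by_target = {(v["host"], v["port"]): v["plugin"] for v in vulns}
    hits = []
    for alert in alerts:
        plugin = by_target.get((alert["dst"], alert["dport"]))
        if plugin is not None:
            hits.append((alert["id"], plugin))
    return hits

def correlate_by_source(alerts, period_seconds, now):
    """Correlation-agent step: alerts from the same source address seen within
    the last period_seconds share one correlation id, numbered in order of
    first appearance. Alerts older than the window are ignored."""
    cutoff = parse_time(now) - timedelta(seconds=period_seconds)
    ids_by_source = {}   # source address -> correlation id
    correlation = {}     # alert id -> correlation id
    for alert in sorted(alerts, key=lambda a: parse_time(a["time"])):
        if parse_time(alert["time"]) < cutoff:
            continue
        cid = ids_by_source.setdefault(alert["src"], len(ids_by_source) + 1)
        correlation[alert["id"]] = cid
    return correlation

if __name__ == "__main__":
    print("vulnerability correlations:", find_vulnerability_correlations(ALERTS, VULNS))
    for alert_id, cid in correlate_by_source(ALERTS, 86400, "2003-02-04 11:30").items():
        print(f"Alert {alert_id} is correlated in correlation id: {cid}")
```

With the constructed data, only alert 17043 hits a known vulnerability, and within the 24-hour window the two alerts from 10.0.0.5 share correlation id 1 while the older alert 15972 is left out.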