Privateye - Aggregation, Normalization, Correlation, Remediation

Privateye 3.0 Alpha Released


What is Privateye?

The Privateye tool was built out of the necessity for automating responses to multi-alert events. In our efforts to make it as widely useful as possible, we added a whole lot of functionality and abstraction, and this has made Privateye very powerful. It's also a bit complex, at times. We joke a lot that Privateye is probably Turing complete. That doesn't mean, though, that you should do absolutely everything through Privateye (it just means you could). The program was built to fill a niche, and that niche is rule-based data correlation and automated action.

Privateye DOES offer the following:

Privateye DOES NOT:

Privateye CAN (if properly configured):

Privateye's current (v2.2) implementation IS LIMITED BY:

If you have any questions or comments regarding Privateye, I'd love to hear them. Email me at

Use Cases

Example 1: You have an Intrusion Prevention System (IPS) that is dumping its alerts to a log file. Privateye is reading in this log file, in real time, and watching which alerts are being thrown by which IP addresses. Now, let's also say you have a user registration system, allowing each user's name to be associated with their current IP address. One of your users gets a virus that starts doing Bad Things: this virus starts scanning for open shares on your network (which, in and of itself, doesn't necessarily mean something is amiss) AND connects to an IRC server out on the Internet. Privateye's configuration (all done through one powerful configuration file) has a trigger that specifies, "if I see one of 'my users' perform 50 NetBIOS scans in 60 seconds AND connect to an IRC server, I'll run an external script to do something to that user." That "do something" could be shutting down the switch port the computer is connected to, flipping it into a quarantine VLAN, or just sending the user an email letting them know their machine probably has a virus.

Example 2: You have a Snort box that alerts on SSH connections from the Internet to some of your internal hosts. You know that SSH brute-force attacks are prevalent, as every day your logs show thousands of login attempts from many machines on the Net. You configure Privateye such that if any external host (to your network) attempts more than 5 SSH logins in a minute, Privateye will run an external action that blocks the offending host from accessing your network for 2 hours at your firewall. If, when the 2 hours is up, they return, they'll then be blocked from accessing your network for 4 hours. Wash, rinse, repeat.
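Both use cases are instances of the same pattern: count events per source inside a sliding time window, combine the counts with other conditions, and hand the result to an external action. The following Python is an added example written for this page; it is not Privateye's code or configuration file format. It implements the two rules above over a constructed log stream so the correlation and escalation logic can be read and tested on its own. The line format `<epoch> <src_ip> <event>`, the internal network `10.0.0.0/8`, the `USERS` registration table and the requirement that the NetBIOS scans and the IRC connection overlap within the same 60-second window are all assumptions.

```python
# Added example, not Privateye's own code.  Reproduces the two use-case rules
# as a small in-memory correlator.  Log format, network range and user table
# are assumptions made for the example.
from collections import defaultdict, deque
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed: "your network"
USERS = {"10.0.5.7": "alice"}                       # assumed registration table
HOUR = 3600


class WindowCounter:
    """Per-key event timestamps kept inside a sliding window of `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.hits = defaultdict(deque)

    def count(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # expire timestamps that fell out of the window
            q.popleft()
        return len(q)

    def add(self, key, now):
        self.hits[key].append(now)
        return self.count(key, now)


class Correlator:
    """Applies the two rules to a stream of '<epoch> <src_ip> <event>' lines (assumed format)."""

    def __init__(self):
        self.scans = WindowCounter(60)   # NetBIOS scans per registered user IP
        self.irc = WindowCounter(60)     # IRC connects per registered user IP
        self.ssh = WindowCounter(60)     # SSH login attempts per external IP
        self.blocks = {}                 # ip -> (blocked_until, last_block_seconds)
        self.quarantined = set()
        self.actions = []                # what the "external action" would be asked to do

    def feed(self, line):
        ts_s, ip, event = line.split()
        ts = int(ts_s)
        if ip in USERS:
            self._rule_infected_user(ts, ip, event)
        elif ipaddress.ip_address(ip) not in INTERNAL_NET:
            self._rule_ssh_bruteforce(ts, ip, event)

    def _rule_infected_user(self, ts, ip, event):
        # Example 1: 50 NetBIOS scans in 60 s AND an IRC connection inside that
        # same window (the overlap requirement is an assumption of this example).
        if event == "netbios_scan":
            self.scans.add(ip, ts)
        elif event == "irc_connect":
            self.irc.add(ip, ts)
        if (ip not in self.quarantined
                and self.scans.count(ip, ts) >= 50
                and self.irc.count(ip, ts) >= 1):
            self.quarantined.add(ip)     # fire the external script once, not on every later scan
            self.actions.append((ts, "quarantine", USERS[ip], ip))

    def _rule_ssh_bruteforce(self, ts, ip, event):
        # Example 2: more than 5 SSH logins in a minute -> block for 2 h,
        # doubling the block each time the host comes back.
        if event != "ssh_login":
            return
        until, last = self.blocks.get(ip, (0, 0))
        if ts < until:
            return                       # the firewall is already dropping this host
        if self.ssh.add(ip, ts) > 5:
            duration = last * 2 if last else 2 * HOUR
            self.blocks[ip] = (ts + duration, duration)
            self.ssh.hits[ip].clear()    # count afresh once the block has expired
            self.actions.append((ts, "block", ip, duration))


def build_sample_log():
    """Constructed sample log lines for the example, not real data."""
    lines = [f"{t} 203.0.113.9 ssh_login" for t in range(6)]            # 6 tries in 6 s
    lines.append("100 203.0.113.9 ssh_login")                            # arrives while blocked
    lines += [f"{1000 + i} 10.0.5.7 netbios_scan" for i in range(50)]    # 50 scans in 50 s
    lines.append("1020 10.0.5.7 irc_connect")                            # inside that window
    lines += [f"{7300 + t} 203.0.113.9 ssh_login" for t in range(6)]     # back after the 2 h block
    return sorted(lines, key=lambda l: int(l.split()[0]))


def run(lines):
    """Feed every line through the correlator and return the actions it raised."""
    c = Correlator()
    for line in lines:
        c.feed(line)
    return c.actions


if __name__ == "__main__":
    for action in run(build_sample_log()):
        print(action)
```

On the constructed log this raises three actions: a 2-hour block for 203.0.113.9 at its sixth attempt, a quarantine for alice when her fiftieth scan lands while an IRC connection is still inside the window, and a 4-hour block when the external host returns after the first block has expired. Attempts that arrive while a host is blocked are dropped rather than counted, which is what you want if the firewall is doing its job; if your block action can fail, count them instead and alert on the discrepancy.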

Privateye was created by Graeme Connell and Mike Halsall