Privateye 3.0 Alpha ReleasedGO HERE FOR PRIVATEYE 3.0 INFORMATION
What is Privateye?The Privateye tool was built out of the necessity for automating responses to multi-alert events. In our efforts to make it as widely useful as possible, we added a whole lot of functionality and abstraction, and this has made Privateye very powerful. It's also a bit complex, at times. We joke a lot that Privateye is probably Turing complete. That doesn't mean, though, that you should do absolutely everything through Privateye (it just means you could). The program was built to fill a niche, and that niche is rule-based data correlation and automated action.
Privateye DOES offer the following:
- Data Aggregation: Pulling input from diverse information sources through its INPUT (passive information gathering: tailing log files, etc.) and TRIGGER (active information requesting: querying databases, LDAP, etc.) objects.
- Data Normalization: breaking up input into user-defined fields (ALERTPARSER object).
- Event Correlation: Through semi-permanent statistical storage in USER objects, referenced by the USERHASH object.
- Remediation: With its ability to interact with the outside world (various TRIGGER and ACTION objects), Privateye allows for scripted responses to various threats to react in realtime to specific events.
Privateye DOES NOT:
- Create Data: Privateye only looks at the data given to it by other entities. It may scrub that data and create logs, true, but without outside input, Privateye will just sit there looking pretty.
- Have complex built-in actions: Privateye's external actions are normally very simple. Execute the script 'xxxxx.sh', insert this data into a database, print data to another log file or standard output. It relies on the ingenuity and scripting ability of its users to create action scripts outside which will quickly and correctly remediate against various issues. If anyone wants to contribute, by the way, I'm thinking of creating a "remediation pack" of useful remediation scripts.
Privateye CAN (if properly configured):
- Correlate events and call external shell scripts to provide automated, realtime response to its input data (IDS logs, firewall logs, etc).
- Chain together multiple alert tests in a variety of ways, allowing for complex and extremely powerful triggers and rulesets.
- Take in data from multiple inputs, normalize, and populate a database.
- Be fully configured (object creation, argument resetting, etc.) in realtime.
Privateye's current (v2.2) implementation IS LIMITED BY:
- PHP: Version 3 is coming along, and is C++-based.
- Complexity: The learning curve for configuration is steep. But that's because we built it to do absolutely anything we could think of, and then some. Again, version 3 is working on this problem by simplifying the possible instruction set of the config file.
If you have any questions or comments regarding Privateye, I'd love to hear them. Email me at firstname.lastname@example.org.
Example 1: You have an Intrusion Prevention System (IPS) that is dumping its alerts to a log file. Privateye is reading in this log file, in real time, and watching which alerts are being thrown by which IP addresses. Now, let's also say you have a user registration system, allowing each user's name to be associated wit h their current IP address. One of your users gets a virus that starts doing Bad Things; this virus starts scanning for open shares on your network (which, in and of itself, doesn't necessarily mean something is amiss) AND connects to an IRC server out on the Internet. Privateye's configuration (all done through one powerful configuration file) has a trigger that specifies, "if I see one of 'my users' perform 50 NetBIOS scans in 60 seconds AND connect to an IRC server, I'll run an external script to do something to that user." That "do something" could be shutting down the switch port the computer is connected to, flipping it into a quarantine VLAN, or just sending the user an email letting them know their machine probably has a virus.
Example 2: You have a Snort box that alerts on SSH connections from the Internet to some of your internal hosts. You know that SSH brute-force attacks are prevalent, as every day your logs show thousands of login attempts from many machines on the Net. You configure Privateye such that if any external host (to your network) attempts more than 5 SSH logins in a minute, Privateye will run an external action that blocks the offending host from accessing your network for 2 hours at your firewall. If, when the 2 hours is up, they return, they'll then be blocked from accessing your network for 4 hours. Wash, rinse, repeat.
Privateye was created by Graeme Connell and Mike Halsall