# This is a template configuration file for prelude-correlator # include = /etc/prelude/default/idmef-client.conf [general] # # Only attempt to correlate input events that match the following criteria: # criteria = # Plugin configuration: # # [BruteForcePlugin] # disable = false # # Disable BusinessHour correlation by default since it is very verbose [BusinessHourPlugin] disable = true # # [OpenSSHAuthPlugin] # disable = false # # [EventScanPlugin] # disable = false # # [EventStormPlugin] # disable = false # # [EventSweepPlugin] # disable = false # # [WormPlugin] # disable = false # repeat-target = 5 # # [CIArmyPlugin] # disable = false # # How often in seconds the CIArmy database should be reloaded (download + reload) # (default: once a week). 0 to disable reloading. # reload = 604800 # # The address to load the CIArmy database from: # uri = http://cinsscore.com/list/ci-badguys.txt # # Define the maximum allowed time for downloading the database # timeout = 10 # # [DshieldPlugin] # disable = false # # How often the Dshield database should be reloaded (download + reload) # (default: once a week). 0 to disable reloading. # reload = 604800 # # The address to load the Dshield database from: # uri = http://www.dshield.org/ipsascii.html?limit=10000 # # Define the maximum allowed time for downloading the database # timeout = 10 # [SpamhausDropPlugin] # # Note: the python-netaddr package is required for this plugin to work. # Also, versions 0.7.10 to 0.7.15 (inclusive) are known to be very slow # due to a bug in python-netaddr. # See https://github.com/drkjam/netaddr/issues/94 for more information # # disable = true # # How often the Spamhaus database should be reloaded (download + reload) # (default: once a week). 0 to disable reloading. # reload = 604800 # # The address to load the Spamhaus database from: # uri = http://www.spamhaus.org/drop/drop.txt # # Define the maximum allowed time for downloading the database # timeout = 10 # # This plugin will report CorrelationAlert for events / sets of events # that appear to have passed through a firewall known to protect the # target machine. # # If no firewall ever emit block concerning a given host, then this host # is considered un-protected, and there is no point in reporting # CorrelationAlert. # # The 'flush-protected-hosts' variable allow you to define how much # time a given target hosts should be considered as protected when a # firewall drop is noticed for this machine. # # The plugin is disabled by default since it tend to be very verbose [FirewallPlugin] disable = True flush-protected-hosts = 3600 # [python_rules] # Python rules folder # paths = /etc/prelude-correlator/rules/python # Logging configuration might also be defined in this file: # http://docs.python.org/library/logging.html # Include additional configuration files [include] conf.d/*.conf