
Prewikka User Manual

Version 1 Dec. 08

copyright 2009 PreludeIDS Technologies

Limited liability company (SARL) - SIRET: 48111494000010 - 2 rue David Girin 69002 Lyon FRANCE - Tel: +33(0)950702158 - Fax: +33(0)955702158 - Email: info@prelude-ids.com - Web: www.prelude-ids.com


Contents

I. Overview
II. Core Features
  1. Prewikka functionality
  2. PrewikkaPro functionality
III. Getting Started
  1. Technical Requirements
    a. A current Web browser on your computer
    b. Enable JavaScript and cookie support on your Web browser
    c. Network access to a server that is running the Prewikka software
  2. Accessing Prewikka
    a. To log into the system
    b. To log out of the system
  3. Setting Your Preferences
    a. Language setting
    b. Password modification
  4. Session Timeout
IV. Overview of the Prewikka User Interface
V. Using Prewikka
  1. Events
    a. Events display
    b. Event Tabs
    c. Filtering Tools
    d. Event listing automatic refresh
    e. Delete events
    f. PDF Export (PrewikkaPro only)
  2. Agents
    a. The Agents tab: which displays all the agents information
    b. The Heartbeats tab: which displays the Heartbeats listing
  3. Tickets (PrewikkaPro only)
    a. Ticket creation
    b. Ticket management
  4. Statistics (PrewikkaPro only)
    a. Statistics display
    b. Filtering tools
    c. Statistics tabs
  5. Settings
    a. The Views tab (PrewikkaPro only)
    b. The Filters tab
    c. The My account tab
    d. The User listing tab
  6. About



I. Overview

Prewikka is the official Prelude user interface. It is a web GUI compatible with IE, Firefox, Opera, Konqueror, Safari, Chrome and other WebKit-based browsers. Prewikka is open source and is released under the GPL license. It is written in Python. Prelude supports real-time visualization of data through Prewikka, which provides automatic reloading of the event listing. PrewikkaPro, the commercial version of Prewikka, provides additional functionality and is available from the PreludeIDS company. Learn more about PrewikkaPro.

Caution: All Prewikka and PrewikkaPro features are listed in this manual. If you do not see all of them on your own system, either you are using Prewikka and reading about a PrewikkaPro feature, or you do not have the necessary permissions in Prewikka to see or use it.

II. Core Features

Below are listed the main Prewikka and PrewikkaPro features. More details and pictures are available on the PreludeIDS website, on the Prewikka(Pro) page.

1. Prewikka functionality

- Advanced Aggregation System
- Permission management
- Filter creation
- Sensor monitoring
- Event listing automatic refresh

2. PrewikkaPro functionality

PrewikkaPro is the commercial version of Prewikka. It adds:

- Remote Sensor Management
- Advanced Ticket System
- Graphical Fully Interactive Statistics
- Ability to Create Virtual Alert "Views"
- Alert Listing PDF Export
- Secured Authentication from LDAP server

III. Getting Started

1. Technical Requirements

Before you begin using the Prewikka interface, ensure that you have the required software installed and configured on your system as follows:


a. A current Web browser on your computer

Prewikka is compatible with:

- Microsoft IE - www.microsoft.com/ie
- Firefox - www.mozilla.org/firefox
- Opera - www.opera.com
- Konqueror - www.konqueror.org
- Safari - www.apple.com/safari/
- Google Chrome - www.google.com/chrome
- and other WebKit-based browsers

You may encounter problems if you try to access Prewikka using old Web browser versions.

b. Enable JavaScript and cookie support on your Web browser

Both JavaScript and cookie support must be enabled in the security settings of your browser; they are usually turned on by default. If you encounter problems accessing the system, check your browser configuration to ensure that both JavaScript support and cookie support are enabled, as follows:

- IE: Click Tools > Internet Options > Privacy and Security tabs
- Firefox: Click Tools > Options > Privacy and Web Features tabs

c. Network access to a server that is running the Prewikka software

Your system or network administrator can provide you with a Web address (URL) from which the system can be accessed.

2. Accessing Prewikka

You access Prewikka through a Web browser.

a. To log into the system:

1. Enter the Prewikka URL in the address bar of your Web browser. The Login window is displayed on the page. If the login screen does not display, verify that you have typed the URL correctly, or contact your system administrator to verify that you have the correct URL.
2. Enter your login and password. The system administrator assigns a login and password to every system user. If you have not received your login and password, contact your system administrator.

b. To log out of the system:

Click the Logout link located at the top right side of the page.


3. Setting Your Preferences

The administrator configures the system settings for all users in the organization. This includes the password and permission settings as well as the language. On your My Account page, you can view the settings that the administrator has configured for you. As a user, you can edit some of these settings, such as your preferred language and your password. To set your language and password, click your User Name link located at the top right side of the page.

a. Language setting

Choose the appropriate language: English, Español, Français, Polski, Portuguese (Brazilian).

b. Password modification

At the bottom of the page, enter your current password, your new password, and the new password confirmation. Then click Submit Changes.

4. Session Timeout

For security reasons, the system automatically logs you out of the interface if you do not perform any tasks for one hour (default configuration). This does not happen if the event listing automatic refresh is activated and the refresh time is less than one hour, because each refresh counts as activity and keeps the session alive.


IV. Overview of the Prewikka User Interface

V. Using Prewikka

1. Events

a. Events display

The events are displayed in four different colors: green for low severity, orange for medium severity, red for high severity and blue for informational events. Prewikka automatically aggregates events according to their origin, destination and time of occurrence. Aggregated events are displayed in a single row preceded by the number of events included.


To see the event details:

- Click the name of the event.
- In the case of aggregated events, expand the list of events by clicking the aggregated event name, then click the event whose details you want.

To get more information about an event, click the links below its name: vendor-specific, cve, bugtraqid, etc. To get more information about sources and targets:

- Click the URL to choose between filtering on this URL and viewing its whois record.
- Click the port to see the Port Lookup.

To define the number of events per page, set the Limit parameter in the Control Panel at the bottom left of the screen. To navigate through pages, use the Events Navigation panel at the very bottom left of the screen.

b. Event Tabs

In the Events section, there are three tabs by default:

- The Alerts tab, which displays the alert listing.
- The CorrelationAlerts tab, which displays the correlation alert listing.

The CorrelationAlert class (IDMEF) carries additional information related to the correlation of alert information. It is intended to group one or more previously-sent alerts together, to say "these alerts are all related". Prelude-Correlator must be installed and configured in order to receive correlation alerts. Learn more about installing Prelude-Correlator. In Prewikka, all correlation alerts are automatically displayed in the CorrelationAlerts tab.

- The ToolAlerts tab, which displays the tool alert listing.

The ToolAlert class (IDMEF) carries additional information related to the use of attack tools or malevolent programs such as Trojan horses, and can be used by the analyzer when it is able to identify these tools. It is intended to group one or more previously-sent alerts together, to say "these alerts were all the result of someone using this tool". In Prewikka, all tool alerts are automatically displayed in the ToolAlerts tab (e.g. Nessus alerts).

With the PrewikkaPro version you can create your own customized tabs. Learn more about this functionality in the Views tab subchapter of the Settings chapter (p. 14).

c. Filtering Tools

Filtering tools are based on IDMEF Criteria. You must know the IDMEF Criteria syntax to use Prewikka filtering tools.

There are three ways to filter events in Prewikka:

The Classification, Source, Target and Sensor filters

By clicking Filter Controls in the header of the alert listing table, you get a form which provides you with multiple filtering options. For example, by clicking Classification you get options such as Type, Severity, Completion, etc.

The Time filter

At the bottom left of the screen, you will find the Control Panel, which allows you to set the Period and Timezone parameters. The Period setting defines the time period you want to display, from one minute to an unlimited period of time. The Timezone setting lets you choose between three time frames: frontend localtime, sensor localtime and UTC. Once you have set your preferences, you must click the Apply button or the Save button. The current period and timezone are displayed below the Apply and Save buttons. You can switch periods by clicking the Prev, Current and Next buttons.

The Advanced Saved filters

At the bottom left of the screen, the Control Panel also allows you to load a previously saved filter with the Filter parameter. To load a saved filter, select it with the Filter parameter and click the Apply button or the Save button. This kind of advanced filter can be created and saved in the Settings section, in the Filters tab. Learn more about this functionality in the Filters tab subchapter of the Settings chapter (p. 14).

d. Event listing automatic refresh

The Control Panel at the bottom left of the screen allows you to set the auto refresh functionality through the Refresh parameter. First fill in the refresh period field, then click the play/pause button. Click the Save button to keep your changes for future use.

e. Delete events

At the bottom right of the alert listing, you will find the Delete button. Select the events you want to delete by checking the corresponding boxes on the right of the event listing, or check the box on the right of the Delete button to select all the events. Then click Delete.


f. PDF Export (PrewikkaPro only)

The PDF Export feature is available in PrewikkaPro only. At the bottom left of the alert listing, you will find the Generate PDF on this view button. Click this button to export the current alert listing view to a PDF file.

2. Agents

The Agents section enables you to manage and monitor your analyzers. In the Agents section, there are two tabs by default:

a. The Agents tab: which displays all the agents information

Agents are grouped by location. For each location, the number of nodes, the number of analyzers and the analyzers status are displayed: online (green), offline - error (red), offline - normal status (orange). By clicking the location name, you get the node listing with the node name, its IP address, the OS running on it, the OS version and the number and status of its analyzers. By clicking the number of analyzers in the node listing, you get the analyzer listing. To get more information about an analyzer, click its name and you will get a pop-up menu:

- Alert listing: all the alerts sent by this analyzer
- Heartbeat listing: all the heartbeats emitted by this analyzer
- Heartbeat analysis: displays potential heartbeat anomalies
- Configure (PrewikkaPro only): allows you to configure your analyzer (e.g. heartbeat-interval, analyzer-name, node-name, node-location, etc.)

b. The Heartbeats tab: which displays the Heartbeats listing

The Heartbeats tab works like the Events one. To get more information about a heartbeat, click its name, its node address, its node name or its model.

3. Tickets (PrewikkaPro only)

The PrewikkaPro Advanced Ticket System is a system for assigning responsibilities for event handling.

a. Ticket creation

To create a ticket for one or more events, click new ticket in the Time column of the event listing in the Events section. You then get the ticket creation page. The upper box is used to select or unselect the ticket creation criteria: Classification, Source Address, Target Address, From (time), To (time). By default, all criteria are checked for the selected event, so one ticket will be created for this event only. If you uncheck one or more criteria, tickets will automatically be created according to the remaining checked criteria.


To create a new ticket, fill in the Create a new ticket box fields: Summary, Description, Priority, Assigned to. Only the Summary field is required. Then click the Submit button. The ticket is created and you are redirected to the ticket summary page.

To apply the newly selected criteria (Conditions) to an existing ticket, select the existing ticket name in the Attach to existing ticket box, then click the Submit button. The ticket is updated and you are redirected to the ticket summary page.

b. Ticket management

The Tickets section displays the ticket listing. Each ticket is colored according to its priority: Low (green), Medium (yellow), High (red). You can sort your ticket listing by clicking Priority or Create time in the table header. The ticket listing can be filtered according to the Status, Priority and/or Keyword criteria. By clicking the ticket identification number you can modify the ticket details:

- Add a comment, change its name, the Assigned to parameter, its priority and the resolution status (Fixed / False positive).
- When several conditions have been attached to the same ticket, you can select the condition you want to delete in the Conditions box, then click the Delete selected button.

To delete a ticket, select it in the ticket listing and click the Delete ticket button.

4. Statistics (PrewikkaPro only)

a. Statistics display

PrewikkaPro statistics are fully interactive. All the charts are displayed with their data table on their right. By clicking a chart section or a data table entry, you get the related alert listing.

b. Filtering tools

At the bottom left of the screen, you will find the Control Panel, which allows you to set the Filter and Time. The Filter setting allows you to load a previously saved filter. This kind of advanced filter can be created and saved in the Settings section, in the Filters tab. Learn more about this functionality in the Filters tab subchapter of the Settings chapter (p. 14). The Time setting allows you to define the time period you want to display: Hour (the last 60 minutes), Day (the last 24 hours), Month (the last 30 days) and Custom, which enables you to set the From and To times in the fields below. Once you have set your preferences, you must click the Apply button or the Save button.


c. Statistics tabs

In the Statistics section, you will find five tabs:

The Categorizations tab

In this tab there are three pie charts: Top 10 Alert Classifications, Alert Severities and Alert Impact Types.

The Sources tab

In this tab there are two pie charts: Top 10 Source Addresses and Top 10 Source Country.

The Targets tab

In this tab there are two pie charts: Top 10 Targeted Addresses and Top 10 Targeted Ports.

The Analyzers tab

In this tab there are five pie charts: Top 10 Analyzers, Top 10 Analyzer Models, Top 10 Analyzer Classes, Top 10 Analyzer Node Addresses and Top 10 Analyzer Node Locations.

The Timeline tab

In this tab there is one bar chart: the Timeline repartition chart. In the Month view, each bar is one day. In the Day view, each bar is one hour. In the Hour view, each bar is one minute. By clicking a bar in the Month view you access the Day view; from there you access the Hour view, and from there the alert listing for the minute of the bar, for the Period set in the control panel of the event listing.

5. Settings

In the Settings section, you will find four tabs:

a. The Views tab (PrewikkaPro only)

The Views tab allows you to create your own customized tabs in any section of the interface.

Manage your virtual views

The Available views box allows you to load or delete existing views.

Create a virtual view

In the View parameters box, fill in your new view name, select Alerts view or Heartbeat view according to the kind of view you want to create, choose the section where this view will be available (Events, Agents, Tickets, Statistics, Settings or About), then click the Save button. Once done, go to the section where your new view is available, click the tab with the name of your view, then apply the necessary filtering tools (as shown in the Filtering tools subchapter of the Events chapter, p. 10) and, in the control panel at the bottom left of the screen, click the Save button. Your new view is configured.


b. The Filters tab

The Filters tab allows you to create your own advanced filters and to create Asset Groups. Advanced filters are based on IDMEF Criteria. You must know the IDMEF Criteria syntax to use Prewikka filtering tools. Asset Groups contain values that can be associated with any IDMEF field. Example: you can define an asset group named DMZ, containing the values IP1 IP2 IP3 IP4. (This DMZ asset group can then be used as a filter.)

Create and manage your advanced filters:

Check the Make a new filter box at the top of the page. The Available filters box allows you to load or delete existing filters. In the Add / Modify box, select the Filter Type of your filter (Alert, Heartbeat, or Generic (Alert and Heartbeat)). Then you can create or add filter rules. In the first field, select the variable. In the second field, select the operator, and then fill in the value. You can create only one rule, or several rules; in that case, click the + symbol on the right of the last rule you have just created to add a new rule. Conversely, click the - symbol to delete a previously created rule. Once you have created all the rules you want, you can define the Formula of the filter rules. Use boolean operators (AND/OR) to fill in this field. Once done, give your filter a Name and, if you wish, a Comment, then click the Save button. Your new filter is configured.
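To make the filter mechanics concrete, here is an added example (not Prewikka code) showing how numbered rules, an AND/OR Formula and an asset group such as DMZ combine to select events from a listing. The operator set, the IDMEF field paths used as rule variables and the sample alerts are assumptions constructed for this example.

```python
import re
# Rule operators; this set (and "<>" meaning "contains") is an assumption of this example.
OPERATORS = {
    "=": lambda actual, wanted: actual == wanted,
    "!=": lambda actual, wanted: actual != wanted,
    "<>": lambda actual, wanted: wanted in str(actual),
}

def rule_matches(rule, event, asset_groups):
    """rule = (variable, operator, value); an asset-group value holds if ANY member holds."""
    variable, operator, value = rule
    actual = event.get(variable)
    if actual is None: return False  # field absent from this event: the rule cannot hold
    return any(OPERATORS[operator](actual, v) for v in asset_groups.get(value, [value]))

def evaluate_formula(formula, results):
    """Evaluate a Formula like '(1 AND 2) OR 3' over results (rule outcomes, 1-based).
    Only rule numbers, parentheses, AND and OR are accepted; the text never reaches eval()."""
    tokens = re.findall(r"\d+|AND|OR|\(|\)", formula)
    if "".join(tokens) != re.sub(r"\s+", "", formula):
        raise ValueError("unsupported token in formula: %r" % formula)
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos; pos += 1; return tokens[pos - 1] if pos <= len(tokens) else None
    def atom():  # a rule number or a parenthesised sub-formula
        tok = take()
        if tok == "(":
            val = expr()
            if take() != ")": raise ValueError("missing ')' in formula")
            return val
        if tok is None or not tok.isdigit() or not 1 <= int(tok) <= len(results):
            raise ValueError("rule number expected, got %r" % tok)
        return results[int(tok) - 1]
    def term():  # AND binds tighter than OR; the right side is always consumed
        val = atom()
        while peek() == "AND":
            take(); rhs = atom(); val = val and rhs
        return val
    def expr():
        val = term()
        while peek() == "OR":
            take(); rhs = term(); val = val or rhs
        return val
    result = expr()
    if pos != len(tokens): raise ValueError("unexpected token %r" % tokens[pos])
    return result

# Constructed sample data; the IDMEF paths used as rule variables are illustrative.
ASSET_GROUPS = {"DMZ": ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13"]}
DMZ_FILTER = {"name": "dmz-high-or-scan", "type": "Alert", "formula": "(1 AND 2) OR 3",
              "rules": [("alert.target.node.address.address", "=", "DMZ"),
                        ("alert.assessment.impact.severity", "=", "high"),
                        ("alert.classification.text", "<>", "scan")]}
FIELDS = ("alert.target.node.address.address", "alert.assessment.impact.severity",
          "alert.classification.text")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [  # flattened IDMEF-like alerts
    ("10.0.1.11", "high", "Login failure"), ("192.168.5.5", "high", "Login failure"),
    ("192.168.5.5", "low", "Nmap scan")]]

def matching_events(filter_def, events, asset_groups=ASSET_GROUPS):
    """Events the saved filter keeps: every rule is evaluated, then the Formula combines them."""
    return [e for e in events if evaluate_formula(
        filter_def["formula"], [rule_matches(r, e, asset_groups) for r in filter_def["rules"]])]
```

With the sample data, the first alert matches through rules 1 and 2 (DMZ target, high severity) and the third through rule 3 alone, while a formula containing anything other than rule numbers, parentheses, AND and OR is rejected rather than evaluated.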

Create and manage your asset groups:

Check the Make a new asset group box at the top of the page. The Available asset groups box allows you to load or delete existing asset groups. In the Add / Modify box, fill in the name and the value of your asset group, then click the Save button. Your new asset group is configured.

c. The My account tab

The My account tab allows you to set your preferences and see your permissions. To learn how to set your language and password, see the Setting Your Preferences subchapter of the Getting Started chapter.

Prohibitive Filter:


Permissions:

In the My account tab you will see your permissions. If you do not have the USER_MANAGEMENT permission, you will not be able to edit your permissions. Below is the list of permissions:

Events and Heartbeats management permissions:
- IDMEF_VIEW: Access to the Events and Agents sections
- IDMEF_ALTER: Delete events and heartbeats

Tickets section permissions (PrewikkaPro only):
- TICKET_VIEW: Access to the Tickets section
- TICKET_CREATE: Ticket creation
- TICKET_ALTER: Ticket modification and deletion

Remote Sensor Management permission (PrewikkaPro only):
- ADMIN_CONSOLE: Access to the agents configuration page in the Agents section

User Management permission:
- USER_MANAGEMENT: Create / Modify / Delete user accounts in the Settings section

Command permissions:
- COMMAND: Command permission in PrewikkaPro
- INTRUSIVE_COMMAND: Intrusive command permission in PrewikkaPro

Asset Group permissions:
- ASSET_GROUP_CREATE: Asset group creation
- ASSET_GROUP_ALTER: Asset group modification and deletion

d. The User listing tab

The User listing tab allows you to create or delete users as well as to see each user's permissions. To delete a user, select it by checking the box on the right, then click the Delete user button. To create a user, click the Create user button. You are then redirected to the Account information page. Fill in the login field, select the language, and check the boxes corresponding to the permissions you want to grant, or check the Check All box to grant all permissions. Then enter the password in the New password and Confirmation new password fields. Click the Submit Changes button.

6. About

In the About section, you will find the version number of your Prewikka, a description of the services provided by the PreludeIDS Technologies company, and the company contact details.
