Feature: Merge inspector configs into one. (Redmine issue: #6949)

6ae1cdac · Rajmund Hruška · ac5e2122 · 6ae1cdac · ac5e2122 · 6ae1cdac
Commit 6ae1cdac authored 3 years ago by Rajmund Hruška
--- a/conf/mentat-controller.py.conf
+++ b/conf/mentat-controller.py.conf
@@ -52,25 +52,7 @@
        },
        #
-        # [CHAIN A]: Message inspection module - event validations
+        # [CHAIN A|ENTRY]: Message inspection module - event classifications and validations
-        #
-        {
-            "name": "mentat-inspector-b.py",
-            "exec": "mentat-inspector.py",
-            # Enable multiple instances working the same queue directory
-            #"paralel": true,
-            # In case of paralel mode, you MUST set the required number of instances
-            #"count": 3,
-            "args": [
-                # Enable debug information before daemonization
-                #"--debug"
-                # Force logging level ['debug', 'info', 'warning', 'error', 'critical']
-                #"--log-level=debug"
-            ]
-        },
-        #
-        # [CHAIN A|ENTRY]: Message inspection module - event classifications
        #
        {
            "exec": "mentat-inspector.py",

--- a/conf/mentat-inspector-b.py.conf
+++ b/conf/mentat-inspector-b.py.conf
-#-------------------------------------------------------------------------------
-#
-# CONFIGURATION FILE FOR MENTAT-INSPECTOR-B.PY MODULE
-#
-# Event validation module.
-#
-# This configuration attempts to perform event validation and basic attribute
-# sanity checks.
-#
-#-------------------------------------------------------------------------------
-{
-    #---------------------------------------------------------------------------
-    # Custom daemon configurations
-    #---------------------------------------------------------------------------
-    # List of the inspection rules. The rules will be processed in
-    # following order.
-    "inspection_rules":  [
-        {
-            "name": "Check: EventTime > DetectTime",
-            "rule": "exists EventTime and exists DetectTime and EventTime > DetectTime",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "EventTime_gt_DetectTime", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: CeaseTime > DetectTime",
-            "rule": "exists CeaseTime and exists DetectTime and CeaseTime > DetectTime",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "CeaseTime_gt_DetectTime", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: WinStartTime > DetectTime",
-            "rule": "exists WinStartTime and exists DetectTime and WinStartTime > DetectTime",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_DetectTime", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: DetectTime > CreateTime",
-            "rule": "exists DetectTime and exists CreateTime and DetectTime > CreateTime",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_gt_CreateTime", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: EventTime > CeaseTime",
-            "rule": "exists EventTime and exists CeaseTime and EventTime > CeaseTime",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "EventTime_gt_CeaseTime", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: WinStartTime > WinEndTime",
-            "rule": "exists WinStartTime and exists WinEndTime and WinStartTime > WinEndTime",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_WinEndTime", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: WinStartTime > EventTime",
-            "rule": "exists WinStartTime and exists EventTime and WinStartTime > EventTime",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_EventTime", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: Source port and TCP/UDP",
-            "rule": "exists Source.Port and not (Source.Proto in ['tcp', 'udp'])",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Used_Source_Port_and_missing_Proto", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: Target port and TCP/UDP",
-            "rule": "exists Target.Port and not (Target.Proto in ['tcp', 'udp'])",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Used_Target_Port_and_missing_Proto", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: DetectTime too old",
-            "rule": "DetectTime < (utcnow() - 3D00:00:00)",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_too_old", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: DetectTime in the future",
-            "rule": "DetectTime > (utcnow() + 01:00:00)",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_in_the_future", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: Category Test only",
-            "rule": "Category is ['Test']",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Category_Test_only", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: Category Unknown",
-            "rule": "not Category in ['Abusive', 'Abusive.Spam', 'Abusive.Harassment', 'Abusive.Child', 'Abusive.Sexual', 'Abusive.Violence', 'Malware', 'Malware.Virus', 'Malware.Worm', 'Malware.Trojan', 'Malware.Spyware', 'Malware.Dialer', 'Malware.Rootkit', 'Recon', 'Recon.Scanning', 'Recon.Sniffing', 'Recon.SocialEngineering', 'Recon.Searching', 'Attempt', 'Attempt.Exploit', 'Attempt.Login', 'Attempt.NewSignature', 'Intrusion', 'Intrusion.AdminCompromise', 'Intrusion.UserCompromise', 'Intrusion.AppCompromise', 'Intrusion.Botnet', 'Availability', 'Availability.DoS', 'Availability.DDoS', 'Availability.Sabotage', 'Availability.Outage', 'Information', 'Information.UnauthorizedAccess', 'Information.UnauthorizedModification', 'Fraud', 'Fraud.UnauthorizedUsage', 'Fraud.Copyright', 'Fraud.Masquerade', 'Fraud.Phishing', 'Fraud.Scam', 'Vulnerable', 'Vulnerable.Open', 'Vulnerable.Config', 'Anomaly', 'Anomaly.Traffic', 'Anomaly.Connection', 'Anomaly.Protocol', 'Anomaly.System', 'Anomaly.Application', 'Anomaly.Behaviour', 'Other', 'Test']",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Category_unknown", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: Source Type Unknown",
-            "rule": "exists Source.Type and not Source.Type in ['Proxy', 'OriginMalware', 'OriginSandbox', 'OriginSpam', 'OriginBlacklist', 'Phishing', 'Malware', 'MITM', 'Spam', 'Backscatter', 'Open', 'Poisoned', 'FastFlux', 'Botnet', 'CC', 'Tor', 'Incomplete', 'Anonymised']",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Source_Type_unknown", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: Target Type Unknown",
-            "rule": "exists Target.Type and not Target.Type in ['Proxy', 'OriginMalware', 'OriginSandbox', 'OriginSpam', 'Phishing', 'Malware', 'MITM', 'Spam', 'Backscatter', 'Open', 'Poisoned', 'FastFlux', 'Botnet', 'CC', 'Tor', 'Incomplete', 'Anonymised']",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Target_Type_unknown", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: Node Type Unknown",
-            "rule": "exists Node.Type and not Node.Tag in ['Connection', 'Datagram', 'Content', 'Data', 'File', 'Flow', 'Log', 'Protocol', 'Host', 'Network', 'Correlation', 'External', 'Reporting', 'Blackhole', 'Signature', 'Statistical', 'Heuristic', 'Integrity', 'Policy', 'Honeypot', 'Tarpit', 'Recon', 'Monitor']",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Node_Type_unknown", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: ID suspiciously short",
-            "rule": "strlen(ID) < 8",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "ID_too_short", "unique": true}}
-            ]
-        },
-        {
-            "name": "Check: Description suspiciously short or missing",
-            "rule": "strlen(Description) < 8",
-            "actions": [
-                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Description_short_or_missing", "unique": true}}
-            ]
-        }
-    ],
-    # List of fallback actions, that will be performed with given message
-    # in case it does NOT match any of the inspection rules.
-    "fallback_actions": [],
-    #---------------------------------------------------------------------------
-    # Common piper daemon configurations
-    #---------------------------------------------------------------------------
-    #"queue_in_dir": "mentat-inspector-b.py",
-    "queue_out_dir": "mentat-enricher.py",
-    #"queue_in_wait": 3,
-    #"queue_out_wait": 10,
-    #"queue_out_limit": 5000,
-    #---------------------------------------------------------------------------
-    # Common daemon configurations
-    #---------------------------------------------------------------------------
-    #"no_daemon": false,
-    #"chroot-dir": null,
-    #"work_dir": "/",
-    #"pid_file": "/var/mentat/run/mentat-inspector-b.py.pid",
-    #"state_file": "/var/mentat/run/mentat-inspector-b.py.state",
-    #"umask": "0o002",
-    #"stats_interval": 300,
-    #"paralel": false,
-    #---------------------------------------------------------------------------
-    # Common application configurations
-    #---------------------------------------------------------------------------
-    #"quiet": false,
-    #"verbosity": 0,
-    #"log_file": "/var/mentat/log/mentat-inspector-b.py.log",
-    #"log_level": "info",
-    #"runlog_dir": "/var/mentat/run/mentat-inspector-b.py",
-    #"runlog_dump": false,
-    #"runlog_log": false,
-    #"pstate_file": "/var/mentat/run/mentat-inspector-b.py.pstate",
-    #"pstate_dump": false,
-    #"pstate_log": false,
-    #"action": null,
-    #"user": "mentat",
-    #"group": "mentat",
-    # This is a dummy last configuration so that the user does not have to fix
-    # the commas in the whole configuration file after each change.
-    "_dummy_": "_dummy_"
-}
--- a/conf/mentat-inspector.py.conf
+++ b/conf/mentat-inspector.py.conf
@@ -201,23 +201,145 @@
                {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "recon-scanning", "overwrite": false} },
                {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "low", "overwrite": false} }
            ]
+        },
+        {
+            "name": "Check: EventTime > DetectTime",
+            "rule": "exists EventTime and exists DetectTime and EventTime > DetectTime",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "EventTime_gt_DetectTime", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: CeaseTime > DetectTime",
+            "rule": "exists CeaseTime and exists DetectTime and CeaseTime > DetectTime",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "CeaseTime_gt_DetectTime", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: WinStartTime > DetectTime",
+            "rule": "exists WinStartTime and exists DetectTime and WinStartTime > DetectTime",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_DetectTime", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: DetectTime > CreateTime",
+            "rule": "exists DetectTime and exists CreateTime and DetectTime > CreateTime",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_gt_CreateTime", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: EventTime > CeaseTime",
+            "rule": "exists EventTime and exists CeaseTime and EventTime > CeaseTime",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "EventTime_gt_CeaseTime", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: WinStartTime > WinEndTime",
+            "rule": "exists WinStartTime and exists WinEndTime and WinStartTime > WinEndTime",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_WinEndTime", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: WinStartTime > EventTime",
+            "rule": "exists WinStartTime and exists EventTime and WinStartTime > EventTime",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_EventTime", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: Source port and TCP/UDP",
+            "rule": "exists Source.Port and not (Source.Proto in ['tcp', 'udp'])",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Used_Source_Port_and_missing_Proto", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: Target port and TCP/UDP",
+            "rule": "exists Target.Port and not (Target.Proto in ['tcp', 'udp'])",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Used_Target_Port_and_missing_Proto", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: DetectTime too old",
+            "rule": "DetectTime < (utcnow() - 3D00:00:00)",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_too_old", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: DetectTime in the future",
+            "rule": "DetectTime > (utcnow() + 01:00:00)",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_in_the_future", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: Category Test only",
+            "rule": "Category is ['Test']",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Category_Test_only", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: Category Unknown",
+            "rule": "not Category in ['Abusive', 'Abusive.Spam', 'Abusive.Harassment', 'Abusive.Child', 'Abusive.Sexual', 'Abusive.Violence', 'Malware', 'Malware.Virus', 'Malware.Worm', 'Malware.Trojan', 'Malware.Spyware', 'Malware.Dialer', 'Malware.Rootkit', 'Recon', 'Recon.Scanning', 'Recon.Sniffing', 'Recon.SocialEngineering', 'Recon.Searching', 'Attempt', 'Attempt.Exploit', 'Attempt.Login', 'Attempt.NewSignature', 'Intrusion', 'Intrusion.AdminCompromise', 'Intrusion.UserCompromise', 'Intrusion.AppCompromise', 'Intrusion.Botnet', 'Availability', 'Availability.DoS', 'Availability.DDoS', 'Availability.Sabotage', 'Availability.Outage', 'Information', 'Information.UnauthorizedAccess', 'Information.UnauthorizedModification', 'Fraud', 'Fraud.UnauthorizedUsage', 'Fraud.Copyright', 'Fraud.Masquerade', 'Fraud.Phishing', 'Fraud.Scam', 'Vulnerable', 'Vulnerable.Open', 'Vulnerable.Config', 'Anomaly', 'Anomaly.Traffic', 'Anomaly.Connection', 'Anomaly.Protocol', 'Anomaly.System', 'Anomaly.Application', 'Anomaly.Behaviour', 'Other', 'Test']",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Category_unknown", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: Source Type Unknown",
+            "rule": "exists Source.Type and not Source.Type in ['Proxy', 'OriginMalware', 'OriginSandbox', 'OriginSpam', 'OriginBlacklist', 'Phishing', 'Malware', 'MITM', 'Spam', 'Backscatter', 'Open', 'Poisoned', 'FastFlux', 'Botnet', 'CC', 'Tor', 'Incomplete', 'Anonymised']",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Source_Type_unknown", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: Target Type Unknown",
+            "rule": "exists Target.Type and not Target.Type in ['Proxy', 'OriginMalware', 'OriginSandbox', 'OriginSpam', 'Phishing', 'Malware', 'MITM', 'Spam', 'Backscatter', 'Open', 'Poisoned', 'FastFlux', 'Botnet', 'CC', 'Tor', 'Incomplete', 'Anonymised']",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Target_Type_unknown", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: Node Type Unknown",
+            "rule": "exists Node.Type and not Node.Tag in ['Connection', 'Datagram', 'Content', 'Data', 'File', 'Flow', 'Log', 'Protocol', 'Host', 'Network', 'Correlation', 'External', 'Reporting', 'Blackhole', 'Signature', 'Statistical', 'Heuristic', 'Integrity', 'Policy', 'Honeypot', 'Tarpit', 'Recon', 'Monitor']",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Node_Type_unknown", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: ID suspiciously short",
+            "rule": "strlen(ID) < 8",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "ID_too_short", "unique": true}}
+            ]
+        },
+        {
+            "name": "Check: Description suspiciously short or missing",
+            "rule": "strlen(Description) < 8",
+            "actions": [
+                {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Description_short_or_missing", "unique": true}}
+            ]
        }
    ],
    # List of fallback actions, that will be performed with given message
    # in case it does NOT match any of the inspection rules.
-    "fallback_actions": [
+    "fallback_actions": [],
-        {"action": "log", "args": {"label":"Fallback rule match, event did not match any of the classification rules"}}
-    ],
    #---------------------------------------------------------------------------
    # Common piper daemon configurations
    #---------------------------------------------------------------------------
    #"queue_in_dir": "mentat-inspector.py",
-    "queue_out_dir": "mentat-inspector-b.py",
+    "queue_out_dir": "mentat-enricher.py",
    #"queue_in_wait": 3,
    #"queue_out_wait": 10,
    #"queue_out_limit": 5000,

--- a/doc/sphinx/_doclib/administration.rst
+++ b/doc/sphinx/_doclib/administration.rst
@@ -201,8 +201,8 @@ To enable these scripts please configure them to be launched periodically via
    going suddenly offline.
 ``/etc/mentat/scripts/mentat-check-inspectionerrors.sh``
    Query the IDEA event database and detect list of all inspection errors along
-    with example events. One of the :ref:`section-bin-mentat-inspector` modules
+    with example events. The :ref:`section-bin-mentat-inspector` module
-    is by default configured to perform event sanity inspection and logs errors
+    is by default configured to perform event sanity inspection and logging errors
    it finds directly into the event. This script can provide summary of all
    current inspection errors, so you can go and fix malfunctioning detectors.
 ``/etc/mentat/scripts/mentat-check-noeventclass.sh``
@@ -262,7 +262,6 @@ of Mentat modules:
    2018-09-26 13:31:17,981 INFO: Status of configured Mentat real-time modules:
    2018-09-26 13:31:17,981 INFO: Real-time module 'mentat-storage.py': 'Process is running or service is OK (1)'
    2018-09-26 13:31:17,981 INFO: Real-time module 'mentat-enricher.py': 'Process is running or service is OK (1)'
-    2018-09-26 13:31:17,982 INFO: Real-time module 'mentat-inspector-b.py': 'Process is running or service is OK (1)'
    2018-09-26 13:31:17,982 INFO: Real-time module 'mentat-inspector.py': 'Process is running or service is OK (1)'
    2018-09-26 13:31:17,982 INFO: Overall real-time module status: 'All modules are running OK'
    2018-09-26 13:31:17,982 INFO: Status of configured Mentat cronjob modules:
@@ -304,10 +303,6 @@ the following as your NRPE configuration:
    command[check_mentat_inspector_a_pending_dir]=/usr/lib/nagios/plugins/check_file_count -d /var/mentat/spool/mentat-inspector.py/pending -w 100 -c 1000
    command[check_mentat_inspector_a_incoming_dir]=/usr/lib/nagios/plugins/check_file_count -d /var/mentat/spool/mentat-inspector.py/incoming -w 5000 -c 10000
-    command[check_mentat_inspector_b_errors_dir]=/usr/lib/nagios/plugins/check_file_count -d /var/mentat/spool/mentat-inspector-b.py/errors -w 100 -c 1000
-    command[check_mentat_inspector_b_pending_dir]=/usr/lib/nagios/plugins/check_file_count -d /var/mentat/spool/mentat-inspector-b.py/pending -w 100 -c 1000
-    command[check_mentat_inspector_b_incoming_dir]=/usr/lib/nagios/plugins/check_file_count -d /var/mentat/spool/mentat-inspector-b.py/incoming -w 5000 -c 10000
    command[check_mentat_enricher_errors_dir]=/usr/lib/nagios/plugins/check_file_count -d /var/mentat/spool/mentat-enricher.py/errors -w 100 -c 1000
    command[check_mentat_enricher_pending_dir]=/usr/lib/nagios/plugins/check_file_count -d /var/mentat/spool/mentat-enricher.py/pending -w 100 -c 1000
    command[check_mentat_enricher_incoming_dir]=/usr/lib/nagios/plugins/check_file_count -d /var/mentat/spool/mentat-enricher.py/incoming -w 5000 -c 10000

--- a/doc/sphinx/_doclib/migration.rst
+++ b/doc/sphinx/_doclib/migration.rst
@@ -182,11 +182,9 @@ sure everything is in order.
    #         processing modules by inspecting the log files. Look for obvious
    #         errors and warnings.
    tail -f /var/mentat/log/mentat-inspector.py.log
-    tail -f /var/mentat/log/mentat-inspector-b.py.log
    tail -f /var/mentat/log/mentat-enricher.py.log
    tail -f /var/mentat/log/mentat-storage.py.log
    grep ERROR /var/mentat/log/mentat-inspector.py.log
-    grep ERROR /var/mentat/log/mentat-inspector-b.py.log
    grep ERROR /var/mentat/log/mentat-enricher.py.log
    grep ERROR /var/mentat/log/mentat-storage.py.log

--- a/lib/mentat/module/controller.py
+++ b/lib/mentat/module/controller.py
@@ -60,7 +60,7 @@ Usage examples
    # Work with particular modules.
    mentat-controller.py --command start --target mentat-storage.py
    mentat-controller.py --command stop --target mentat-enricher.py mentat-inspector.py
-    mentat-controller.py --command signal-usr1 --target mentat-inspector-b.py
+    mentat-controller.py --command signal-usr1 --target mentat-inspector.py
 Available script commands