<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Gentoo Linux Documentation -- Prelude Intrusion Detection System</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Gentoo Linux Documentation -- Prelude Intrusion Detection System</h1>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
</span>About Prelude</p>
<p class="secthead"><a name="doc_chap1_sect1">Background Information</a></p>
<p>
Prelude was founded and written by Yoann Vandoorselaere in 1998. Many others have since contributed to it.
</p>
<p>
Prelude is a hybrid intrusion detection system: it detects and monitors security intrusions whether the attack arrives over the Internet or is mounted locally. Network traffic is monitored by the NIDS sensor, and log files by the LML (Log Monitoring Lackey) sensor. The NIDS can also use rulesets from other intrusion detection systems such as Snort.
</p>
<p class="secthead"><a name="doc_chap1_sect2">What Are the Components?</a></p>
<ul><li>
<span class="path" dir="ltr">prelude-manager</span> : The manager is where all alerts are collected and logged. When the manager receives an alert from a sensor, it records it so the user can investigate. Logging can be done to a file or to a database such as MySQL; the database is the recommended option.</li></ul>
<ul><li>
<span class="path" dir="ltr">prelude-nids</span> : The Network Intrusion Detection System sensor. It is not mandatory, but it should normally be deployed alongside the manager. It provides functionality like that of <a href="http://snort.org">Snort</a> and can load Snort rulesets.
</li></ul>
<ul><li>
<span class="path" dir="ltr">prelude-lml</span> : The LML stands for Log Monitoring Lackey. Like the NIDS, it is also a sensor. The LML watches your logfiles and looks for anything out of the ordinary. Should abnormalities be found, an alert is sent to the manager.</li></ul>
<ul><li>
<span class="path" dir="ltr">libprelude</span> : The library through which the manager and the sensors talk to each other. It also provides the sensors with common functionality.</li></ul>
<ul><li>
<span class="path" dir="ltr">piwi</span> : PIWI stands for Prelude Intrusion (Detection System) Web Interface. It is a Perl-based web front end that lets the user manage their rules and see which attacks are happening or have happened.</li></ul>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
</span>Installing Prelude</p>
<p class="secthead"><a name="doc_chap2_sect1">Emerging the Packages</a></p>
<p>
We will now begin by adding <span class="path" dir="ltr">ssl</span> to our <span class="path" dir="ltr">make.conf</span>, then emerging each of the packages described above.
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: /etc/make.conf</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">You do not have to delete other entries from your USE, just add ssl.</span>
USE="ssl"
</pre></td></tr>
</table>
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Starting the Emerges</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">Emerging the libraries.</span>
# <span class="code-input">emerge libprelude</span>
<span class="code-comment">Now for the log lackey.</span>
# <span class="code-input">emerge prelude-lml</span>
<span class="code-comment">Installing the Network Intrusion Detection System</span>
# <span class="code-input">emerge prelude-nids</span>
<span class="code-comment">Now for the most important component: The manager.</span>
# <span class="code-input">emerge prelude-manager</span>
<span class="code-comment">Lastly, we will install PIWI.</span>
# <span class="code-input">emerge piwi</span>
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
</span>Configuring Prelude</p>
<p class="secthead"><a name="doc_chap3_sect1">Setting up the Manager</a></p>
<p>
We will now edit the manager's main configuration file, <span class="path" dir="ltr">prelude-manager.conf</span>. Two of the most important settings control the addresses on which the manager listens: one for the sensor server and one for the admin server. If the host has several IP addresses and you want the manager to accept connections on only one of them, put that address here instead of <span class="path" dir="ltr">0.0.0.0</span>, which listens on every interface. Consider binding the admin server to <span class="path" dir="ltr">127.0.0.1</span> unless you administer the manager remotely, and the sensor server to the interface your sensors actually reach.</p>
<a name="doc_chap3_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.1: /etc/prelude-manager/prelude-manager.conf</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# Sensor Server is listening on any IP
sensors-srvr = 0.0.0.0;
# Admin Server is listening on any IP
admin-srvr = 0.0.0.0;
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap3_sect2">Setting up the Database</a></p>
<p>
If you want Prelude's backend to be a database such as MySQL or PostgreSQL (which is what you want for anything beyond a test installation), continue with this section. If you would rather log to a plain text file, skip it. The script below ends by printing a <span class="path" dir="ltr">--dbpass</span> command line and an equivalent <span class="path" dir="ltr">[MySQL]</span> section for <span class="path" dir="ltr">prelude-manager.conf</span>; prefer the configuration file, since a password on the command line is visible to every local user through the process list, and make sure the file is readable by root only.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Your SQL server, whether it be MySQL or PostgreSQL, needs to be running before you proceed.</p></td></tr></table>
<a name="doc_chap3_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.2: Creating the Database</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">/usr/bin/prelude-manager-db-create.sh</span>
Prelude Database Support Installation
=====================================
*** Phase 0/7 ***
Warning: if you want to use database support with prelude
You should dedicate the database for this job only.
So if you ever have a database running for another job
please think about taking it away, because this script
will install prelude as a dedicated database and you
could meet some troubles with your old bases.
<span class="code-comment">Since we want database support, we are going to say "y" here.</span>
Do you want to install a dedicated database for prelude ?
(y)es / (n)o : y
*** Phase 1/7 ***
<span class="code-comment">Here you can choose to have your database be MySQL (mysql) or
PostgreSQL (pgsql). This guide uses MySQL.</span>
Enter the type of the database [mysql|pgsql]: mysql
*** Phase 2/7 ***
<span class="code-comment">Unless you are going to be running the MySQL server on a different
box than Prelude, just hit ENTER here to choose "localhost".</span>
Enter the name of the host where the database is running [localhost]:
*** Phase 3/7 ***
<span class="code-comment">3306 is the default port for MySQL, so unless you plan on running
the MySQL daemon on a different port, then just hit ENTER here.</span>
Enter the port where the database is running [3306]:
*** Phase 4/7 ***
<span class="code-comment">Hit ENTER here to have the database that stores all the information
that Prelude keeps track of be named "prelude".</span>
Enter the name of the database that should be created to stock alerts [prelude]:
*** Phase 5/7 ***
<span class="code-comment">You can go ahead and hit ENTER here unless you have your MySQL super-user
set up under a different name.</span>
This installation script has to connect to your mysql database in order to create a user dedicated to stock prelude's alerts
What is the database administrative user ? [root]:
We need the password of the admin user "root" to log on the database.
By default under mysql, root has an empty password.
Please enter a password:
Please confirm entered password:
*** Phase 6/7 ***
We need to create a database user account that will be used by the Prelude Manager in order to access the "prelude" database.
Username to create [prelude] :
We need to set a password for this special "prelude" account.
This password will have to be used by prelude-manager to access the database.
Please enter a password:
Please confirm entered password:
*** Phase 7/7 ***
Please confirm those information before processing :
Database name : prelude
Database admin user: root
Database admin password: (not shown)
prelude owner user: prelude
prelude owner password: (not shown)
Is everything okay ? (yes/no) : yes
Creating the database prelude...
Creating user "prelude" for database "prelude",
using "root" to connect to the database.
Creating tables with /usr/share/prelude-manager/mysql/mysql.sql
-------------- End of Database Support Installation -------------
If it succeeded, you should now be able to launch prelude-manager like that :
==> prelude-manager --mysql --dbhost localhost --dbname prelude --dbuser prelude --dbpass xxxxxx
Or you may modify the prelude-manager configuration file (/usr/local/etc/prelude-manager/prelude-manager.conf by default) in order to launch prelude-manager without database arguments:
---------- cut here --->
[MySQL]
# Host the database is listening on.
dbhost = localhost;
# Port the database is listening on.
dbport = 3306;
# Name of the database.
dbname = prelude;
# Username to be used to connect the database.
dbuser = prelude;
# Password used to connect the database.
dbpass = xxxxxx;
<--- cut here ----------
Replace xxxxxx by the password you choose for the manager account
-----------------------------------------------------------------
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap3_sect3">NIDS Configuration</a></p>
<p>
Now we just need to tell the NIDS which Ethernet device to monitor. On a dedicated sensor this is the interface attached to the SPAN (mirror) port, not the management interface.</p>
<a name="doc_chap3_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing3.3: /etc/conf.d/prelude-nids</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">Change eth0 to match the ethernet device to be monitored.</span>
OPTIONS="-i eth0"
</pre></td></tr>
</table>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
</span>Installing Sensors</p>
<p class="secthead"><a name="doc_chap4_sect1">Prerequisite Configuration</a></p>
<p>
We will now set up the default configuration shared by all sensors in <span class="path" dir="ltr">/etc/prelude-sensors/sensors-default.conf</span>. Edit the values below to match your setup and place them in that file.
</p>
<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.1: /etc/prelude-sensors/sensors-default.conf</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"># Replace this with the IP of the manager.</span>
manager-addr = 192.168.0.1;
<span class="code-comment"># Here you will want to fill in your full hostname.</span>
node-name = yourbox.yourdomain.com;
<span class="code-comment"># This is just a plaintext descriptor. You can put almost anything here.</span>
node-location = Rack 2, Server 5. Monitoring Network A from a SPAN port on switch 28A;
[Node Address]
<span class="code-comment"># The IP address of the box Prelude is being set up on.</span>
address = 192.168.0.1;
<span class="code-comment"># The netmask for the box.</span>
netmask = 255.255.255.0;
</pre></td></tr>
</table>
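<p>The two files above use the same <span class="path" dir="ltr">key = value;</span> syntax. The following script is an added example, not code from the Gentoo guide or from the Prelude project: it parses that syntax (sections in square brackets, <span class="path" dir="ltr">#</span> comments, trailing semicolons) and audits the manager's two listen addresses for the wildcard <span class="path" dir="ltr">0.0.0.0</span>, which exposes the sensor and admin ports on every interface. It assumes the keys sit outside any section, as in the listings; the sample files at the bottom are constructed to mirror those listings so the script runs without Prelude installed.</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide or the Prelude project.
# A small parser for the "key = value;" syntax used by prelude-manager.conf
# and sensors-default.conf, plus an audit of the manager's listen addresses.
# Assumptions: "#" starts a comment, "[Name]" starts a section, and the keys
# shown on this page live outside any section (pass a section name if your
# file differs).

# conf_get FILE SECTION KEY
# Prints the value of KEY inside SECTION ("" = before the first section
# header), with comments, surrounding whitespace and the trailing ";" removed.
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*[[]/ {                           # "[Section]" header
            sec = $0
            sub(/^[ \t]*[[]/, "", sec); sub(/[]].*$/, "", sec)
            next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); sub(/;[ \t]*$/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == want_sec && key == want_key) { print val; exit }
        }' "$1"
}

# audit_manager FILE [SECTION]
# Returns 0 when both listeners are bound to a specific address, 1 when
# either is 0.0.0.0 (every interface) or unset.
audit_manager() {
    file=$1; sec=${2:-}; rc=0
    for k in sensors-srvr admin-srvr; do
        v=$(conf_get "$file" "$sec" "$k")
        case "$v" in
            0.0.0.0) echo "WARN: $k = 0.0.0.0 in $file: listens on every interface"; rc=1 ;;
            "")      echo "WARN: $k not set in $file: check the compiled-in default"; rc=1 ;;
            *)       echo "ok:   $k = $v" ;;
        esac
    done
    return $rc
}

# Constructed sample files (not captured from a real system) mirroring the
# listings above, so the script runs without a Prelude installation.
tmp=${TMPDIR:-/tmp}/prelude-conf.$$
mkdir -p "$tmp"
cat > "$tmp/prelude-manager.conf" <<'EOF'
# Sensor Server is listening on any IP
sensors-srvr = 0.0.0.0;
# Admin Server is listening on any IP
admin-srvr = 0.0.0.0;
EOF
cat > "$tmp/sensors-default.conf" <<'EOF'
# Replace this with the IP of the manager.
manager-addr = 192.168.0.1;
node-name = yourbox.yourdomain.com;
node-location = Rack 2, Server 5. Monitoring Network A from a SPAN port on switch 28A;
[Node Address]
address = 192.168.0.1;
netmask = 255.255.255.0;
EOF

audit_manager "$tmp/prelude-manager.conf" \
    || echo "-> bind admin-srvr to 127.0.0.1 unless you administer remotely, and sensors-srvr to the interface the sensors reach"
echo "sensor reports to manager $(conf_get "$tmp/sensors-default.conf" "" manager-addr)"
echo "sensor node address $(conf_get "$tmp/sensors-default.conf" "Node Address" address)/$(conf_get "$tmp/sensors-default.conf" "Node Address" netmask)"
```

<p>Run it against <span class="path" dir="ltr">/etc/prelude-manager/prelude-manager.conf</span> after editing; a clean result means both listeners are pinned to a specific address. The parser deliberately matches a key only within the requested section, so a <span class="path" dir="ltr">netmask</span> looked up outside <span class="path" dir="ltr">[Node Address]</span> returns nothing rather than the wrong value.</p>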
<p>
We will now register our sensors with the manager. A sensor can talk to the manager either over an SSL-encrypted connection or over an unencrypted one. The only case in which the unencrypted option is acceptable is when the manager and the sensor run on the same box; alerts that cross a network should always be encrypted.</p>
<p class="secthead"><a name="doc_chap4_sect2">Installing the NIDS Sensor</a></p>
<p>
We will now run the necessary commands to set up the SSL connection.
</p>
<a name="doc_chap4_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.2: Setting Up the Encrypted Connection</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">manager-adduser</span>
No Manager key exist... Building Manager private key...
<span class="code-comment">Key size in bits. 1024 was the default when this guide was written and is
no longer considered adequate for RSA; choose a larger size if your version accepts one.</span>
What keysize do you want [1024] ?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<span class="code-comment">Here you can hit ENTER again to select a key that does not expire.</span>
Key is valid for [0] :
Key length : 1024
Expire : Never
<span class="code-comment">If everything looks right, type "yes" and hit ENTER.</span>
Is this okay [yes/no] : yes
Generating a 1024 bit RSA private key...
................++++++
...........................++++++
Writing new private key to '/etc/prelude-manager/prelude-manager.key'.
Adding self signed Certificate to '/etc/prelude-manager/prelude-manager.key'
<span class="code-comment">Note this one-shot password: sensor-adduser will ask for it, and it is only valid for this registration.</span>
Generated one-shot password is "p=7f6N7+".
This password will be requested by "sensor-adduser" in order to connect.
Please remove the first and last quote from this password before using it.
waiting for install request from Prelude sensors...
<span class="code-comment">Do not close this terminal. Leave it open and open another session to
continue the guide.</span>
</pre></td></tr>
</table>
<p>
Now open up another terminal if you have not already done so and proceed to add the sensor user. Right now we will be adding the user for the NIDS component to Prelude.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Remember that if the sensor and the manager run on the same machine, you must specify the machine's Ethernet IP, not <span class="path" dir="ltr">127.0.0.1</span>, to get an encrypted connection. If you specify <span class="path" dir="ltr">127.0.0.1</span>, <span class="code" dir="ltr">sensor-adduser</span> will default to an unencrypted connection.<br><br>Conversely, if you do not want SSL on a single-box setup, specify <span class="path" dir="ltr">127.0.0.1</span>.
</p></td></tr></table>
<a name="doc_chap4_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.3: Adding the Sensor User</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment"> You will want to change "192.168.1.102" if the manager is on a different IP.</span>
# <span class="code-input">sensor-adduser -s prelude-nids -m 192.168.1.102 -u 0</span>
Now please start "manager-adduser" on the Manager host where
you wish to add the new user.
Please remember that you should call "sensor-adduser" for each configured
Manager entry.
<span class="code-comment">We have already done this; hit ENTER.</span>
Press enter when done.
Please use the one-shot password provided by the "manager-adduser" program.
<span class="code-comment">Enter the one-shot password printed by manager-adduser. It is shown here
for clarity, but it is not echoed back when you type it.</span>
Enter registration one shot password : p=7f6N7+
Please confirm one shot password : p=7f6N7+
<span class="code-comment">If the connection does not succeed, manager-adduser is probably no longer
running in the other terminal. Remove /etc/prelude-manager/prelude-manager.key and
start again with manager-adduser (sensors registered against the old key will
have to be registered again, since they store the manager's certificate).</span>
connecting to Manager host (127.0.0.1:5553)... Succeeded.
What keysize do you want [1024] ? 1024
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
Key is valid for [0] : 0
Key length : 1024
Expire : Never
Is this okay [yes/no] : yes
Generating a 1024 bit RSA private key...
...........++++++
........................................++++++
Writing new private key to '/etc/prelude-sensors/ssl/prelude-nids-key.0'.
Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-nids-key.0'
writing Prelude Manager certificate.
Using already allocated ident for prelude-nids@yourbox: 1057315311.
</pre></td></tr>
</table>
<p>
Now switch back to the terminal with manager-adduser running in it. You should see output that resembles that below.
</p>
<a name="doc_chap4_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.4: manager-adduser Output</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
Connection from 192.168.1.102.
sensor choose to use SSL communication method.
Writing Prelude certificate to /etc/prelude-manager/prelude-sensors.cert
Registration completed.
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap4_sect3">Adding the LML Sensor</a></p>
<p>
We will now set up the Log Monitoring Lackey.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>Compared with the NIDS example, a number of output lines are "missing" here. The key-generation prompts only appear the first time <span class="code" dir="ltr">manager-adduser</span> is run; once the manager key exists, it goes straight to generating the one-shot password.</p></td></tr></table>
<a name="doc_chap4_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.5: Setting up the Manager for the LML</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">manager-adduser</span>
Generated one-shot password is "4;%f7%1Y".
This password will be requested by "sensor-adduser" in order to connect.
Please remove the first and last quote from this password before using it.
waiting for install request from Prelude sensors...
</pre></td></tr>
</table>
<p>
Again, switch over to another terminal and proceed with the next example.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
We use the same procedure as in the NIDS example, so the comments from that listing apply here, too.
</p></td></tr></table>
<a name="doc_chap4_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing4.6: Setting up the LML</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">sensor-adduser -s prelude-lml -m 192.168.1.102 -u 0</span>
Now please start "manager-adduser" on the Manager host where
you wish to add the new user.
Please remember that you should call "sensor-adduser" for each configured
Manager entry.
<span class="code-comment">Hit enter; we have already started manager-adduser.</span>
Press enter when done.
Please use the one-shot password provided by the "manager-adduser" program.
Enter registration one shot password : 4;%f7%1Y
Please confirm one shot password : 4;%f7%1Y
connecting to Manager host (127.0.0.1:5553)... Succeeded.
What keysize do you want [1024] ? 1024
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
Key is valid for [0] : 0
Key length : 1024
Expire : Never
Is this okay [yes/no] : yes
Generating a 1024 bit RSA private key...
...............++++++
.++++++
Writing new private key to '/etc/prelude-sensors/ssl/prelude-lml-key.0'.
Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-lml-key.0'
writing Prelude Manager certificate.
Using already allocated ident for prelude-lml@yourbox: 1057887742.
</pre></td></tr>
</table>
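<p>Once both sensors are registered, it is worth confirming what the two tools wrote to disk. The script below is an added example, not part of the Gentoo guide or of Prelude: it checks that the sensor keys (<span class="path" dir="ltr">prelude-nids-key.0</span>, <span class="path" dir="ltr">prelude-lml-key.0</span>), the manager key and the manager's <span class="path" dir="ltr">prelude-sensors.cert</span> exist, and that the private keys are not readable by group or others. It assumes the paths printed in the listings above and, as written, runs against a scratch tree of placeholder files; point <span class="path" dir="ltr">MANAGER_DIR</span> and <span class="path" dir="ltr">SENSOR_SSL_DIR</span> at the real directories and drop the demo section to audit a live host.</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide or the Prelude project.
# After registering sensors, verify the key material written by
# manager-adduser and sensor-adduser: the private keys must exist and must
# not be readable by group or others, and the manager must have stored the
# sensor certificates. File names are the ones printed in the listings above.
# MANAGER_DIR and SENSOR_SSL_DIR can be overridden (the demo at the bottom
# points them at a scratch tree of placeholder files).
MANAGER_DIR=${MANAGER_DIR:-/etc/prelude-manager}
SENSOR_SSL_DIR=${SENSOR_SSL_DIR:-/etc/prelude-sensors/ssl}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# private_key_ok FILE
# 0 if FILE exists and its group/other bits are all clear (0600, 0400, ...).
private_key_ok() {
    if [ ! -f "$1" ]; then
        echo "MISSING: $1"; return 1
    fi
    m=$(file_mode "$1")
    case "$m" in
        *00) echo "ok:   $1 (mode $m)"; return 0 ;;
        *)   echo "WARN: $1 is mode $m: group/other can read this private key"; return 1 ;;
    esac
}

# check_sensor_keys SENSOR [INDEX]
# Sensor side: the key sensor-adduser wrote for SENSOR (index 0 by default).
check_sensor_keys() {
    private_key_ok "$SENSOR_SSL_DIR/$1-key.${2:-0}"
}

# check_manager_keys
# Manager side: the manager's own key and the certificate store that
# manager-adduser fills in when a registration completes.
check_manager_keys() {
    rc=0
    private_key_ok "$MANAGER_DIR/prelude-manager.key" || rc=1
    if [ -f "$MANAGER_DIR/prelude-sensors.cert" ]; then
        echo "ok:   $MANAGER_DIR/prelude-sensors.cert present"
    else
        echo "MISSING: $MANAGER_DIR/prelude-sensors.cert (no registration completed?)"; rc=1
    fi
    return $rc
}

# Constructed demo tree with placeholder files (not real keys): one sensor
# key protected correctly, one left world-readable, so both outcomes show.
demo=${TMPDIR:-/tmp}/prelude-keys.$$
mkdir -p "$demo/manager" "$demo/sensors"
MANAGER_DIR=$demo/manager
SENSOR_SSL_DIR=$demo/sensors
printf 'placeholder, not a key\n' > "$SENSOR_SSL_DIR/prelude-nids-key.0"
chmod 600 "$SENSOR_SSL_DIR/prelude-nids-key.0"
printf 'placeholder, not a key\n' > "$SENSOR_SSL_DIR/prelude-lml-key.0"
chmod 644 "$SENSOR_SSL_DIR/prelude-lml-key.0"
printf 'placeholder, not a key\n' > "$MANAGER_DIR/prelude-manager.key"
chmod 600 "$MANAGER_DIR/prelude-manager.key"
printf 'placeholder, not a cert\n' > "$MANAGER_DIR/prelude-sensors.cert"

for s in prelude-nids prelude-lml; do
    check_sensor_keys "$s" || echo "-> chmod 600 $SENSOR_SSL_DIR/$s-key.0"
done
check_manager_keys || :
```

<p>On a split deployment run the sensor check on the sensor host and the manager check on the manager host. A world-readable sensor key lets any local user impersonate that sensor to the manager, which is why the check treats anything other than owner-only access as a failure.</p>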
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
</span>Post Installation</p>
<p class="secthead"><a name="doc_chap5_sect1">Testing the Manager</a></p>
<p>
On the manager box, start the Prelude manager in the foreground.
</p>
<a name="doc_chap5_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.1: Starting the Manager</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">prelude-manager</span>
- Initialized 2 reporting plugins.
- Initialized 1 database plugins.
- Subscribing Prelude NIDS data decoder to active decoding plugins.
- Initialized 1 decoding plugins.
- Initialized 0 filtering plugins.
- Subscribing TextMod to active reporting plugins.
- sensors server started (listening on 127.0.0.1:5554).
</pre></td></tr>
</table>
<p>
Now go ahead and switch over to the sensor box. We will test the communication by using the NIDS sensor.
</p>
<a name="doc_chap5_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.2: Starting the NIDS Sensor</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">Remember to change the manager address if it differs from the example.</span>
# <span class="code-input">prelude-nids -i eth0 --manager-addr 127.0.0.1</span>
- Initialized 3 protocols plugins.
- Initialized 5 detections plugins.
- RpcMod subscribed for "rpc" protocol handling.
- TelnetMod subscribed for "telnet" protocol handling.
- HttpMod subscribed for "http" protocol handling.
- Done loading Unicode table (663 Unichars, 0 ignored, 0 with errors)
- ScanDetect subscribed to : "[TCP,UDP]".
- ArpSpoof subscribed to : "[ARP]".
/etc/prelude-nids/ruleset/web-misc.rules (7) Parse error: Unknow key regex
/etc/prelude-nids/ruleset/web-misc.rules (65) Parse error: Unknow key regex
- Signature engine added 890 and ignored 2 signature.
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
- Initializing packet capture.
</pre></td></tr>
</table>
<p>
Check that your output looks roughly the same. The lines that matter are the ones showing the connection to the manager and the authentication result:
</p>
<a name="doc_chap5_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.3: Important output from NIDS</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
</pre></td></tr>
</table>
<a name="doc_chap5_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.4: Important output from the manager after we have started NIDS</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
[unix] - accepted connection.
[unix] - plaintext authentication succeed.
[unix] - sensor declared ident 578232824809457160.
</pre></td></tr>
</table>
<p>
If you do not see those two sets of output, make sure that the manager is listening on the right IP and that the manager address supplied to NIDS is correct. Note that this test connects to <span class="path" dir="ltr">127.0.0.1</span>, so the sensor uses the local Unix socket and plaintext authentication, which is why the listings above report it. If the sensor runs on another host and was registered with SSL, it should report an SSL authentication rather than a plaintext one; if you see plaintext there, re-check the address you passed to <span class="code" dir="ltr">sensor-adduser</span>.
</p>
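<p>The lines above can be checked mechanically. The script below is an added example, not from the Gentoo guide or the Prelude project: it reads a captured sensor startup log and the manager's output, fails if the sensor authenticated in plaintext to a manager that is not on the loopback address, reports rules that failed to parse (the two <span class="path" dir="ltr">web-misc.rules</span> errors above mean two signatures will never fire), and extracts the ident the manager recorded. The sample logs are constructed from the listings above; the <span class="code" dir="ltr">run_sensor_test</span> helper, which runs <span class="code" dir="ltr">prelude-nids</span> under <span class="code" dir="ltr">timeout</span> to capture a live log, is an assumption about the sensor's behaviour and is not invoked by default.</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide or the Prelude project.
# Checks the startup output of a sensor test run for the three things the
# text above says to look at: which authentication was negotiated, whether
# the ruleset loaded cleanly, and whether the manager recorded the sensor's
# ident. The message formats are taken from the listings above.

# sensor_auth_check MANAGER_ADDR SENSOR_OUTPUT_FILE
# 0 when the reported authentication is consistent with MANAGER_ADDR:
# plaintext is acceptable only towards a loopback manager (the local
# Unix-socket case in this guide); a remote manager should have been
# registered with SSL. 1 if plaintext was used remotely or no manager
# connection was reported at all.
sensor_auth_check() {
    if ! grep -q 'Manager' "$2"; then
        echo "FAIL: no manager connection reported; check the manager address and listen settings"
        return 1
    fi
    if grep -q 'Plaintext authentication succeed' "$2"; then
        case "$1" in
            127.*) echo "ok:   plaintext authentication to local manager $1"; return 0 ;;
            *)     echo "FAIL: plaintext authentication to remote manager $1; re-check the -m address given to sensor-adduser"; return 1 ;;
        esac
    fi
    echo "ok:   no plaintext authentication reported towards $1"
    return 0
}

# ruleset_check SENSOR_OUTPUT_FILE
# Counts "Parse error" lines and reads the "Signature engine added N and
# ignored M signature." summary. 0 only when nothing failed to parse and
# nothing was ignored: an ignored signature never fires.
ruleset_check() {
    errs=$(grep -c 'Parse error' "$1" || true)
    summary=$(grep 'Signature engine added' "$1" || true)
    added=$(printf '%s\n' "$summary" | sed -n 's/.*added \([0-9]*\) and ignored \([0-9]*\) signature.*/\1/p')
    ignored=$(printf '%s\n' "$summary" | sed -n 's/.*added \([0-9]*\) and ignored \([0-9]*\) signature.*/\2/p')
    echo "rules: added=${added:-?} ignored=${ignored:-?} parse_errors=$errs"
    if [ "$errs" -eq 0 ] && [ "${ignored:-1}" -eq 0 ]; then
        return 0
    fi
    grep 'Parse error' "$1" | sed 's/^/   /'
    return 1
}

# sensor_ident MANAGER_OUTPUT_FILE
# Prints the ident the manager recorded for the sensor; empty if the
# handshake never reached that point.
sensor_ident() {
    sed -n 's/.*sensor declared ident \([0-9]*\)\..*/\1/p' "$1"
}

# run_sensor_test IFACE MANAGER_ADDR OUTPUT_FILE
# Assumption (not verified against the Prelude source): prelude-nids keeps
# running in the foreground and prints its startup lines to stdout/stderr,
# so timeout(1) stops it after it has had time to connect.
run_sensor_test() {
    timeout 20 prelude-nids -i "$1" --manager-addr "$2" > "$3" 2>&1 || :
}

# Constructed sample output (copied from the listings above, not captured
# live) so the checks run without a sensor installed.
scratch=${TMPDIR:-/tmp}/prelude-test.$$
mkdir -p "$scratch"
cat > "$scratch/nids.out" <<'EOF'
- Initialized 3 protocols plugins.
- Initialized 5 detections plugins.
/etc/prelude-nids/ruleset/web-misc.rules (7) Parse error: Unknow key regex
/etc/prelude-nids/ruleset/web-misc.rules (65) Parse error: Unknow key regex
- Signature engine added 890 and ignored 2 signature.
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
- Initializing packet capture.
EOF
cat > "$scratch/manager.out" <<'EOF'
[unix] - accepted connection.
[unix] - plaintext authentication succeed.
[unix] - sensor declared ident 578232824809457160.
EOF

sensor_auth_check 127.0.0.1 "$scratch/nids.out" || :
ruleset_check "$scratch/nids.out" || echo "-> fix or drop the rules above; the two ignored signatures will never match"
echo "manager recorded sensor ident: $(sensor_ident "$scratch/manager.out")"
```

<p>For a live run, capture the sensor with <span class="code" dir="ltr">run_sensor_test eth0 127.0.0.1 /tmp/nids.out</span> and the manager's foreground output with a redirect, then point the three functions at those files. The ruleset check fails on ignored signatures on purpose: the parse errors above are easy to scroll past, but each one is a detection you believe you have and do not.</p>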
<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
</span>Running and Managing Prelude</p>
<p class="secthead"><a name="doc_chap6_sect1">Starting up the Prelude Daemons</a></p>
<p>
There are several init scripts that control the different parts to Prelude, so we will want to start those up now.
</p>
<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.1: Starting the Prelude Daemons</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">First, we will start up the manager.</span>
# <span class="code-input">/etc/init.d/prelude-manager start</span>
<span class="code-comment">Next, it is time to start the NIDS</span>
# <span class="code-input">/etc/init.d/prelude-nids start</span>
<span class="code-comment">And finally, we will start up the LML.</span>
# <span class="code-input">/etc/init.d/prelude-lml start</span>
</pre></td></tr>
</table>
<p>
Most likely, you are going to want Prelude and its components to start up when you boot up the computer. In order to achieve this, we will add the necessary components to the default runlevel.
</p>
<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.2: Adding the Daemons to the Run Level</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">rc-update add prelude-manager default</span>
# <span class="code-input">rc-update add prelude-nids default</span>
# <span class="code-input">rc-update add prelude-lml default</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap6_sect2">Installing PIWI</a></p>
<p>
PIWI was already emerged in the Installing Prelude chapter; if you skipped that step, emerge it now.
</p>
<a name="doc_chap6_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.3: Emerging PIWI</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">emerge piwi</span>
</pre></td></tr>
</table>
<p>
We will now follow the instructions that the emerge process gives us.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>Depending on which version of Apache you are running, the following file names may vary. If you are using Apache2, the files are located in <span class="path" dir="ltr">/etc/apache2/conf</span> and are named differently. Usually the Apache2 file names differ only by an added "2": for example, <span class="path" dir="ltr">apache.conf</span> becomes <span class="path" dir="ltr">apache2.conf</span>.</p></td></tr></table>
<a name="doc_chap6_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.4: /etc/apache/conf/apache.conf</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">The best place for this line is probably at the end of the file.</span>
Include /etc/piwi/piwi-apache.conf
</pre></td></tr>
</table>
<p>Now we will tell Apache to load the PIWI-specific configuration directives. If this step is skipped, Apache will not know to execute the Perl scripts and will serve their source as plain text when you visit the PIWI location, which both breaks the interface and discloses the scripts' code.</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>If you are already loading other Apache modules, you merely have to add <span class="path" dir="ltr">-D PIWI</span> rather than replacing the whole <span class="path" dir="ltr">APACHE_OPTS</span> line.</p></td></tr></table>
<a name="doc_chap6_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.5: /etc/conf.d/apache</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
APACHE_OPTS="-D PIWI"
</pre></td></tr>
</table>
<p>
Next, we need to edit the PIWI configuration file to match our MySQL database settings that we used for Prelude.
</p>
<a name="doc_chap6_pre6"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.6: /etc/piwi/config.pl</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">Edit the next two lines to suit your setup.</span>
$conf{'dblogin'}='prelude';
$conf{'dbpasswd'}='dbpass';
</pre></td></tr>
</table>
<p>
All that is left to do is start up Apache and check to make sure that the PIWI scripts are being processed correctly.
</p>
<a name="doc_chap6_pre7"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing6.7: Starting Apache</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
# <span class="code-input">/etc/init.d/apache start</span>
</pre></td></tr>
</table>
<p>
Now point your browser to <span class="path" dir="ltr">http://yoursite/piwi</span> and you should be greeted by a Web interface.
</p>
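<p>The listings above leave a few things to verify by hand: that the Include line was really added, that <span class="path" dir="ltr">-D PIWI</span> made it into <span class="path" dir="ltr">APACHE_OPTS</span>, and that Apache now executes the Perl scripts instead of serving their source. The shell script below is an added example, not part of this guide or of the PIWI project, that performs those checks plus one the guide does not mention: <span class="path" dir="ltr">/etc/piwi/config.pl</span> holds the Prelude database password in clear text, so it should not be world-readable. The <span class="path" dir="ltr">APACHE_CONF</span>, <span class="path" dir="ltr">APACHE_CONFD</span> and <span class="path" dir="ltr">PIWI_CONF</span> variables, the function names and the constructed sample files are all assumptions of this example; the paths default to the Apache 1 locations used in the listings.</p>

```shell
#!/bin/sh
# Added example: post-install checks for the PIWI/Apache steps above.
# Not part of the Gentoo guide. Paths default to the Apache 1 locations the
# guide uses; override them in the environment for Apache 2 (assumed names).
APACHE_CONF="${APACHE_CONF:-/etc/apache/conf/apache.conf}"
APACHE_CONFD="${APACHE_CONFD:-/etc/conf.d/apache}"
PIWI_CONF="${PIWI_CONF:-/etc/piwi/config.pl}"

# Is the Include line present and not commented out?
check_include() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/piwi/piwi-apache\.conf' "$1"
}

# Does the APACHE_OPTS line define PIWI (possibly next to other -D flags)?
check_apache_opts() {
    grep -E '^[[:space:]]*APACHE_OPTS=' "$1" | grep -q -- '-D[[:space:]]*PIWI'
}

# config.pl carries the database password in clear text, so the "other"
# permission bits must all be off. ls -l is used instead of stat for portability.
check_config_perms() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c8-10)
    [ "$perms" = "---" ]
}

# Given a saved response body, decide whether Apache executed the Perl script
# (HTML comes back) or served its source (the symptom the guide warns about).
check_response_is_html() {
    if grep -q '^#!.*perl' "$1"; then
        return 1
    fi
    grep -qi '<html' "$1"
}

# Constructed sample files standing in for a real installation; prints the
# scratch directory so the checks can be exercised without touching /etc.
make_samples() {
    dir=$(mktemp -d)
    printf 'ServerRoot /usr/lib/apache\nInclude /etc/piwi/piwi-apache.conf\n' > "$dir/apache.conf"
    printf 'APACHE_OPTS="-D SSL -D PIWI"\n' > "$dir/apache"
    cat > "$dir/config.pl" <<'EOF'
$conf{'dblogin'}='prelude';
$conf{'dbpasswd'}='dbpass';
EOF
    chmod 640 "$dir/config.pl"
    cp "$dir/config.pl" "$dir/config.pl.bad"
    chmod 644 "$dir/config.pl.bad"
    printf '<html><head><title>PIWI</title></head><body>ok</body></html>\n' > "$dir/good.html"
    printf '#!/usr/bin/perl\nuse strict;\nprint "Content-type: text/html\\n\\n";\n' > "$dir/raw.pl"
    printf '%s\n' "$dir"
}

# Run the static checks against the live system paths; stop at the first failure.
run_live_checks() {
    check_include "$APACHE_CONF"      || { echo "missing Include in $APACHE_CONF"; return 1; }
    check_apache_opts "$APACHE_CONFD" || { echo "-D PIWI missing in $APACHE_CONFD"; return 1; }
    check_config_perms "$PIWI_CONF"   || { echo "$PIWI_CONF is world-readable"; return 1; }
    echo "static checks passed"
}

# Demo on the constructed samples when invoked as: sh piwi-check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_samples)
    check_include "$d/apache.conf"        && echo "include: ok"
    check_apache_opts "$d/apache"         && echo "APACHE_OPTS: ok"
    check_config_perms "$d/config.pl"     && echo "config.pl permissions: ok"
    check_config_perms "$d/config.pl.bad" || echo "config.pl.bad: world-readable (expected failure)"
    check_response_is_html "$d/good.html" && echo "good.html: processed output"
    check_response_is_html "$d/raw.pl"    || echo "raw.pl: served as source (expected failure)"
fi
```

<p>To check a running server, save the page with <span class="path" dir="ltr">wget -q -O body.html http://yoursite/piwi/</span> and run <span class="path" dir="ltr">check_response_is_html body.html</span>; a body that begins with <span class="path" dir="ltr">#!/usr/bin/perl</span> means the Include or the <span class="path" dir="ltr">-D PIWI</span> step was skipped. <span class="path" dir="ltr">run_live_checks</span> covers the static files only and needs read access to the three configuration paths.</p>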
<p class="chaphead"><a name="doc_chap7"></a><span class="chapnum">7.
</span>Credits</p>
<p class="secthead"><a name="doc_chap7_sect1">Works Cited</a></p>
<ul>
<li>Collective Work. PreludeIntrusionDetectionSystem - Gentoo Wiki.</li>
<li><a href="mailto:polombo@cartel-securite.fr">Polombo, Daniel</a>. <a href="http://prelude-ids.org/article.php3?id_article=6">Prelude Hybrid IDS</a>.</li>
</ul>
<br><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Page updated July 17, 2003</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
This guide will assist you in setting up the Prelude Intrusion Detection System along with the rules needed to make it useful.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext"><a href="mailto:zack@tehunlose.com" class="altlink"><b>
Zack Gilburd</b></a>
<br><i>Author</i><br><br>
<a href="mailto:michael.boman@gmail.com" class="altlink"><b>Michael Boman</b></a>
<br><i>Contributors</i><br><br>
<a href="mailto:kzaraska@student.uci.agh.edu.pl" class="altlink"><b>Krzysztof Zaraska</b></a>
<br><i>Contributors</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>