Gentoo Linux Documentation -- Prelude Intrusion Detection System
1.
About Prelude
Background Information
Prelude was founded and written by Yoann Vandoorselaere in 1998. Many others have also greatly contributed to it.
Prelude is a hybrid intrusion detection system that detects and monitors security intrusions, whether the attack is mounted over the Internet or locally. The monitoring work that Prelude does is made possible via an LML (Log Monitoring Lackey). Prelude can also utilize the rulesets from intrusion detection systems such as Snort.
What Are the Components?
-
prelude-manager : The manager is the place where all the main logging is done. When the manager receives a signal from the sensors, it logs the signal so the user can investigate. Logging can either be done to a file or to a database such as MySQL. The latter is the recommended solution.
-
prelude-nids : NIDS is a plugin for Prelude and stands for Network Intrusion Detection System. The prelude-nids package should definitely be used alongside Prelude proper, but is not mandatory. The NIDS package also provides functionality like that of Snort.
-
prelude-lml : The LML stands for Log Monitoring Lackey. Like the NIDS, it is also a sensor. The LML watches your logfiles and looks for anything out of the ordinary. Should abnormalities be found, an alert is sent to the manager.
-
libprelude : libprelude provides for the libraries necessary in order for the manager to be able to talk to the other plugins. It also provides the sensors with extra features.
-
piwi : PIWI stands for Prelude Intrusion (Detection System) Web Interface. The name pretty much describes the package; it is an interface powered by Perl that can help the end user manage their rules and see when attacks are happening or have happened.
2.
Installing Prelude
Emerging the Packages
We will now begin by adding ssl to our make.conf, then emerging each of the packages described above.
Code Listing 2.1: /etc/make.conf |
USE="ssl"
|
Code Listing 2.2: Starting the Emerges |
# emerge libprelude
# emerge prelude-lml
# emerge prelude-nids
# emerge prelude-manager
# emerge piwi
|
3.
Configuring Prelude
Setting up the Manager
We will now edit the Manager's main configuration file, prelude-manager.conf. Two of the most important settings control where Prelude will listen. For instance, if your box has two IPs but you only want Prelude to listen on one of them, you would supply that IP in the configuration instead of 0.0.0.0.
Code Listing 3.1: /etc/prelude-manager/prelude-manager.conf |
# Sensor Server is listening on any IP
sensors-srvr = 0.0.0.0;
# Admin Server is listening on any IP
admin-srvr = 0.0.0.0;
|
Setting up the Database
If you want to set up Prelude to work with its backend being a database like MySQL or PostgreSQL (and believe me, you do), then you will want to continue with this section. If you really and truly would rather use plaintext logging, then you can skip this section.
Important: Your SQL server, whether it be MySQL or PostgreSQL, needs to be running before you proceed. |
Code Listing 3.2: Creating the Database |
# /usr/bin/prelude-manager-db-create.sh
Prelude Database Support Installation
=====================================
*** Phase 0/7 ***
Warning: if you want to use database support with prelude
You should dedicate the database for this job only.
So if you ever have a database running for another job
please think about taking it away, because this script
will install prelude as a dedicated database and you
could meet some troubles with your old bases.
Do you want to install a dedicated database for prelude ?
(y)es / (n)o : y
*** Phase 1/7 ***
Enter the type of the database [mysql|pgsql]: mysql
*** Phase 2/7 ***
Enter the name of the host where the database is running [localhost]:
*** Phase 3/7 ***
Enter the port where the database is running [3306]:
*** Phase 4/7 ***
Enter the name of the database that should be created to stock alerts [prelude]:
*** Phase 5/7 ***
This installation script has to connect to your mysql database in order to create a user dedicated to stock prelude's alerts
What is the database administrative user ? [root]:
We need the password of the admin user "root" to log on the database.
By default under mysql, root has an empty password.
Please enter a password:
Please confirm entered password:
*** Phase 6/7 ***
We need to create a database user account that will be used by the Prelude Manager in order to access the "prelude" database.
Username to create [prelude] :
We need to set a password for this special "prelude" account.
This password will have to be used by prelude-manager to access the database.
Please enter a password:
Please confirm entered password:
*** Phase 7/7 ***
Please confirm those information before processing :
Database name : prelude
Database admin user: root
Database admin password: (not shown)
prelude owner user: prelude
prelude owner password: (not shown)
Is everything okay ? (yes/no) : yes
Creating the database prelude...
Creating user "prelude" for database "prelude",
using "root" to connect to the database.
Creating tables with /usr/share/prelude-manager/mysql/mysql.sql
-------------- End of Database Support Installation -------------
If it succeeded, you should now be able to launch prelude-manager like that :
==> prelude-manager --mysql --dbhost localhost --dbname prelude --dbuser prelude --dbpass xxxxxx
Or you may modify the prelude-manager configuration file (/usr/local/etc/prelude-manager/prelude-manager.conf by default) in order to launch prelude-manager without database arguments:
---------- cut here --->
[MySQL]
# Host the database is listening on.
dbhost = localhost;
# Port the database is listening on.
dbport = 3306;
# Name of the database.
dbname = prelude;
# Username to be used to connect the database.
dbuser = prelude;
# Password used to connect the database.
dbpass = xxxxxx;
<--- cut here ----------
Replace xxxxxx by the password you choose for the manager account
-----------------------------------------------------------------
|
NIDS Configuration
Now we just need to set up NIDS so it knows which ethernet device to monitor.
Code Listing 3.3: /etc/conf.d/prelude-nids |
OPTIONS="-i eth0"
|
4.
Installing Sensors
Prerequisite Configuration
We will now be setting up the default configuration for the sensors in the /etc/prelude-sensors/sensors-default.conf file. This will be used globally for the sensors. You can edit the values below to match your setup and then place them in the configuration file.
Code Listing 4.1: /etc/prelude-sensors/sensors-default.conf |
manager-addr = 192.168.0.1;
node-name = yourbox.yourdomain.com;
node-location = Rack 2, Server 5. Monitoring Network A from an SPAN port on switch 28A;
[Node Adress]
address = 192.168.0.1;
netmask = 255.255.255.0;
|
We will now be adding our sensors to the manager. There are two ways of setting up the manager to talk to the sensors: via an SSL encrypted connection and via an unencrypted connection. The only time when you will want to opt for the latter is when the manager and the sensor are on the same box.
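Before the daemons go live it is worth checking the two files above for the settings this guide warns about: a manager bound to 0.0.0.0 when you only meant one IP, a dbpass still set to the xxxxxx placeholder from the database script, and a manager-addr of 127.0.0.1 that will make sensor-adduser fall back to an unencrypted connection. The following is an added example, not code from Prelude or Gentoo; it assumes only the "key = value;" and "[Section]" form shown in the listings, and the sample files are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the "key = value;" / "[Section]" form this guide
# shows for prelude-manager.conf and sensors-default.conf (added example,
# not a file shipped by Prelude or Gentoo).
SAMPLE_MANAGER_CONF = """\
# Sensor Server is listening on any IP
sensors-srvr = 0.0.0.0;
admin-srvr = 0.0.0.0;
[MySQL]
dbhost = localhost;
dbuser = prelude;
dbpass = xxxxxx;
"""
SAMPLE_SENSOR_CONF = """\
manager-addr = 127.0.0.1;
node-name = yourbox.yourdomain.com;
"""

KEY_VALUE_RE = re.compile(r"^([\w-]+)\s*=\s*(.*?)\s*;?$")

def parse_conf(text: str) -> Dict[Tuple[str, str], str]:
    """Map (section, key) -> value; keys before any [Section] use ''."""
    section, result = "", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments/blank lines (assumes no '#' in values)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            result[(section, m.group(1))] = m.group(2)
    return result

def audit(manager: Dict[Tuple[str, str], str],
          sensor: Dict[Tuple[str, str], str]) -> List[str]:
    """Flag the settings this guide calls out before the daemons go live."""
    findings = []
    for key in ("sensors-srvr", "admin-srvr"):
        if manager.get(("", key)) == "0.0.0.0":
            findings.append(f"{key} listens on every interface; bind it to the IP the sensors use")
    if manager.get(("MySQL", "dbpass")) in (None, "xxxxxx"):
        findings.append("MySQL dbpass is unset or still the xxxxxx placeholder")
    if sensor.get(("", "manager-addr"), "").startswith("127."):
        findings.append("manager-addr is loopback, so sensor-adduser will register without SSL")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_MANAGER_CONF), parse_conf(SAMPLE_SENSOR_CONF)):
        print("WARN:", finding)
```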
Installing the NIDS Sensor
We will now run the necessary commands to set up the SSL connection.
Code Listing 4.2: Setting Up the Encrypted Connection |
# manager-adduser
No Manager key exist... Building Manager private key...
What keysize do you want [1024] ?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
Key is valid for [0] :
Key length : 1024
Expire : Never
Is this okay [yes/no] : yes
Generating a 1024 bit RSA private key...
................++++++
...........................++++++
Writing new private key to '/etc/prelude-manager/prelude-manager.key'.
Adding self signed Certificate to '/etc/prelude-manager/prelude-manager.key'
Generated one-shot password is "p=7f6N7+".
This password will be requested by "sensor-adduser" in order to connect.
Please remove the first and last quote from this password before using it.
waiting for install request from Prelude sensors...
|
Now open up another terminal if you have not already done so and proceed to add the sensor user. Right now we will be adding the user for the NIDS component to Prelude.
Important: Remember that if both the sensor and the manager are running on the same machine, it is important to specify the machine's ethernet IP, not 127.0.0.1. If you specify 127.0.0.1, sensor-adduser will default to an unencrypted connection. Conversely, if you do not want to use SSL, specify 127.0.0.1. |
Code Listing 4.3: Adding the Sensor User |
# sensor-adduser -s prelude-nids -m 192.168.1.102 -u 0
Now please start "manager-adduser" on the Manager host where
you wish to add the new user.
Please remember that you should call "sensor-adduser" for each configured
Manager entry.
Press enter when done.
Please use the one-shot password provided by the "manager-adduser" program.
Enter registration one shot password : p=7f6N7+
Please confirm one shot password : p=7f6N7+
connecting to Manager host (127.0.0.1:5553)... Succeeded.
What keysize do you want [1024] ? 1024
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
Key is valid for [0] : 0
Key length : 1024
Expire : Never
Is this okay [yes/no] : yes
Generating a 1024 bit RSA private key...
...........++++++
........................................++++++
Writing new private key to '/etc/prelude-sensors/ssl/prelude-nids-key.0'.
Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-nids-key.0'
writing Prelude Manager certificate.
Using already allocated ident for prelude-nids@yourbox: 1057315311.
|
Now switch back to the terminal with manager-adduser running in it. You should see output that resembles that below.
Code Listing 4.4: manager-adduser Output |
Connection from 192.168.1.102.
sensor choose to use SSL communication method.
Writing Prelude certificate to /etc/prelude-manager/prelude-sensors.cert
Registration completed.
|
Adding the LML Sensor
We will now set up the Log Monitoring Lackey.
Note: You may notice that quite a few lines of output are "missing" from this example. The lines that are not present here only appear during the initial run of manager-adduser and go away afterwards. |
Code Listing 4.5: Setting up the Manager for the LML |
# manager-adduser
Generated one-shot password is "4;%f7%1Y".
This password will be requested by "sensor-adduser" in order to connect.
Please remove the first and last quote from this password before using it.
waiting for install request from Prelude sensors...
|
Again, switch over to another terminal and proceed with the next example.
Note: We will be using the same methods we used in the NIDS example, so the Important note from before applies here, too. |
Code Listing 4.6: Setting up the LML |
# sensor-adduser -s prelude-lml -m 192.168.101 -u 0
Now please start "manager-adduser" on the Manager host where
you wish to add the new user.
Please remember that you should call "sensor-adduser" for each configured
Manager entry.
Press enter when done.
Please use the one-shot password provided by the "manager-adduser" program.
Enter registration one shot password : 4;%f7%1Y
Please confirm one shot password : 4;%f7%1Y
connecting to Manager host (127.0.0.1:5553)... Succeeded.
What keysize do you want [1024] ? 1024
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
Key is valid for [0] : 0
Key length : 1024
Expire : Never
Is this okay [yes/no] : yes
Generating a 1024 bit RSA private key...
...............++++++
.++++++
Writing new private key to '/etc/prelude-sensors/ssl/prelude-lml-key.0'.
Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-lml-key.0'
writing Prelude Manager certificate.
Using already allocated ident for prelude-lml@yourbox: 1057887742.
|
5.
Post Installation
Testing the Manager
On the manager box, start the Prelude manager in the foreground.
Code Listing 5.1: Starting the Manager |
# prelude-manager
- Initialized 2 reporting plugins.
- Initialized 1 database plugins.
- Subscribing Prelude NIDS data decoder to active decoding plugins.
- Initialized 1 decoding plugins.
- Initialized 0 filtering plugins.
- Subscribing TextMod to active reporting plugins.
- sensors server started (listening on 127.0.0.1:5554).
|
Now go ahead and switch over to the sensor box. We will test the communication by using the NIDS sensor.
Code Listing 5.2: Starting the NIDS Sensor |
# prelude-nids -i eth0 --manager-addr 127.0.0.1
- Initialized 3 protocols plugins.
- Initialized 5 detections plugins.
- RpcMod subscribed for "rpc" protocol handling.
- TelnetMod subscribed for "telnet" protocol handling.
- HttpMod subscribed for "http" protocol handling.
- Done loading Unicode table (663 Unichars, 0 ignored, 0 with errors)
- ScanDetect subscribed to : "[TCP,UDP]".
- ArpSpoof subscribed to : "[ARP]".
/etc/prelude-nids/ruleset/web-misc.rules (7) Parse error: Unknow key regex
/etc/prelude-nids/ruleset/web-misc.rules (65) Parse error: Unknow key regex
- Signature engine added 890 and ignored 2 signature.
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
- Initializing packet capture.
|
Make sure that your output looks relatively the same. Let us make sure that we have the important output displaying correctly.
Code Listing 5.3: Important output from NIDS |
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
|
Code Listing 5.4: Important output from the manager after we have started NIDS |
[unix] - accepted connection.
[unix] - plaintext authentication succeed.
[unix] - sensor declared ident 578232824809457160.
|
If you do not see those two sets of output, make sure that the manager is listening on the right IP and that the manager address is supplied properly for NIDS.
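Eyeballing the two sets of output works once, but if you run this test again after every change it helps to check them mechanically: did the sensor connect, did the manager accept it and record an ident, was the authentication plaintext on a listener that is not loopback (the guide only sanctions an unencrypted connection when both run on the same box), and did the signature engine ignore rules because of parse errors. The following is an added example, not Prelude's own code; it matches only the message formats shown in the listings above, and the sample output is constructed from them.

```python
import re

# Constructed excerpts of the prelude-nids and prelude-manager startup lines
# shown in this guide (added example, not Prelude's own code).
NIDS_OUTPUT = """\
- Signature engine added 890 and ignored 2 signature.
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
- Initializing packet capture.
"""
MANAGER_OUTPUT = """\
- sensors server started (listening on 127.0.0.1:5554).
[unix] - accepted connection.
[unix] - plaintext authentication succeed.
[unix] - sensor declared ident 578232824809457160.
"""

def check_sensor(output):
    """Did the sensor connect, how did it authenticate, how many rules were ignored?"""
    info = {"connected": False, "auth": None, "ignored": 0}
    for line in output.splitlines():
        if re.search(r"Connecting to .*Manager server", line):
            info["connected"] = True
        if m := re.search(r"- (\w+) authentication succeed", line):
            info["auth"] = m.group(1).lower()
        if m := re.search(r"ignored (\d+) signature", line):
            info["ignored"] = int(m.group(1))
    return info

def check_manager(output):
    """Listen address, whether a connection was accepted, and the sensor ident."""
    info = {"listen": None, "accepted": False, "ident": None}
    for line in output.splitlines():
        if m := re.search(r"listening on ([\d.]+):\d+", line):
            info["listen"] = m.group(1)
        if "accepted connection" in line:
            info["accepted"] = True
        if m := re.search(r"sensor declared ident (\d+)", line):
            info["ident"] = m.group(1)
    return info

def verify(sensor, manager):
    problems = []   # things to fix before trusting the alert feed
    if not (sensor["connected"] and manager["accepted"] and manager["ident"]):
        problems.append("sensor never registered; check the manager listen IP and --manager-addr")
    if sensor["auth"] == "plaintext" and not (manager["listen"] or "").startswith("127."):
        problems.append("plaintext authentication on a non-loopback listener; re-register with SSL")
    if sensor["ignored"]:
        problems.append(f"{sensor['ignored']} signatures ignored; review the ruleset parse errors")
    return problems
```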
6.
Running and Managing Prelude
Starting up the Prelude Daemons
There are several init scripts that control the different parts to Prelude, so we will want to start those up now.
Code Listing 6.1: Starting the Prelude Daemons |
# /etc/init.d/prelude-manager start
# /etc/init.d/prelude-nids start
# /etc/init.d/prelude-lml start
|
Most likely, you are going to want Prelude and its components to start up when you boot up the computer. In order to achieve this, we will add the necessary components to the default runlevel.
Code Listing 6.2: Adding the Daemons to the Run Level |
# rc-update add prelude-manager default
# rc-update add prelude-nids default
# rc-update add prelude-lml default
|
Installing PIWI
The first thing we will do to get PIWI working is emerge it.
Code Listing 6.3: Emerging PIWI |
# emerge piwi
|
We will now follow the instructions that the emerge process gives us.
Important: Depending on what version of Apache you are running, the following file names may vary. If you are using Apache2, the files will be located in /etc/apache2/conf and will be named differently. Usually, the Apache2 file names differ only by a "2" that is absent from the Apache1 file names. For example, apache.conf becomes apache2.conf in Apache2. |
Code Listing 6.4: /etc/apache/conf/apache.conf |
Include /etc/piwi/piwi-apache.conf
|
Now we will tell Apache to load the PIWI specific configuration directives. If we were to skip this step, when you go to the location of your website with the PIWI files, the Perl scripts will likely just show up as plain text.
Note: If you are already loading other Apache modules, you merely have to add -D PIWI rather than replacing the whole APACHE_OPTS line. |
Code Listing 6.5: /etc/conf.d/apache |
APACHE_OPTS="-D PIWI"
|
Next, we need to edit the PIWI configuration file to match our MySQL database settings that we used for Prelude.
Code Listing 6.6: /etc/piwi/config.pl |
$conf{'dblogin'}='prelude';
$conf{'dbpasswd'}='dbpass';
|
All that is left to do is start up Apache and check to make sure that the PIWI scripts are being processed correctly.
Code Listing 6.7: Starting Apache |
# /etc/init.d/apache start
|
Now point your browser to http://yoursite/piwi and you should be greeted by a Web interface.
7.
Credits
Works Cited
- Collective Work. PreludeIntrusionDetectionSystem - Gentoo Wiki.
|