Prelude was founded and written by Yoann Vandoorselaere in 1998. Many others have also greatly contributed to it.
Prelude is a hybrid intrusion detection system that will detect and monitor security intrusions, whether they happen in an attack mobilized over the Internet or an attack mobilized locally. The monitoring work that Prelude does is made possible via an LML (Log Monitoring Lackey). Prelude can also utilize the rulesets from intrusion detection systems such as Snort.
We will now begin by adding
You do not have to delete other entries from your USE, just add ssl.

USE="ssl"
Emerging the libraries.

# emerge libprelude

Now for the log lackey.

# emerge prelude-lml

Installing the Network Intrusion Detection System.

# emerge prelude-nids

Now for the most important component: the manager.

# emerge prelude-manager

Lastly, we will install PIWI.

# emerge piwi
We will now edit the Manager's main configuration file,
# Sensor Server is listening on any IP
sensors-srvr = 0.0.0.0;
# Admin Server is listening on any IP
admin-srvr = 0.0.0.0;
If you want to set up Prelude to work with its backend being a database like MySQL or PostgreSQL (and believe me, you do), then you will want to continue with this section. If you really and truly would rather use plaintext logging, then you can skip this section.
# /usr/bin/prelude-manager-db-create.sh

Prelude Database Support Installation
=====================================

*** Phase 0/7 ***

Warning: if you want to use database support with prelude
You should dedicate the database for this job only.
So if you ever have a database running for another job
please think about taking it away, because this script
will install prelude as a dedicated database and you could
meet some troubles with your old bases.

Since we want database support, we are going to say "y" here.

Do you want to install a dedicated database for prelude ? (y)es / (n)o : y

*** Phase 1/7 ***

Here you can either choose to have your database be MySQL (mysql) or PostgreSQL (pgsql). I'll be choosing MySQL.

Enter the type of the database [mysql|pgsql]: mysql

*** Phase 2/7 ***

Unless you are going to be running the MySQL server on a different box than Prelude, just hit ENTER here to choose "localhost".

Enter the name of the host where the database is running [localhost]:

*** Phase 3/7 ***

3306 is the default port for MySQL, so unless you plan on running the MySQL daemon on a different port, just hit ENTER here.

Enter the port where the database is running [3306]:

*** Phase 4/7 ***

Hit ENTER here to have the database that stores all the information that Prelude keeps track of be named "prelude".

Enter the name of the database that should be created to stock alerts [prelude]:

*** Phase 5/7 ***

You can go ahead and hit ENTER here unless you have your MySQL super-user set up under a different name.

This installation script has to connect to your mysql database in order to create
a user dedicated to stock prelude's alerts
What is the database administrative user ? [root]:
We need the password of the admin user "root" to log on the database.
By default under mysql, root has an empty password.
Please enter a password:
Please confirm entered password:

*** Phase 6/7 ***

We need to create a database user account that will be used by the Prelude Manager
in order to access the "prelude" database.
Username to create [prelude] :
We need to set a password for this special "prelude" account.
This password will have to be used by prelude-manager to access the database.
Please enter a password:
Please confirm entered password:

*** Phase 7/7 ***

Please confirm those information before processing :

Database name : prelude
Database admin user: root
Database admin password: (not shown)
prelude owner user: prelude
prelude owner password: (not shown)

Is everything okay ? (yes/no) : yes

Creating the database prelude...
Creating user "prelude" for database "prelude", using "root" to connect to the database.
Creating tables with /usr/share/prelude-manager/mysql/mysql.sql

-------------- End of Database Support Installation -------------

If it succeeded, you should now be able to launch prelude-manager like that :
==> prelude-manager --mysql --dbhost localhost --dbname prelude --dbuser prelude --dbpass xxxxxx

Or you may modify the prelude-manager configuration file
(/usr/local/etc/prelude-manager/prelude-manager.conf by default)
in order to launch prelude-manager without database arguments:

---------- cut here --->
[MySQL]

# Host the database is listening on.
dbhost = localhost;

# Port the database is listening on.
dbport = 3306;

# Name of the database.
dbname = prelude;

# Username to be used to connect the database.
dbuser = prelude;

# Password used to connect the database.
dbpass = xxxxxx;
<--- cut here ----------

Replace xxxxxx by the password you choose for the manager account
-----------------------------------------------------------------
Now we just need to set up NIDS so it knows which ethernet device to monitor.
Change eth0 to match the ethernet device to be monitored.

OPTIONS="-i eth0"
We will now be setting up the default configuration for the sensors in the
# Replace this with the IP of the manager.
manager-addr = 192.168.0.1;

# Here you will want to fill in your full hostname.
node-name = yourbox.yourdomain.com;

# This is just a plaintext descriptor. You can put almost anything here.
node-location = Rack 2, Server 5. Monitoring Network A from an SPAN port on switch 28A;

[Node Adress]

# The IP address of the box Prelude is being set up on.
address = 192.168.0.1;

# The netmask for the box.
netmask = 255.255.255.0;
We will now be adding our sensors to the manager. There are two ways of setting up the manager to talk to the sensors: via an SSL encrypted connection and via an unencrypted connection. The only time when you will want to opt for the latter is when the manager and the sensor are on the same box.
We will now run the necessary commands to set up the SSL connection.
# manager-adduser

No Manager key exist... Building Manager private key...

How many bits should the encryption be? I would recommend just hitting ENTER here.

What keysize do you want [1024] ?

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days

Here you can hit ENTER again to select a key that does not expire.

Key is valid for [0] :

Key length : 1024
Expire : Never

Granted everything is okay, type in "yes" and hit enter.

Is this okay [yes/no] : yes

Generating a 1024 bit RSA private key...
................++++++
...........................++++++
Writing new private key to '/etc/prelude-manager/prelude-manager.key'.
Adding self signed Certificate to '/etc/prelude-manager/prelude-manager.key'

This password is VERY important. Do NOT lose it until you've completed the sensor-adduser.

Generated one-shot password is "p=7f6N7+".

This password will be requested by "sensor-adduser" in order to connect.
Please remove the first and last quote from this password before using it.

waiting for install request from Prelude sensors...

Do not close this terminal! Leave it open and open another session to continue the guide.
Now open up another terminal if you have not already done so and proceed to add the sensor user. Right now we will be adding the user for the NIDS component to Prelude.
You will want to change "192.168.1.102" if the manager is on a different IP.

# sensor-adduser -s prelude-nids -m 192.168.1.102 -u 0

Now please start "manager-adduser" on the Manager host where you wish to add the new user.
Please remember that you should call "sensor-adduser" for each configured Manager entry.

We have already done this; hit ENTER.

Press enter when done.

Please use the one-shot password provided by the "manager-adduser" program.

Enter the password that I talked about above. I hope you did not lose it ;). Also, be aware that while I am going to fill in the fields here, the password will not echo back to you.

Enter registration one shot password : p=7f6N7+
Please confirm one shot password : p=7f6N7+

If you do not see that the connection succeeded then you closed the terminal that I told you not to. Remove /etc/prelude-manager/prelude-manager.key and start again with manager-adduser.

connecting to Manager host (127.0.0.1:5553)... Succeeded.

What keysize do you want [1024] ? 1024

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days

Key is valid for [0] : 0

Key length : 1024
Expire : Never

Is this okay [yes/no] : yes

Generating a 1024 bit RSA private key...
...........++++++
........................................++++++
Writing new private key to '/etc/prelude-sensors/ssl/prelude-nids-key.0'.
Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-nids-key.0'
writing Prelude Manager certificate.
Using already allocated ident for prelude-nids@yourbox: 1057315311.
Now switch back to the terminal with manager-adduser running in it. You should see output that resembles that below.
Connection from 192.168.1.102.
sensor choose to use SSL communication method.
Writing Prelude certificate to /etc/prelude-manager/prelude-sensors.cert
Registration completed.
We will now set up the Log Monitoring Lackey.
# manager-adduser

Generated one-shot password is "4;%f7%1Y".

This password will be requested by "sensor-adduser" in order to connect.
Please remove the first and last quote from this password before using it.

waiting for install request from Prelude sensors...
Again, switch over to another terminal and proceed with the next example.
# sensor-adduser -s prelude-lml -m 192.168.101 -u 0

Now please start "manager-adduser" on the Manager host where you wish to add the new user.
Please remember that you should call "sensor-adduser" for each configured Manager entry.

Hit enter; we have already started manager-adduser.

Press enter when done.

Please use the one-shot password provided by the "manager-adduser" program.

Enter registration one shot password : 4;%f7%1Y
Please confirm one shot password : 4;%f7%1Y

connecting to Manager host (127.0.0.1:5553)... Succeeded.

What keysize do you want [1024] ? 1024

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days

Key is valid for [0] : 0

Key length : 1024
Expire : Never

Is this okay [yes/no] : yes

Generating a 1024 bit RSA private key...
...............++++++
.++++++
Writing new private key to '/etc/prelude-sensors/ssl/prelude-lml-key.0'.
Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-lml-key.0'
writing Prelude Manager certificate.
Using already allocated ident for prelude-lml@yourbox: 1057887742.
On the manager box, start the Prelude manager in the foreground.
# prelude-manager

- Initialized 2 reporting plugins.
- Initialized 1 database plugins.
- Subscribing Prelude NIDS data decoder to active decoding plugins.
- Initialized 1 decoding plugins.
- Initialized 0 filtering plugins.
- Subscribing TextMod to active reporting plugins.
- sensors server started (listening on 127.0.0.1:5554).
Now go ahead and switch over to the sensor box. We will test the communication by using the NIDS sensor.
Remember to change the manager address if it differs from the example.

# prelude-nids -i eth0 --manager-addr 127.0.0.1

- Initialized 3 protocols plugins.
- Initialized 5 detections plugins.
- RpcMod subscribed for "rpc" protocol handling.
- TelnetMod subscribed for "telnet" protocol handling.
- HttpMod subscribed for "http" protocol handling.
- Done loading Unicode table (663 Unichars, 0 ignored, 0 with errors)
- ScanDetect subscribed to : "[TCP,UDP]".
- ArpSpoof subscribed to : "[ARP]".
/etc/prelude-nids/ruleset/web-misc.rules (7) Parse error: Unknow key regex
/etc/prelude-nids/ruleset/web-misc.rules (65) Parse error: Unknow key regex
- Signature engine added 890 and ignored 2 signature.
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
- Initializing packet capture.
Make sure that your output looks relatively the same. Let us make sure that we have the important output displaying correctly.
On the sensor box:

- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
On the manager box:

[unix] - accepted connection.
[unix] - plaintext authentication succeed.
[unix] - sensor declared ident 578232824809457160.
If you do not see those two sets of output, make sure that the manager is listening on the right IP and that the manager address is supplied properly for NIDS.
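The guide asks you to eyeball the sensor's start-up output; as an added example (not part of the guide, and not Prelude's own code) here is a Python check that pulls out the ruleset parse errors, the signature-engine counts and the authentication line, and warns when a plaintext session is going to a manager that is not on the same box, the case the SSL registration above is meant for. The sample output is constructed from the lines shown above, and check_sensor_startup and LOCAL are names of my own.

```python
import re

# Constructed sample of prelude-nids start-up output, modelled line for line
# on what this guide shows; it was not captured from a real sensor.
NIDS_OUTPUT = """\
- Initialized 3 protocols plugins.
- Initialized 5 detections plugins.
/etc/prelude-nids/ruleset/web-misc.rules (7) Parse error: Unknow key regex
/etc/prelude-nids/ruleset/web-misc.rules (65) Parse error: Unknow key regex
- Signature engine added 890 and ignored 2 signature.
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
- Initializing packet capture.
"""

PARSE_ERR = re.compile(r"^(?P<file>\S+) \((?P<line>\d+)\) Parse error: (?P<msg>.*)$")
AUTH_OK = re.compile(r"^- (?P<method>\w+) authentication succeed with Prelude Manager\.$")
ENGINE = re.compile(r"^- Signature engine added (\d+) and ignored (\d+) signature\.$")
LOCAL = ("127.0.0.1", "localhost")  # manager on the same box: plaintext is acceptable

def check_sensor_startup(output, manager_addr):
    """Summarise a sensor's start-up log: which rules were dropped, how it
    authenticated, and whether a plaintext session is going off-box."""
    report = {"parse_errors": [], "auth": None, "added": 0, "ignored": 0, "warnings": []}
    for line in output.splitlines():
        if m := PARSE_ERR.match(line):
            report["parse_errors"].append((m["file"], int(m["line"]), m["msg"]))
        elif m := AUTH_OK.match(line):
            report["auth"] = m["method"].lower()
        elif m := ENGINE.match(line):
            report["added"], report["ignored"] = int(m[1]), int(m[2])
    if report["auth"] is None:
        report["warnings"].append("no authentication line: check the manager address and listen IP")
    elif report["auth"] == "plaintext" and manager_addr not in LOCAL:
        report["warnings"].append("plaintext authentication to a remote manager; register the sensor over SSL")
    if report["ignored"]:
        report["warnings"].append(f"{report['ignored']} signature(s) ignored; see the parse errors above")
    return report
```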
There are several init scripts that control the different parts of Prelude, so we will want to start those up now.
First, we will start up the manager.

# /etc/init.d/prelude-manager start

Next, it is time to start the NIDS.

# /etc/init.d/prelude-nids start

And finally, we will start up the LML.

# /etc/init.d/prelude-lml start
Most likely, you are going to want Prelude and its components to start up when you boot up the computer. In order to achieve this, we will add the necessary components to the default runlevel.
# rc-update add prelude-manager default
# rc-update add prelude-nids default
# rc-update add prelude-lml default
The first thing we will do to get PIWI working is emerge it.
# emerge piwi
We will now follow the instructions that the emerge process gives us.
The best place for this line is probably at the end of the file.

Include /etc/piwi/piwi-apache.conf
Now we will tell Apache to load the PIWI specific configuration directives. If we were to skip this step, when you go to the location of your website with the PIWI files, the Perl scripts will likely just show up as plain text.
APACHE_OPTS="-D PIWI"
Next, we need to edit the PIWI configuration file to match our MySQL database settings that we used for Prelude.
Edit the next two lines to suit your setup.

$conf{'dblogin'}='prelude';
$conf{'dbpasswd'}='dbpass';
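PIWI's dblogin and dbpasswd have to match the dbuser and dbpass in the [MySQL] block that the database script printed earlier, so here is an added Python check (not part of the guide, Prelude or PIWI) that parses both formats and flags mismatches and leftover placeholders: the script's xxxxxx and PIWI's shipped dbpass. The sample configs are constructed inline, and parse_prelude_conf, parse_piwi_conf and check_db_settings are names of my own.

```python
import re

# Constructed sample of the [MySQL] block that prelude-manager-db-create.sh
# prints (same layout as the guide's "cut here" block) and of the two PIWI
# lines the guide edits. Both are inline test data, not files from a real box.
MANAGER_CONF = """\
[MySQL]
# Host the database is listening on.
dbhost = localhost;
dbuser = prelude;
dbpass = xxxxxx;
"""
PIWI_CONF = """\
$conf{'dblogin'}='prelude';
$conf{'dbpasswd'}='dbpass';
"""

def parse_prelude_conf(text):
    """Parse 'key = value;' lines grouped under [Section] headers; '#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip().rstrip(";").strip()
    return sections

def parse_piwi_conf(text):
    """Pick out $conf{'name'}='value'; assignments from PIWI's Perl-style config."""
    return dict(re.findall(r"\$conf\{'(\w+)'\}\s*=\s*'([^']*)';", text))

def check_db_settings(manager_text, piwi_text):
    """Return the list of problems found; an empty list means the two configs agree."""
    mysql = parse_prelude_conf(manager_text).get("MySQL", {})
    piwi = parse_piwi_conf(piwi_text)
    problems = []
    if mysql.get("dbpass") in (None, "", "xxxxxx"):
        problems.append("dbpass in prelude-manager.conf is still the install script's placeholder")
    if piwi.get("dbpasswd") in (None, "", "dbpass"):
        problems.append("dbpasswd in the PIWI config is still the shipped placeholder")
    if mysql.get("dbuser") != piwi.get("dblogin"):
        problems.append("dbuser (manager) and dblogin (PIWI) differ")
    if mysql.get("dbpass") != piwi.get("dbpasswd"):
        problems.append("dbpass (manager) and dbpasswd (PIWI) differ")
    return problems
```

Run it against your real prelude-manager.conf and piwi.conf contents before starting Apache; an empty list means PIWI will log in with the same account the manager uses.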
All that is left to do is start up Apache and check to make sure that the PIWI scripts are being processed correctly.
# /etc/init.d/apache start
Now point your browser to