Thursday, October 4, 2012

Simple steps to set up your own Prelude IDS

Here are some simple steps to set up your own Prelude IDS. Prelude is a universal "Security
Information and Event Management" (SIEM) system: it collects, archives, normalizes, sorts,
aggregates, correlates and reports security-related events regardless of the brand or license of
the product that produced them.

The steps below build the layout shown in the figure: a prelude-manager host running prelude-correlator and the Prewikka web console, prelude-lml and Snort sensors reporting to it, and the manager optionally relaying its events on to a parent manager.

Prerequisites:      Ubuntu Server 12.04
                             One sensor to feed it events (my fav is Snort; prelude-lml is used below for log files)


apt-get update
apt-get upgrade
apt-get install ntpdate            (keep the clocks of manager and sensors in sync; event ordering and the TLS sessions both depend on it)
apt-get install dbconfig-common    (lets the prelude-manager and prewikka packages create their MySQL databases at install time)
apt-get install rng-tools          (edit /etc/default/rng-tools and set HRNGDEVICE=/dev/urandom)
apt-get install mysql-server

Caveat on the rng-tools step: pointing rngd at /dev/urandom only lets it start on a machine with no hardware RNG. It feeds the kernel's own output back into the entropy pool and adds no real entropy, so the TLS keys generated during sensor registration are no stronger for it. On a VM prefer virtio-rng, and on real hardware a proper HRNG, which rngd picks up with the default HRNGDEVICE.


apt-get install prelude-manager    (in /etc/default/prelude-manager set run=yes)
Edit /etc/prelude-manager/prelude-manager.conf: set "listen" to the address the sensors will connect to (port 4690 by default; the registration server uses 5553) and, if this manager forwards to another one, the relaying settings described further down.
On every host that talks to this manager, set server-addr in /etc/prelude/default/client.conf to the manager's address; the sensors on that host inherit it.


apt-get install prelude-correlator
Registration of prelude-correlator. Start the registration server on the manager first: it prints a one-shot password that the register command on the client then asks for.
On the manager:   prelude-admin registration-server prelude-manager
On the client:    prelude-admin register prelude-correlator "idmef:rw" <manager address> --uid 0 --gid 0
The correlator reads the alert stream from the manager and writes correlation alerts back, so its profile needs both idmef:r and idmef:w. --uid and --gid are the numeric ids of the account the daemon runs as (take them from /etc/passwd); the profile created under /etc/prelude/profile/ is owned by them so that the daemon can read its own key.


apt-get install apache2
apt-get install prewikka
Create /etc/apache2/sites-available/prewikka with the following (Apache 2.2 syntax, which is what Ubuntu 12.04 ships):
<VirtualHost *:80>
        SetEnv PREWIKKA_CONFIG "/etc/prewikka/prewikka.conf"

        <Location "/">
                AllowOverride None
                Options ExecCGI
                <IfModule mod_mime.c>
                        AddHandler cgi-script .cgi
                </IfModule>
                Order allow,deny
                Allow from all
        </Location>

        Alias /prewikka/ /usr/share/prewikka/htdocs/
        ScriptAlias / /usr/share/prewikka/cgi-bin/prewikka.cgi
</VirtualHost>

Point /etc/prewikka/prewikka.conf at the database the package was installed with. /usr/bin/prewikka-httpd (port 8000 by default) is Prewikka's own standalone server; it is not needed when Apache serves the console, and the two cannot both bind port 80. Only if you use it instead of Apache should you change its port.
a2dissite default          (the stock site also claims *:80 and would shadow Prewikka's "/")
a2ensite prewikka
/etc/init.d/apache2 reload
prewikka.conf holds the database password, so it must not be world-readable, let alone world-writable; give it to root and the web server's group only:
chown root:www-data /etc/prewikka/prewikka.conf
chmod 640 /etc/prewikka/prewikka.conf
Log in and change the password of the default admin account (admin / admin) before anyone else can reach the console, and front it with TLS rather than plain HTTP on port 80.


apt-get install prelude-lml
Registration of prelude-lml (same dance as for the correlator: registration server first, then register):
On the manager:   prelude-admin registration-server prelude-manager
On the sensor:    prelude-admin register prelude-lml "idmef:w admin:r" <manager address> --uid 0 --gid 0
(uid and gid are those of the account prelude-lml runs as; take them from /etc/passwd)
Check that it works by running prelude-lml; it should connect to the manager without errors.


To forward everything this manager receives to a parent manager (x.x.x.x), edit /etc/prelude-manager/prelude-manager.conf:
[relaying]                (uncomment this section header)
parent-managers = x.x.x.x
For a one-off run the same can be given on the command line: prelude-manager --relaying --parent-managers "x.x.x.x"
The relaying manager connects to its parent like any other sensor, so it has to be registered there first, using its own prelude-manager profile:
On the parent:    prelude-admin registration-server prelude-manager
On the child:     prelude-admin register prelude-manager "idmef:w" <parent address> --uid <uid> --gid <gid>   (ids of the account prelude-manager runs as)

Snort Installation

On the snort-test machine:
apt-get install gcc
apt-get install g++
(gcc, g++ and the development packages for libgpg-error, libgcrypt, gnutls and pcre are only needed if you build Snort from source; the Ubuntu package already links against libprelude)
apt-get install libprelude-dev
apt-get install libpreludedb-dev
apt-get install prelude-lml    (register it as described above, so this host's own logs reach the manager too)
apt-get install snort
apt-get install snort-mysql
apt-get install snort-rules-default
apt-get install snort-common-libraries
Go to /etc/snort/snort.conf and edit the following:
Scroll down to the section with "# output alert_prelude: profile=snort", remove the "#" in
front of this line, and that's it. The profile name given there must match the name used at registration below. (A Snort built from source only has this output plugin if it was configured with --enable-prelude.)

Registration, registration server first as before. On Ubuntu 12.04 the tool is prelude-admin; prelude-adduser is the same command in older libprelude releases.
On the prelude-manager:   prelude-admin registration-server prelude-manager
On the snort agent:       prelude-admin register snort "idmef:w" <manager address> --uid snort --gid snort
(snort and snort are the user and group the Ubuntu snort package runs as, so the profile is readable by the daemon)
snort -c /etc/snort/snort.conf
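The three configuration edits this guide makes by hand (uncommenting [relaying] and setting parent-managers in prelude-manager.conf, uncommenting Snort's alert_prelude output line, and fixing the permissions on prewikka.conf) as one idempotent, self-checking script. This is an added example, not code from the original post or from the Prelude project. The line layouts it looks for, the www-data group and the use of GNU stat are assumptions about the stock Ubuntu 12.04 packages, and the demo runs on constructed sample files rather than the live ones; pass the real paths to the functions on a live box.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Prelude project:
# the three config edits the guide asks for, done idempotently and verified.
# Runs on constructed copies of the files so it can be tried without a Prelude
# install; on a real box pass the live paths
# (/etc/prelude-manager/prelude-manager.conf, /etc/snort/snort.conf,
# /etc/prewikka/prewikka.conf). The line layouts expected ("# [relaying]",
# "# parent-managers = ...", "# output alert_prelude: profile=snort") are
# assumptions about the stock Ubuntu 12.04 packages as the guide describes them.
set -u

# Rewrite file $1 through the sed expressions that follow, without GNU "sed -i".
sed_in_place() {
    f=$1; shift
    sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Uncomment "[relaying]" and set "parent-managers = <ip>" in prelude-manager.conf.
# A second run rewrites the same value, so there is never a duplicate line.
enable_relaying() {
    conf=$1; parent=$2
    sed_in_place "$conf" \
        -e 's/^#[[:space:]]*\[relaying\]/[relaying]/' \
        -e "s/^#\{0,1\}[[:space:]]*parent-managers[[:space:]]*=.*/parent-managers = $parent/" || return 1
    grep -q '^\[relaying\]$' "$conf" && grep -q "^parent-managers = $parent\$" "$conf"
}

# Uncomment Snort's Prelude output plugin line in snort.conf.
enable_snort_prelude() {
    conf=$1
    sed_in_place "$conf" -e 's/^#[[:space:]]*output alert_prelude:/output alert_prelude:/' || return 1
    grep -q '^output alert_prelude: profile=snort' "$conf"
}

# 0 when "other" has no bits and the group cannot write: the shape a file
# holding a database password should have. Uses GNU stat -c (Ubuntu).
secret_perms_ok() {
    mode=$(stat -c %a "$1") || return 1
    other=$(( mode % 10 ))
    grp=$(( (mode / 10) % 10 ))
    [ "$other" -eq 0 ] && [ $(( grp & 2 )) -eq 0 ]
}

# prewikka.conf: owned by root, readable by the web server's group only (0640).
# chown needs root; run unprivileged it is skipped and only the mode is fixed.
lock_down_prewikka_conf() {
    conf=$1; webgroup=$2
    chown "root:$webgroup" "$conf" 2>/dev/null || true
    chmod 640 "$conf" || return 1
    secret_perms_ok "$conf"
}

# Demo on constructed sample files (not the real package configs).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# [relaying]' '# parent-managers = 192.168.0.1' > "$d/prelude-manager.conf"
    printf '%s\n' '# output alert_prelude: profile=snort' > "$d/snort.conf"
    printf '%s\n' '[idmef_database]' 'pass = secret' > "$d/prewikka.conf"
    chmod 766 "$d/prewikka.conf"                      # the world-writable mistake to undo
    enable_relaying "$d/prelude-manager.conf" 10.0.0.1 || return 1
    enable_snort_prelude "$d/snort.conf" || return 1
    lock_down_prewikka_conf "$d/prewikka.conf" www-data || return 1
    cat "$d/prelude-manager.conf" "$d/snort.conf"
    ls -l "$d/prewikka.conf"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see the rewritten sample files; each function returns non-zero when the edit did not take, so they can be chained with && in a provisioning script.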

With this, your Prelude setup should be up and running in no time. Cheers!
