%% LyX 1.4.2 created this file. For more info, see http://www.lyx.org/.
%% Do not edit unless you really know what you are doing.
\section{Requirements}
\subsection{Installation Requirements}
Here we will cover the various packages needed to get Prelude installed and working on your {*}nix system. Each dependency page explains where to get the package and how to install it, along with other means of installation using yum, apt-get, ports, etc.
\subsubsection{GnuTLS}
\subsubsection*{Installing from Source}
\paragraph*{Download Packages}
\begin{itemize}
\item libgpg-error
\item libgcrypt
\item gnutls
\end{itemize}
You will want to install the above packages in the same order to prevent dependency issues when configuring.
\paragraph*{Installing}
First expand the package:
\begin{lyxcode}
tar~-xvzf~libgpg-error-1.0.tar.gz
\end{lyxcode}
Then:
\begin{lyxcode}
cd~libgpg-error-1.0
\end{lyxcode}
Now configure, make, and install:
\begin{lyxcode}
./configure~\&\&~make~\&\&~make~install
\end{lyxcode}
Now follow the above steps with the other two package names.
\subsubsection*{Other Installation Means}
Yum users:
\begin{lyxcode}
yum~install~gnutls~gnutls-devel
\end{lyxcode}
Apt-Get users (on some distros the development package is called gnutls-dev):
\begin{lyxcode}
apt-get~install~gnutls~gnutls-devel
\end{lyxcode}
(Please note that many apt-get archives carry a version of gnutls older than the one required by Prelude.)
Ports users: depending on your OS the same issue may apply as for Apt-Get users. The version in your ports tree may be too old to fit the requirements of Prelude. It is best to just install gnutls from source if at all possible.
\subsubsection*{Troubleshooting}
\begin{itemize}
\item You have an error when making libgpg-error on a NetBSD 2.0 machine with the default awk.
\end{itemize}
\begin{lyxcode}
>~make~{[}...]~gcc~-E~\_mkerrcodes.h~|~grep~GPG\_ERR\_~|~awk~-f~./mkerrcodes.awk~>mkerrcodes.h
\_mkerrcodes.h:57:8:~no~macro~name~given~in~\#ifdef~directive
\_mkerrcodes.h:60:8:~no~macro~name~given~in~\#ifdef~directive
{[}...]
In~file~included~from~mkerrcodes.c:26:
mkerrcodes.h:3:~error:~parse~error~before~'\}'~token
{[}...]
\end{lyxcode}
To remedy this issue, install gawk (http://ftp.gnu.org/gnu/gawk/) and run again:
\begin{lyxcode}
./configure~\&\&~make~\&\&~make~install
\end{lyxcode}
\begin{itemize}
\item It is known that gnutls-1.2.4, when configured on an OpenBSD 3.6 machine, errors out while trying to configure OpenPGP support.
\end{itemize}
To remedy this issue run configure with the additional option:
\begin{lyxcode}
./configure~-{}-disable-openpgp-authentication
\end{lyxcode}
\begin{itemize}
\item You have an error saying that the libgnutls version is too old: you should install the new library (http://www.gnupg.org).
\item You have an error after installing gnutls saying that the version from the config file is 1.0.xx but the library used is 1.0.yy:
\end{itemize}
This is a library link mistake. As root, try:
\begin{lyxcode}
>~updatedb
>~locate~libgnutls.so.1.0.yy
\end{lyxcode}
This will show you where the file is, for example ''/usr/local/lib''. Then run:
\begin{lyxcode}
>~ldconfig~/usr/local/lib
\end{lyxcode}
and retry ./configure for libprelude.
\subsubsection{Python}
\paragraph*{Download Package}
\begin{itemize}
\item Python
\end{itemize}
\paragraph*{Installing}
First expand the package:
\begin{lyxcode}
\#~tar~-xvf~python.version.tar.bz2
\end{lyxcode}
Then, go into the directory you just extracted the files in (within a terminal, and of course, as root) and type the command (you should read the README file first, since it might contain switches that are environment-critical):
\begin{lyxcode}
\#~./configure
\end{lyxcode}
As the lines stop scrolling at incredible speed to let you enter yet another command, type in (it's a bit long this time):
\begin{lyxcode}
\#~make
\end{lyxcode}
and to install Python in /usr/local enter this:
\begin{lyxcode}
\#~make~install
\end{lyxcode}
Python is installed!!!
\subsubsection{PCRE}
Under CentOS (and others that support this command), just do a
\begin{lyxcode}
\#~yum~install~pcre
\end{lyxcode}
and it will install it by itself (for other distributions I don't know how, though). You can download it from http://www.pcre.org/.
For FreeBSD or OpenBSD:
\begin{lyxcode}
\#~cd~/usr/ports/devel/pcre~\&\&~make~install
\end{lyxcode}
For RedHat ES 3 and 4:
\begin{lyxcode}
\#~up2date~pcre;~up2date~pcre-devel
\end{lyxcode}
\subsubsection{MySQL}
Start by adding a user and creating the folders:
\begin{lyxcode}
>~groupadd~mysql
>~useradd~-g~mysql~mysql
>~cd~/usr/local
>~mkdir~mysql
>~chown~mysql~mysql/
>~chgrp~mysql~mysql/
>~su~-~mysql
>~cd~/usr/local/mysql
>~mkdir~data~tmp~var
\end{lyxcode}
Then:
\begin{lyxcode}
>~tar~-zxvf~mysql-4.1.11.tar.gz
>~mv~mysql-4.1.11~source
>~cd~source
>~./configure~-{}-localstatedir=/usr/local/mysql/data~-{}-with-unix-socket-path=/usr/local/mysql/tmp/mysql.sock
\end{lyxcode}
Compilation:
\begin{lyxcode}
>~make
>~make~test~(optional)
>~make~install
\end{lyxcode}
Change the folder rights (just to be sure):
\begin{lyxcode}
>~chown~-R~mysql~/usr/local/mysql
>~chgrp~-R~mysql~/usr/local/mysql
>~chmod~700~/usr/local/mysql/data
>~chmod~700~/usr/local/mysql/var
>~chmod~755~/usr/local/mysql/tmp
\end{lyxcode}
Launch the mysql init script:
\begin{lyxcode}
>~scripts/mysql\_install\_db
>~chown~-R~mysql.mysql~/usr/local/mysql
\end{lyxcode}
Check if everything is all right:
\begin{lyxcode}
>~/usr/local/mysql/bin/mysqld\_safe~-{}-user=mysql~\&
>~/usr/local/mysql/bin/mysqladmin~-u~root~password~~
>~/usr/local/mysql/bin/mysqladmin~-p~status
>~/usr/local/mysql/bin/mysqladmin~-p~shutdown
\end{lyxcode}
\paragraph*{In order to launch mysql automatically there are various methods:}
In the directory where MySQL is uncompressed:
\begin{lyxcode}
cp~support-files/mysql.server~/usr/local/sbin
\end{lyxcode}
Then modify
/etc/rc.d/rc.local and add:
\begin{lyxcode}
/usr/local/sbin/mysql.server~start
\end{lyxcode}
and make the script executable:
\begin{lyxcode}
chmod~744~/usr/local/sbin/mysql.server
\end{lyxcode}
Install help in French can be found at http://www.interpc.fr/mapage/billaud/apmysphp.htm
\subsubsection{PostgreSQL}
Required packages:
\begin{itemize}
\item Postgresql
\item Postgresql-dev
\end{itemize}
\section{Installation}
\subsection{Installing the Prelude framework}
Prelude IDS can be downloaded from the official website: http://www.prelude-ids.org.
\subsubsection{Installing the Prelude Library}
This section explains how to install the Prelude library libprelude from the tarball available from the Prelude website. However, libprelude might be included with your distribution as a package, in which case it is easier to install it that way.
\paragraph*{Resolve Dependencies}
Ensure that you have GnuTLS installed. In Fedora Core, the gnutls package is crippled, so Fedora Core users will need to download and build gnutls from source. Instructions on installing gnutls can be found at https://trac.prelude-ids.org/wiki/GnuTLSInstall
Please be more specific: How is it crippled, in what versions, how will I know when their package is fixed?
\paragraph*{Get the sources}
Download the Prelude library at http://www.prelude-ids.org/download/releases/libprelude-latest.tar.gz
\paragraph*{Compile}
In order to compile libprelude, follow these instructions:
\begin{lyxcode}
as~a~user:
~~\$~./configure
\end{lyxcode}
Note that the output should look like:
\begin{lyxcode}
{*}{*}{*}~Dumping~configuration~{*}{*}{*}
~~-~Generate~documentation~:~yes
~~-~Perl~binding~:~yes
~~-~Python~binding~:~yes
\end{lyxcode}
In order to generate documentation, you need to use the -{}-enable-gtk-doc command line switch. If no language bindings are activated, you will be unable to run sensors written in that language. Note that Prewikka requires the Python bindings to be installed.
\begin{lyxcode}
\$~make
\end{lyxcode}
\paragraph*{Install}
\begin{lyxcode}
as~root:
~~\#~make~install
~~\#~ldconfig
\end{lyxcode}
Now you have successfully installed libprelude. You can check the installed version by executing:
\begin{lyxcode}
\$~libprelude-config~-{}-version
0.9.3
\end{lyxcode}
\subsubsection{Installing the Prelude DB Library}
This section explains how to install libpreludedb from the tarball available from the main website. However, libpreludedb might be included with your distribution as a package, in which case it is easier to install it that way.
\paragraph*{Get the sources}
Download the file http://prelude-ids.org/download/releases/libpreludedb-latest.tar.gz
\paragraph*{Compile}
Then, compile and install the library using the following:
\begin{lyxcode}
as~a~user:
~~\$~./configure
\end{lyxcode}
Note that the output should look like:
\begin{lyxcode}
{*}{*}{*}~Dumping~configuration~{*}{*}{*}
~~-~Generate~documentation~:~yes
~~-~Enable~MySQL~plugin~:~yes
~~-~Enable~PostgreSQL~plugin~:~no
~~-~Perl~binding~:~yes
~~-~Python~binding~:~yes
\end{lyxcode}
In this example only the MySQL plugin was selected, because the mysql-devel package is installed on the system while the PostgreSQL development files are not. If neither the MySQL nor the PostgreSQL plugin is selected, you will not be able to use a frontend such as Prewikka. Note that Prewikka requires the Python bindings to be installed.
\begin{lyxcode}
\$~make
\end{lyxcode}
\paragraph*{Install}
\begin{lyxcode}
as~root:
~~\#~make~install
~~\#~ldconfig
\end{lyxcode}
Now you have successfully installed libpreludedb. You can check the installed version by executing:
\begin{lyxcode}
\$~libpreludedb-config~-{}-version
0.9.0
\end{lyxcode}
\paragraph*{Create Database}
Once you have installed libpreludedb, the next step is to create a database that will be used by prelude-manager to store the IDMEF alerts gathered from your sensors.
Two databases are currently supported by libpreludedb: MySQL and PostgreSQL.
\paragraph*{MySQL}
\subparagraph*{Database creation}
Connect to your database server using the mysql client like this:
\begin{lyxcode}
\$~mysql~-u~root~-p
Enter~password:
\end{lyxcode}
where \char`\"{}root\char`\"{} is the name of the database administrator (this is the default account on mysql) and -p will prompt you for a password (by default the root account has no password on mysql and is only accessible from localhost). Then, if everything is ok, you should see something like this:
\begin{lyxcode}
Welcome~to~the~MySQL~monitor.~Commands~end~with~;~or~\textbackslash{}g.
Your~MySQL~connection~id~is~303~to~server~version:~4.0.22-log
Type~'help;'~or~'\textbackslash{}h'~for~help.
Type~'\textbackslash{}c'~to~clear~the~buffer.
mysql>
\end{lyxcode}
To create a new database named 'prelude' (for example):
\begin{lyxcode}
mysql>~CREATE~database~prelude;
Query~OK,~1~row~affected~(0.05~sec)
\end{lyxcode}
\subparagraph*{Create a dedicated user to access the database (optional)}
You might want to access your database through a dedicated user (if you don't already have one). If you want to create a new user called 'prelude' with the password 'passwd' that will have full access to a database called 'prelude', but only from localhost, use the following query:
\begin{lyxcode}
GRANT~ALL~PRIVILEGES~ON~prelude.{*}~TO~prelude@'localhost'~IDENTIFIED~BY~'passwd';
\end{lyxcode}
\subparagraph*{Tables creation}
The final step (supposing you have libpreludedb installed in /usr/local):
\begin{lyxcode}
\$~mysql~-u~prelude~prelude~-p~<~/usr/local/share/libpreludedb/classic/mysql.sql
Enter~password:
\end{lyxcode}
Enter your password, and the tables will be created.
For more details about MySQL databases/tables/users creation, please refer to http://dev.mysql.com/doc/mysql/en/tutorial.html
\subparagraph*{Updating tables}
If you have already created your tables and a new libpreludedb version comes with an updated schema, you must update your schema this way, supposing that your current schema version is 14 and the new one is 14.1:
\begin{lyxcode}
\$~mysql~-u~prelude~prelude~-p~<~/usr/share/libpreludedb/classic/mysql-update-14-1.sql
Enter~password:
\end{lyxcode}
\paragraph*{PostgreSQL}
\subparagraph*{Database creation}
Connect to your database server using the psql client like this:
\begin{lyxcode}
\$~PGPASSWORD=your\_password~psql~-U~postgres
\end{lyxcode}
where \char`\"{}postgres\char`\"{} is the name of the database administrator (this is the default account on postgresql) and the PGPASSWORD environment variable is set to the correct password. Then, if everything is ok, you should see something like this:
\begin{lyxcode}
Welcome~to~psql~7.3.4,~the~PostgreSQL~interactive~terminal.
Type:~\textbackslash{}copyright~for~distribution~terms
~~~~~~\textbackslash{}h~for~help~with~SQL~commands
~~~~~~\textbackslash{}?~for~help~on~internal~slash~commands
~~~~~~\textbackslash{}g~or~terminate~with~semicolon~to~execute~query
~~~~~~\textbackslash{}q~to~quit
postgres=\#
\end{lyxcode}
To create a new database named 'prelude' (for example):
\begin{lyxcode}
postgres=\#~CREATE~database~prelude;
CREATE~DATABASE
\end{lyxcode}
\subparagraph*{Create a dedicated user to access the database (optional)}
You might want to access your database through a dedicated user (if you don't already have one).
If you want to create a new user called 'prelude' with the password 'prelude' that will have full access to a database called 'prelude', use the following query:
\begin{lyxcode}
CREATE~USER~prelude~WITH~ENCRYPTED~PASSWORD~'prelude'~NOCREATEDB~NOCREATEUSER;
\end{lyxcode}
\subparagraph*{Tables creation}
The final step (supposing you have libpreludedb installed in /usr):
\begin{lyxcode}
\$~psql~-U~prelude~-d~prelude~-W~-f~/usr/share/libpreludedb/classic/pgsql.sql
\end{lyxcode}
For more details about PostgreSQL databases/tables/users creation, please refer to http://www.postgresql.org/docs/8.0/interactive/index.html
\subparagraph*{Updating tables}
If you have already created your tables and a new libpreludedb version comes with an updated schema, you must update your schema this way, supposing that your current schema version is 14 and the new one is 14.1:
\begin{lyxcode}
\$~PGPASSWORD=prelude~psql~-U~prelude~-d~prelude~<~/usr/share/libpreludedb/classic/pgsql-update-14-1.sql
Enter~password:
\end{lyxcode}
\paragraph*{SQLite3}
SQLite is a very good choice if you don't expect to store lots of data. It is a convenient format that doesn't imply database user/password access, since it is a simple file on your system. You have to make sure that no unprivileged users have read access to this file.
\subparagraph*{Database and tables creation}
Once you have installed libpreludedb, simply run the following. As root:
\begin{lyxcode}
\#~mkdir~/usr/local/etc/prelude-db
\#~chown~-R~prelude:prelude~/usr/local/etc/prelude-db
\#~su~prelude
\end{lyxcode}
if /usr/local/ is your installation prefix.
Then, as prelude:
\begin{lyxcode}
\$~chmod~700~/usr/local/etc/prelude-db
\$~sqlite3~/usr/local/etc/prelude-db/prelude-sqlite-IDMEF-classic.sql~<~/usr/local/share/libpreludedb/classic/sqlite.sql
\end{lyxcode}
\subparagraph*{Access to database configuration}
Then, in your prelude-manager configuration file, access to the sqlite3 database should be configured like this:
\begin{lyxcode}
{[}db]
type~=~sqlite3
file~=~/usr/local/etc/prelude-db/prelude-sqlite-IDMEF-classic.sql
\end{lyxcode}
\subsubsection{Installing the Prelude Manager}
This section explains how to install prelude-manager from the tarball available from the main website. However, prelude-manager might be included with your distribution as a package, in which case it is easier to install it that way.
\paragraph*{Get the sources}
Download the file http://www.prelude-ids.org/download/releases/prelude-manager-latest.tar.gz
\paragraph*{Optional Dependencies}
\begin{itemize}
\item The database plugin requires libpreludedb.
\item The XML plugin requires libxml2.
\end{itemize}
\paragraph*{Compile}
Then, compile and install prelude-manager using the following, as a user:
\begin{lyxcode}
\$~./configure
\end{lyxcode}
Note that the output should look like:
\begin{lyxcode}
{*}{*}{*}~Dumping~configuration~{*}{*}{*}
~~-~Enable~Xml~plugin~:~yes
~~-~Enable~database~support:~yes
\end{lyxcode}
Then build it:
\begin{lyxcode}
\$~make
\end{lyxcode}
\paragraph*{Install}
As root:
\begin{lyxcode}
\#~make~install
\end{lyxcode}
\paragraph*{Create the Prelude-Manager database}
If you want to use database reporting, then you must set up the database. Install and set up libpreludedb as indicated in the Installing the Prelude DB Library section above. Then, edit the Prelude Manager configuration file (usually located in /etc/prelude-manager/prelude-manager.conf; FreeBSD users will find it under /usr/local/etc/prelude-manager/prelude-manager.conf-dist and have to delete the trailing -dist) to match your previously set up database.
I.e., look for the {[}db] section and provide the name and location of the SQL database there. You should now be able to run the manager with
\begin{lyxcode}
\#~prelude-manager
\end{lyxcode}
\subsubsection{OS Specific Install Notes}
...
\subsection{Installing Sensors}
\subsubsection{Prelude-LML - the Prelude log analyzer}
This section explains how to install PreludeLML from the tarball available from the main website. However, PreludeLML might be included with your distribution as a package, in which case it is easier to install it that way.
\paragraph*{Get the sources}
Download the file http://www.prelude-ids.org/download/releases/prelude-lml-latest.tar.gz
Then, compile and install PreludeLML using the following:
\begin{lyxcode}
\$~./configure
\end{lyxcode}
The output of configure should be something like:
\begin{lyxcode}
{*}{*}{*}~Dumping~configuration~{*}{*}{*}
~~-~Enable~FAM~support~:~yes
~~-~Generate~documentation~:~no
\end{lyxcode}
FAM is a file change notification daemon. Without FAM support, PreludeLML will poll the monitored files regularly.
\begin{lyxcode}
\$~make
\#~make~install
\end{lyxcode}
\paragraph*{Register the sensor}
\begin{lyxcode}
\#~prelude-admin~register~prelude-lml~\char`\"{}idmef:w~admin:r\char`\"{}
\end{lyxcode}
For more details, please follow the instructions given in the Registering a sensor section.
\paragraph*{Test your installation}
An easy way to try your installation is to simulate a malicious activity matching a detection ruleset. Look into the file /usr/local/etc/prelude-lml/prelude-lml.conf to see which rulesets are loaded. You can add rulesets here from the directory /usr/local/etc/prelude-lml/ruleset.
Here, we will try the ssh ruleset, especially the following signature (this is an excerpt from the file ssh.rules):
\begin{lyxcode}
regex=Failed~(\textbackslash{}S+)~for~root~from~(.+)~port~(\textbackslash{}d+)\textbackslash{}s{*}(ssh2)?;~\textbackslash{}
classification.text=SSH~Remote~root~login~failed;~\textbackslash{}
{[}rest~of~the~rule~removed~for~readability]
\end{lyxcode}
You can see here one of the patterns that PreludeLML will try to match against the received log entry. This specific entry is usually generated by ssh in case of a root login failure. You have to add the line
\begin{lyxcode}
file~=~/var/log/auth.log
\end{lyxcode}
to /usr/local/etc/prelude-lml/prelude-lml.conf, so that PreludeLML knows which file it should monitor in order to capture the failed login. Run PreludeLML in a root shell with the command
\begin{lyxcode}
\#~prelude-lml
\end{lyxcode}
and also run an instance of prelude-manager in another root shell. Set prelude-manager to text output if you want to check the result in /var/log/prelude.log. Running PreludeLML and prelude-manager should give confirmation messages that the communication between the two is set up correctly. Let's try it:
\begin{lyxcode}
\$~ssh~root@\textless{}prelude-lml~sensor~address\textgreater{}
Password:~{[}type~whatever~is~not~the~appropriate~password~for~the~root~user]
\end{lyxcode}
Of course, replace \textless{}prelude-lml sensor address\textgreater{} with the address of the machine the sensor is installed on. For instance, if you have installed the sensor on your local machine this would be
\begin{lyxcode}
\$~ssh~root@localhost
\end{lyxcode}
The alert should be reported to the PreludeManager collector, and should be readily available from the Prelude frontend.
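As an added illustration (not part of the original guide or of the Prelude code), the following Python script applies the ssh.rules regex quoted above to a few constructed auth.log lines and builds the handful of IDMEF-style fields that prelude-manager's text output reports for this rule. The sample log lines, hostname, PIDs and addresses are made up for the example; only the regex and the classification text come from the ruleset excerpt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern copied from the ssh.rules excerpt quoted above. prelude-lml uses
# PCRE, but nothing in this pattern is PCRE-specific, so Python's re module
# produces the same captures.
SSH_ROOT_FAILED = re.compile(r"Failed (\S+) for root from (.+) port (\d+)\s*(ssh2)?")
CLASSIFICATION = "SSH Remote root login failed"

# Classic syslog prefix, e.g. "Mar  7 16:54:04 HOSTNAME sshd[31095]: <message>".
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed sample of /var/log/auth.log (hostname, PIDs and addresses are
# invented for this example). Only lines 1, 2 and 5 should fire the rule:
# line 3 is a successful login, line 4 targets a non-root user.
SAMPLE_AUTH_LOG = """\
Mar  7 16:54:04 HOSTNAME sshd[31095]: Failed password for root from 127.0.0.1 port 59166 ssh2
Mar  7 16:54:10 HOSTNAME sshd[31095]: Failed publickey for root from 192.0.2.10 port 40022 ssh2
Mar  7 16:54:12 HOSTNAME sshd[31101]: Accepted password for alice from 192.0.2.11 port 40100 ssh2
Mar  7 16:54:15 HOSTNAME sshd[31104]: Failed password for invalid user bob from 192.0.2.12 port 40101 ssh2
Mar  7 16:54:20 HOSTNAME sshd[31110]: Failed password for root from 198.51.100.7 port 2222
"""


@dataclass
class Alert:
    """The subset of IDMEF fields prelude-manager's text output shows for this rule."""
    classification: str
    target_node: str        # Node: name (syslog hostname)
    target_process: str     # Process: name
    target_pid: Optional[int]
    target_user: str        # always root for this rule
    source_addr: str        # the "from" address in the log line
    source_port: int        # the client's port, not sshd's port 22
    auth_method: str        # Additional data: Authentication method
    original_log: str       # Additional data: Original Log


def match_line(line: str) -> Optional[Alert]:
    """Apply the rule to one log line; return an Alert, or None if it does not match."""
    line = line.rstrip("\n")
    prefix = SYSLOG_PREFIX.match(line)
    if prefix is None:
        return None
    m = SSH_ROOT_FAILED.search(prefix["msg"])
    if m is None:
        return None
    method, addr, port, _ssh2 = m.groups()   # _ssh2 is None when the suffix is absent
    return Alert(
        classification=CLASSIFICATION,
        target_node=prefix["host"],
        target_process=prefix["proc"],
        target_pid=int(prefix["pid"]) if prefix["pid"] else None,
        target_user="root",
        source_addr=addr,
        source_port=int(port),
        auth_method=method,
        original_log=line,
    )


def scan(log_text: str) -> List[Alert]:
    """Run the rule over every line, as prelude-lml does over a monitored file."""
    alerts = []
    for line in log_text.splitlines():
        alert = match_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_AUTH_LOG):
        print(f"{a.classification}: {a.auth_method} from {a.source_addr}:{a.source_port} "
              f"on {a.target_node} (pid {a.target_pid})")
```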
If you have directed your output to a text file like /var/log/prelude.log, and the alert was generated correctly, you will see something like this:
\begin{lyxcode}
{*}{*}{*}~Target~information~{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}
{*}~Target~decoy:~unknown
{*}~Node{[}unknown]:~name:HOSTNAME
{*}~Addr{[}ipv4-addr]:~127.0.1.1
{*}~Service:~iana\_protocol\_number=6~iana\_protocol\_name=tcp~port=22~(ssh)
{*}~Process:~pid=31095~name=sshd
{*}~os-device~user:
{*}~name=root~type=target-user
{*}
{*}{*}{*}~Additional~data~within~the~alert{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}
{*}~Authentication~method:~password
{*}~Log~received~from:~/var/log/auth.log
{*}~Original~Log:~Mar~7~16:54:04~HOSTNAME~sshd{[}31095]:
{*}~Failed~password~for~root~from~127.0.0.1~port~59166~ssh2
{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}{*}
\end{lyxcode}
\subsubsection{3rd Party Sensors}
\begin{itemize}
\item libsafe - middleware that intercepts all calls made to library functions to prevent buffer overflows and format string vulnerabilities from being exploited.
\item Nepenthes - a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities.
\item NuFW - lays on Netfilter, the state of the art IP filtering layer from the Linux kernel. It fully integrates with Netfilter and Iptables and adds authentication capabilities.
\item Samhain - the file integrity checker.
\item Sancp - designed to collect statistical information regarding network traffic, as well as collect the traffic itself in pcap format, all for the purpose of auditing, historical analysis, and network activity discovery.
\item Shadow IDS - the result of a project that was originally called the Cooperative Intrusion Detection Evaluation and Response (CIDER) project. It was an effort of NSWC Dahlgren, NFR, NSA, the SANS community and other interested parties to locate, document, and improve security software.
\item Snort - de facto standard open source intrusion detection system with full Prelude support.
\end{itemize}
\subsection{Registering a sensor}
\emph{As of libprelude 0.9.15, prelude-adduser is deprecated. Please now use prelude-admin, as specified in the documentation.}
In order for a sensor to communicate with a 'prelude-manager', it needs to be registered. Registration involves several steps:
\begin{itemize}
\item Allocating a unique identity for the sensor
\item Creating the directory used by the sensor (for example, for failover purposes)
\item Registering to a remote 'prelude-manager': getting a signed X509 certificate that allows communication between sensor and manager using the specified permissions.
\end{itemize}
All this information is stored in a sensor 'profile'. A sensor profile is identified by its name. When a sensor is started, it will try to load a profile with the same name as the program itself; that is, if your sensor is named \char`\"{}prelude-lml\char`\"{}, the sensor will try to load a profile named \char`\"{}prelude-lml\char`\"{}. The name of the profile can be overridden using the '-{}-prelude -{}-profile name\_of\_my\_profile' command line option. We provide the ability to define the profile name so that you can have several instances of one sensor running with different permissions, which require different profiles. Note that profiles are not specific to sensors, but are used in all programs of the Prelude suite (sensors, managers, etc).
The registration process is driven by a single tool called prelude-admin.
\begin{lyxcode}
\$~prelude-admin~register~\textless{}profile~name\textgreater{}~\textless{}requested~permission\textgreater{}~\textless{}manager~address\textgreater{}~-{}-uid~\textless{}uid\textgreater{}~-{}-gid~\textless{}gid\textgreater{}
\end{lyxcode}
Replace \textless{}profile name\textgreater{} with the name of the sensor you are installing, or with your own defined name if you want more advanced sensor profile control. If you start your sensor without it being registered, it should show you a warning including the default profile name and how to register the sensor. Remember to use the correct uid/gid when registering your sensor. For instance, if you want to register snort (running with the snort euid / egid), use -{}-uid snort -{}-gid snort. If the sensor process cannot read the libprelude information (key, cert...), it won't work.
Replace \textless{}requested permission\textgreater{} with the permission your sensor needs. The following kinds of permission exist:
\begin{itemize}
\item idmef
\item admin
\end{itemize}
Both types can take permission r (read) and w (write). Usually, a sensor will need permission for writing IDMEF to a manager, and for reading administrative commands sent to it. That is: \char`\"{}idmef:w admin:r\char`\"{}.
Replace the \textless{}manager address\textgreater{} argument with the address where the prelude-manager you wish to register to is running; this can be either its IP address or its hostname. Typically, if you made a local installation, you can write localhost there. You need to repeat this step for each manager you want to register the sensor with.
When you are not sure which permission your sensor should get or how it should be registered, just start the sensor, which should then provide you with the prelude-admin options to use for registering it:
\begin{lyxcode}
prelude-client-profile:~error~creating~prelude-client:
Could~not~open~AnalyzerID~file.
Basic~file~configuration~does~not~exist.~Please~run~:
prelude-admin~register~prelude-lml~\char`\"{}idmef:w~admin:r\char`\"{}~-{}-uid~1000~-{}-gid~100~program~to~setup~the~analyzer.
Be~aware~that~you~should~replace~the~\char`\"{}\char`\"{}~argument~with
the~server~address~this~analyzer~is~reporting~to~as~argument.
\char`\"{}prelude-admin\char`\"{}~should~be~called~for~each~configured~server~address.
\end{lyxcode}
The default is to create the sensor profile using the UID and GID of the user who launched the prelude-admin command. If you want the profile to be run under another set of permissions, use the -{}-uid and -{}-gid options.
Here is an example of registering 'prelude-lml' to a prelude-manager running on the same machine:
\begin{lyxcode}
\$~prelude-admin~register~prelude-lml~\char`\"{}idmef:w~admin:r\char`\"{}~localhost
\end{lyxcode}
prelude-admin will ask you to start another instance of 'prelude-admin' on the machine where the prelude-manager server is listening (localhost in this example).
\begin{lyxcode}
You~now~need~to~start~\char`\"{}prelude-admin\char`\"{}~on~the~server~host~where~you~need~to~register~to:
use:~\char`\"{}prelude-admin~registration-server~\char`\"{}~example:
\char`\"{}prelude-admin~registration-server~prelude-manager\char`\"{}
This~is~used~in~order~to~register~the~'sending'~analyzer~to~the~'receiving'~analyzer.
~should~be~set~to~the~profile~name~of~the~'receiving'~analyzer,~the~one~where~'sending'~analyzer~will~register~to.
Please~remember~that~\char`\"{}prelude-admin\char`\"{}~should~be~used~to~register~every~server~used~by~this~analyzer.
\end{lyxcode}
Now start prelude-admin using the registration-server command, and the profile name used by the 'prelude-manager':
\begin{lyxcode}
\$~prelude-admin~registration-server~prelude-manager
\end{lyxcode}
This will display the output:
\begin{lyxcode}
-~Starting~registration~server.
~~-~generated~one-shot~password~is~\char`\"{}deadbeaf\char`\"{}.
~~~~This~password~will~be~requested~by~\char`\"{}prelude-admin\char`\"{}~in~order~to
~~~~connect.~Please~remove~the~first~and~last~quote~from~this~password
~~~~before~using~it.
~~-~Waiting~for~install~request~from~peer...
\end{lyxcode}
As you can see, the generated password is \char`\"{}deadbeaf\char`\"{}. That is what you need to type in the prelude-admin session on the prelude-lml side. There, you will see:
\begin{lyxcode}
-~Enter~registration~one~shot~password:~{[}you~don't~see~this,~but~deadbeaf~is~typed]
-~Please~confirm~one~shot~password:~{[}you~don't~see~this,~but~deadbeaf~is~typed]
-~connecting~to~registration~server~(localhost:5553)...
-~Sending~certificate~request.
-~Receiving~CA~signed~certificate.
-~Receiving~CA~certificate.
-~prelude-lml~registration~to~localhost~successful.
\end{lyxcode}
and on the server side:
\begin{lyxcode}
-~Waiting~for~install~request~from~peer...
-~Connection~from~127.0.0.1:57232.
-~Waiting~for~client~certificate~request.
-~Analyzer~with~ID=\char`\"{}1537698187535812\char`\"{}~ask~for~registration~with~permission=\char`\"{}idmef:w~admin:r\char`\"{}.
~~Approve~registration~{[}y/n]:~y
Registering~analyzer~\char`\"{}1537698187535812\char`\"{}~with~permission~\char`\"{}idmef:w~admin:r\char`\"{}.
-~Generating~signed~certificate~for~client.
-~Sending~server~certificate~to~client.
-~127.0.0.1:30098~successfully~registered.
\end{lyxcode}
The operation was successful! Congratulations, you now have a sensor up and running.
\subsection{Installing the Prewikka console}
This section explains how to install the Prelude frontend Prewikka using the tarball available from the Prelude website. However, Prewikka might be included with your distribution as a package, in which case it is easier to install it that way.
\paragraph*{Requirements}
\begin{itemize}
\item Prewikka 0.9.9 depends on libpreludedb version 0.9.9 (database schema 0.9.1)
\item Prewikka 0.9.4 depends on libpreludedb version 0.9.7 (database schema 0.9.1)
\item Prewikka 0.9.1 and 0.9.2 depend on libpreludedb version 0.9.1 (database schema 0.9.1)
\end{itemize}
\paragraph*{Get the sources}
Download Prewikka at http://www.prelude-ids.org/download/releases/prewikka-latest.tar.gz
\paragraph*{Install}
You might install Prewikka as root:
\begin{lyxcode}
\#~python~setup.py~install
\end{lyxcode}
Or as a user:
\begin{lyxcode}
\$~python~setup.py~install~-{}-prefix~/prefix/where/prewikka/should/be/installed
\end{lyxcode}
You will need Python 2.3 from http://www.python.org/ and Cheetah templates for Python from http://cheetahtemplate.org/. Additionally you might need python2.3-dev.
\paragraph*{Create the Prewikka database}
Make sure the Prelude Framework (libprelude + libpreludedb with Python bindings) is installed. Please read: https://trac.prelude-ids.org/wiki/InstallingPrelude.
\paragraph*{MySQL}
\subparagraph*{Database creation}
Connect to your database server using the mysql client like this:
\begin{lyxcode}
\$~mysql~-u~root~-p
Enter~password:
\end{lyxcode}
where \char`\"{}root\char`\"{} is the name of the database administrator (this is the default account on mysql) and -p will prompt you for a password (by default the root account has no password on mysql and is only accessible from localhost). Then, if everything is ok, you should see something like this:
\begin{lyxcode}
Welcome~to~the~MySQL~monitor.~Commands~end~with~;~or~\textbackslash{}g.
Your~MySQL~connection~id~is~303~to~server~version:~4.0.22-log
Type~'help;'~or~'\textbackslash{}h'~for~help.
Type~'\textbackslash{}c'~to~clear~the~buffer.
mysql>
\end{lyxcode}
To create a new database named 'prewikka' (for example):
\begin{lyxcode}
mysql>~CREATE~database~prewikka;
Query~OK,~1~row~affected~(0.05~sec)
\end{lyxcode}
\subparagraph*{Create a dedicated user to access the database (optional)}
You might want to access your database through a dedicated user (if you don't already have one). If you want to create a new user called 'prewikka' with the password 'password' that will have full access to a database called 'prewikka', but only from localhost, use the following query:
\begin{lyxcode}
GRANT~ALL~PRIVILEGES~ON~prewikka.{*}~TO~prewikka@'localhost'~IDENTIFIED~BY~'password';
\end{lyxcode}
\subparagraph*{Tables creation}
The final step (supposing you have prewikka installed in /usr):
\begin{lyxcode}
\$~mysql~-u~prewikka~prewikka~-p~<~/usr/share/prewikka/database/mysql.sql
Enter~password:
\end{lyxcode}
Enter your password, and the tables will be created. For more details about MySQL databases/tables/users creation, please refer to http://dev.mysql.com/doc/mysql/en/tutorial.html
\paragraph*{PostgreSQL}
\subparagraph*{Database creation}
Connect to your database server using the psql client like this:
\begin{lyxcode}
\$~PGPASSWORD=your\_password~psql~-U~postgres
\end{lyxcode}
where \char`\"{}postgres\char`\"{} is the name of the database administrator (this is the default account on postgresql) and the PGPASSWORD environment variable is set to the correct password. Then, if everything is ok, you should see something like this:
\begin{lyxcode}
Welcome~to~psql~7.3.4,~the~PostgreSQL~interactive~terminal.
Type:~\textbackslash{}copyright~for~distribution~terms
~~~~~~\textbackslash{}h~for~help~with~SQL~commands
~~~~~~\textbackslash{}?~for~help~on~internal~slash~commands
~~~~~~\textbackslash{}g~or~terminate~with~semicolon~to~execute~query
~~~~~~\textbackslash{}q~to~quit
postgres=\#
\end{lyxcode}
To create a new database named 'prewikka' (for example):
\begin{lyxcode}
postgres=\#~CREATE~database~prewikka;
CREATE~DATABASE
\end{lyxcode}
\subparagraph*{Create a dedicated user to access the database (optional)}
You should access the database through a dedicated user rather than the postgres superuser (if you do not already have one). To create a new user called 'prewikka' with the password 'prewikka' that has full access to the database called 'prewikka', use the following query:
\begin{lyxcode}
CREATE~USER~prewikka~WITH~ENCRYPTED~PASSWORD~'prewikka'
NOCREATEDB~NOCREATEUSER;
\end{lyxcode}
As with MySQL, replace the example password with a real one; it will be stored in clear text in prewikka.conf. NOCREATEDB and NOCREATEUSER keep the account from creating further databases or users (from PostgreSQL 8.1 on the spelling is NOSUPERUSER NOCREATEROLE; NOCREATEUSER was removed in 9.6). On the PostgreSQL 7.x/8.0 servers this page was written for, every user may create tables in the public schema, so nothing more is needed; on PostgreSQL 15 and later you also have to make 'prewikka' the owner of the database (ALTER DATABASE prewikka OWNER TO prewikka) or grant it CREATE on the schema before loading the tables.
\subparagraph*{Tables creation}
The final step (assuming you have Prewikka installed under /usr):
\begin{lyxcode}
\$~PGPASSWORD=prewikka~psql~-U~prewikka~-d~prewikka~<~/usr/share/prewikka/database/pgsql.sql
\end{lyxcode}
For more details about creating PostgreSQL databases, tables and users, please refer to http://www.postgresql.org/docs/8.0/interactive/index.html
\paragraph*{SQLite3}
\subparagraph*{Database and tables creation}
SQLite keeps the whole database in a single file, so file permissions are its only access control. Make sure /usr/local/etc/prelude-db is readable (and, since Prewikka writes to its database, writable) only by the prelude user, or by root if you have not created one, and by nobody else.
\begin{lyxcode}
\$~sqlite3~/usr/local/etc/prelude-db/prelude-sqlite-PREWIKKA.sql~<~/usr/share/prewikka/database/sqlite.sql
\end{lyxcode}
Then, in prewikka.conf, use the following database settings instead of the MySQL ones shown in the next section:
\begin{lyxcode}
{[}idmef\_database]
type:~sqlite3
file:~/usr/local/etc/prelude-db/prelude-sqlite-IDMEF-classic.sql
{[}database]
type:~sqlite3
file:~/usr/local/etc/prelude-db/prelude-sqlite-PREWIKKA.sql
\end{lyxcode}
\paragraph*{Editing prewikka.conf}
Once you have created the database for Prewikka, edit /etc/prewikka/prewikka.conf to match your database settings before starting Prewikka. The file holds the database passwords in clear text, so it must be readable only by the user the web server (or prewikka-httpd) runs as, and by nobody else.
\begin{lyxcode}
{[}interface]
\#~This~is~the~name~at~the~top~right~and~left~of~the~Prewikka~interface.
\#~You~can~change~it~or~leave~it~as~is.
software:~Prewikka
place:~company~ltd.
title:~Prelude~management
\#~The~following~are~the~settings~for~your~prelude~(IDMEF)~database
{[}idmef\_database]
type:~mysql
host:~localhost
user:~prelude
pass:~prelude
name:~prelude
\#~This~is~the~database~information~for~the~prewikka~DB~you~created~above
{[}database]
type:~mysql
host:~localhost
user:~prewikka
pass:~prewikka
name:~prewikka
\#~You~can~comment~this~out~to~stop~logs~from~being~written~to~stderr
{[}log~stderr]
\#~No~real~need~to~edit~this~except~to~increase/decrease~the~expiration~time
{[}auth~loginpassword]
expiration:~60
\end{lyxcode}
\paragraph*{Running Prewikka from the Apache web server (CGI/Apache)}
\paragraph*{Apache / CGI setup with VirtualHost}
\begin{lyxcode}
~
~~ServerName~my.server.org
~~Setenv~PREWIKKA\_CONFIG~\char`\"{}/etc/prewikka/prewikka.conf\char`\"{}
~
~~AllowOverride~None
~~Options~ExecCGI
~~~
~~~~AddHandler~cgi-script~.cgi
~~
~~Order~allow,deny
~~Allow~from~all
~~Alias~/prewikka/~/usr/share/prewikka/htdocs/
~~ScriptAlias~/~/usr/share/prewikka/cgi-bin/prewikka.cgi
\end{lyxcode}
Note that the PREWIKKA\_CONFIG environment variable is optional; if it is unset, the default configuration file relative to your installation path is used.
\paragraph*{Apache / mod\_python setup with VirtualHost}
\begin{lyxcode}
~
~~ServerName~my.server.org
~
~~SetHandler~mod\_python
~~PythonHandler~prewikka.ModPythonHandler
~~PythonOption~PrewikkaConfig~/etc/prewikka/prewikka.conf
~
~~SetHandler~None
~~Alias~/prewikka~/usr/share/prewikka/htdocs
\end{lyxcode}
Note that the PrewikkaConfig option is optional; if it is unset, the default configuration file relative to your installation path is used.
\paragraph*{Running Prewikka from the lighttpd webserver}
\subparagraph*{lighttpd setup with mod\_cgi}
First, make sure mod\_cgi is enabled in your lighttpd.conf (add it to the existing server.modules list, with += if the list is already defined elsewhere, rather than replacing the list), and add prewikka.cgi to your server.indexfiles:
\begin{lyxcode}
server.modules~=~(\char`\"{}mod\_cgi\char`\"{})
server.indexfiles~=~(\char`\"{}prewikka.cgi\char`\"{})
\end{lyxcode}
Then, add the following alias and cgi options:
\begin{lyxcode}
\$HTTP{[}\char`\"{}url\char`\"{}]~=\textasciitilde{}~\char`\"{}\textasciicircum{}/prewikka\char`\"{}~\{
~~alias.url~=~(
~~~~\char`\"{}/prewikka/\char`\"{}~=>~\char`\"{}/usr/share/prewikka/htdocs\char`\"{},
~~~~\char`\"{}/prewikka\char`\"{}~=>~\char`\"{}/usr/share/prewikka/cgi-bin\char`\"{}
~~~~)
~~cgi.assign~=~(~\char`\"{}.cgi\char`\"{}~=>~\char`\"{}\char`\"{}~)
\}
\end{lyxcode}
With newer versions of lighttpd, such as 1.4.11, use the following cgi options instead:
\begin{lyxcode}
\$HTTP{[}\char`\"{}url\char`\"{}]~=\textasciitilde{}~\char`\"{}\textasciicircum{}/prewikka\char`\"{}~\{
~~alias.url~=~(
~~~~\char`\"{}/prewikka/prewikka/images\char`\"{}~=>~\char`\"{}/usr/share/prewikka/htdocs/images\char`\"{},
~~~~\char`\"{}/prewikka/prewikka/css\char`\"{}~=>~\char`\"{}/usr/share/prewikka/htdocs/css\char`\"{},
~~~~\char`\"{}/prewikka/prewikka/js\char`\"{}~=>~\char`\"{}/usr/share/prewikka/htdocs/js\char`\"{},
~~~~\char`\"{}/prewikka\char`\"{}~=>~\char`\"{}/usr/share/prewikka/cgi-bin/prewikka.cgi\char`\"{}
~~~~)
~~cgi.assign~=~(~\char`\"{}.cgi\char`\"{}~=>~\char`\"{}\char`\"{}~)
\}
\end{lyxcode}
You should
then be able to access Prewikka through http://yourmachine/prewikka.
\paragraph*{Running Prewikka from the boa webserver}
Edit /etc/boa/boa.conf and append the following lines:
\begin{lyxcode}
\#~prewikka~addon-lines~BEGIN~\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
Alias~/prewikka/prewikka/images~/usr/share/prewikka/htdocs/images
Alias~/prewikka/prewikka/css~/usr/share/prewikka/htdocs/css
Alias~/prewikka/prewikka/js~/usr/share/prewikka/htdocs/js
ScriptAlias~/prewikka/~/usr/share/prewikka/cgi-bin/
\#~prewikka~addon-lines~END~\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
\end{lyxcode}
You should then be able to access Prewikka through http://yourmachine/prewikka/prewikka.cgi. This setup works at least with boa-0.94.14. With newer versions of Prewikka you need a patched boa: the compiled-in MAX\_HEADER\_LENGTH value is too small for the requests Prewikka sends, which is easy to fix if you can compile boa yourself. Change MAX\_HEADER\_LENGTH from 1024 to 2048 in src/defines.h and rebuild.
\paragraph*{Running Prewikka from the command line tool}
If you did not install Prewikka system-wide (i.e. you specified a prefix), use:
\begin{lyxcode}
\$~PYTHONPATH=\$prefix/lib/python2.3/site-packages~\$prefix/bin/prewikka-httpd
\end{lyxcode}
If you installed Prewikka system-wide:
\begin{lyxcode}
\$~/usr/bin/prewikka-httpd
\end{lyxcode}
You can then point your browser at port 8000 on your machine. prewikka-httpd speaks plain HTTP, so the login and the alert data cross the network unencrypted: use it on a trusted network or for testing, and put Prewikka behind one of the web servers above, configured for HTTPS, for anything else.
\paragraph*{Initial login}
Once everything is set up, use your browser to connect to the machine where Prewikka was installed. If you are not using Apache (or another web server), remember to use port 8000 to reach Prewikka. The default login and password are both admin: change them before anyone else can reach the interface.
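The database account and prewikka.conf sections above leave the password choice, the privilege level and the file permissions to the reader. The following script is added here as a worked example; it is not part of the Prewikka documentation or of the Prewikka/Prelude code. It generates a random password, prints least-privilege SQL for either database server, writes a 0600 option file for the mysql client so the password never goes on a command line, and audits a prewikka.conf for group/world readability and for the example passwords used in this guide. It assumes MySQL 5.0 or later (for CREATE USER) or PostgreSQL 9.0 or later (for GRANT ... ON ALL TABLES IN SCHEMA), that the administrator loads mysql.sql or pgsql.sql before the grants are applied, and that Prewikka 0.9 needs only SELECT, INSERT, UPDATE and DELETE at run time; the function names are this example's own.

```shell
#!/bin/sh
# Added example for this guide, not code from the Prewikka documentation or the
# Prewikka/Prelude projects. It hardens the database side of a Prewikka install:
#   1. a random password for the 'prewikka' database account,
#   2. least-privilege SQL for MySQL or PostgreSQL: row access on one database
#      only, after the administrator has loaded mysql.sql/pgsql.sql (no ALL
#      PRIVILEGES, no CREATE),
#   3. a 0600 client option file so the password never goes on a command line,
#   4. an audit of prewikka.conf: private to its owner, no example passwords.
# Assumptions: MySQL 5.0+ (CREATE USER), PostgreSQL 9.0+ (GRANT ... ON ALL
# TABLES IN SCHEMA), and Prewikka 0.9 needing only SELECT/INSERT/UPDATE/DELETE
# at run time (grant DDL temporarily for a schema upgrade).

# N random bytes from the kernel CSPRNG as 2N hex characters (16 bytes = 128
# bits). Hex contains no quote characters, so it is safe inside SQL quotes.
gen_password() {
    od -An -tx1 -N "${1:-16}" /dev/urandom | tr -d ' \n'
}

# MySQL: dedicated account reachable from localhost only, DML on one database.
mysql_grant_sql() {
    db=$1; user=$2; pass=$3
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON %s.* TO '%s'@'localhost';\n" "$db" "$user"
}

# PostgreSQL: login role without superuser/createdb/createrole rights, DML on
# the tables and sequences already loaded into the database (run with -d db).
pgsql_grant_sql() {
    db=$1; user=$2; pass=$3
    printf "CREATE ROLE %s LOGIN ENCRYPTED PASSWORD '%s' NOSUPERUSER NOCREATEDB NOCREATEROLE;\n" "$user" "$pass"
    printf "GRANT CONNECT ON DATABASE %s TO %s;\n" "$db" "$user"
    printf "GRANT USAGE ON SCHEMA public TO %s;\n" "$user"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO %s;\n" "$user"
    printf "GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO %s;\n" "$user"
}

# Client option file created with mode 0600 (umask in a subshell leaves the
# caller's umask alone). Use: mysql --defaults-extra-file=FILE prewikka
write_mysql_option_file() {
    file=$1; user=$2; pass=$3
    ( umask 077; printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pass" > "$file" )
}

# True when the mode string printed by ls -ld grants nothing to group or other;
# works for prewikka.conf and for the SQLite directory alike, on any POSIX ls.
private_to_owner() {
    case $(ls -ld "$1" 2>/dev/null | cut -c1-10) in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print "section: user" for each prewikka.conf section whose pass: value is
# empty, repeats the user name, or is one of the guide's example passwords.
weak_db_passwords() {
    awk -F': *' '
        function flush() {
            if (havepass && (pass == "" || pass == user ||
                             pass ~ /^(password|prelude|prewikka|admin)$/))
                print sec ": " user
        }
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*/, "", sec)
                      user = ""; pass = ""; havepass = 0; next }
        $1 ~ /^[ \t]*user$/ { user = $2 }
        $1 ~ /^[ \t]*pass$/ { pass = $2; havepass = 1 }
        END { flush() }
    ' "$1"
}

# 0 when prewikka.conf is private to its owner and has no weak database
# password; otherwise each finding is printed and 1 is returned.
check_prewikka_conf() {
    conf=$1; rc=0
    if ! private_to_owner "$conf"; then
        echo "$conf: readable by group or other; chmod 600 it"; rc=1
    fi
    weak=$(weak_db_passwords "$conf")
    if [ -n "$weak" ]; then
        echo "$conf: weak or example database password in: $weak"; rc=1
    fi
    return $rc
}

# Demonstration on a constructed copy of the guide's [database] section.
tmp=$(mktemp -d)
printf '[database]\ntype: mysql\nhost: localhost\nuser: prewikka\npass: prewikka\n' \
    > "$tmp/prewikka.conf"
chmod 644 "$tmp/prewikka.conf"
if check_prewikka_conf "$tmp/prewikka.conf"; then echo "prewikka.conf: OK"; fi
pass=$(gen_password 16)
mysql_grant_sql prewikka prewikka "$pass"           # paste into: mysql -u root -p
write_mysql_option_file "$tmp/prewikka.cnf" prewikka "$pass"
rm -rf "$tmp"
```

Run check\_prewikka\_conf against /etc/prewikka/prewikka.conf, and private\_to\_owner against /usr/local/etc/prelude-db when using SQLite, as the user Prewikka runs under. Feed the printed SQL to mysql -u root -p or to psql -U postgres -d prewikka; for PostgreSQL the counterpart of the mysql option file is a \textasciitilde{}/.pgpass file with mode 0600.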
\paragraph*{SELinux impact (Fedora Core 3)}
If you find that Prewikka is not able to connect to the local MySQL server, you may be running into SELinux. Starting with Fedora Core 3, SELinux (Security-Enhanced Linux, a mandatory access control layer on top of the usual Unix permissions) is turned on by default, and its targeted policy confines a small set of network daemons, among them httpd and mysqld. Check the system log (/var/log/messages) for avc: denied messages naming httpd or mysqld to confirm that this is the cause. There are many ways to handle it, but a convenient one is from the Start menu on the desktop: use System Settings \textgreater{} Security Settings \textgreater{} SELinux. You can disable SELinux completely or just for the mysqld daemon; prefer the per-daemon option, since disabling SELinux altogether removes the confinement of every other service on the host. (gdk - Telcordia 5/2/05)
\paragraph*{See also}
\begin{itemize}
\item InstallingPrewikka
\item ExecutionPrewikka
\end{itemize}