Here are some simple steps to set up your own Prelude IDS. Prelude is a universal Security Information and Event Management (SIEM) system: it collects, archives, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license that generates them.
Easy steps to create a structure as shown in the figure.
Prerequisites: Ubuntu server 12.0
Any one log monitoring system (my favourite is Snort)
Prewikka
apt-get update
apt-get upgrade
apt-get install ntpdate
apt-get install dbconfig-common
apt-get install rng-tools (edit /etc/default/rng-tools and set HRNGDEVICE=/dev/urandom so that rngd has an entropy source on a machine without a hardware RNG)
apt-get install mysql-server
Prelude-Manager
apt-get install prelude-manager (in /etc/default/prelude-manager set run=yes)
(edit /etc/prelude-manager/prelude-manager.conf for the listen address and relaying settings)
Change the server IP in /etc/prelude/default/client.conf
Prelude-Correlator
apt-get install prelude-correlator
Registration of prelude-correlator (the registration-server command runs on the manager host):
prelude-admin register prelude-correlator "idmef:w admin:r" <managerhost> --uid 0 --gid 0 (use the uid and gid from /etc/passwd)
prelude-admin registration-server prelude-manager
Prewikka
apt-get install apache2
apt-get install prewikka (create a file named prewikka in /etc/apache2/sites-available with the following contents)
<VirtualHost *:80>
    SetEnv PREWIKKA_CONFIG "/etc/prewikka/prewikka.conf"
    <Location "/">
        AllowOverride None
        Options ExecCGI
        <IfModule mod_mime.c>
            AddHandler cgi-script .cgi
        </IfModule>
        Order allow,deny
        Allow from all
    </Location>
    Alias /prewikka/ /usr/share/prewikka/htdocs/
    ScriptAlias / /usr/share/prewikka/cgi-bin/prewikka.cgi
</VirtualHost>
In /usr/bin/prewikka-httpd change the port from 8000 to 80, and edit /etc/prewikka/prewikka.conf (database settings).
a2dissite prewikka (to disable Prewikka)
a2ensite prewikka (to enable Prewikka)
/etc/init.d/apache2 reload
Change the permission of /etc/prewikka/prewikka.conf (chmod 766). Note that 766 leaves the file world-writable; since it holds the database credentials and only needs to be readable by the web-server user, a tighter mode such as 640 is safer.
Prelude-lml
apt-get install prelude-lml
Check that it is working by running prelude-lml.
Registration of prelude-lml:
prelude-admin register prelude-lml "idmef:w admin:r" <managerhost> --uid 0 --gid 0 (use the uid and gid from /etc/passwd)
prelude-admin registration-server prelude-manager
Relaying:
prelude-manager --relaying --parent-managers "x.x.x.x"
Edit the following in /etc/prelude-manager/prelude-manager.conf:
Relaying (uncomment this line)
Parent managers = x.x.x.x
Snort Installation
On the snort-test machine:
apt-get install gcc
apt-get install g++
Also install the packages libgpg-error, libgcrypt, gnutls and pcre.
apt-get install libprelude-dev
apt-get install libpreludedb-dev
apt-get install prelude-lml (and register prelude-lml as above)
apt-get install snort
apt-get install snort-mysql
apt-get install snort-rules-default
apt-get install snort-common-libraries
Open /etc/snort/snort.conf and edit the following:
Scroll down to the section with "# output alert_prelude: profile=snort", remove the "#" in front of this line, and that's it.
prelude-adduser register snort "idmef:w" <manager address> --uid snort --gid snort (on the snort agent)
prelude-adduser registration-server prelude-manager (on the prelude-manager)
snort -c /etc/snort/snort.conf
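The following post-install sanity checks are an added example, not a script shipped with Prelude or Snort: shell functions that inspect the files edited in the steps above to confirm that run=yes is set for prelude-manager, that the alert_prelude output line in snort.conf is uncommented, and that prewikka.conf is not world-writable. It assumes GNU coreutils stat (stat -c), and each function takes a file path so it can be pointed at the real file or at the constructed samples built in demo.

```shell
#!/bin/sh
# Added post-install sanity checks for the Prelude/Snort walkthrough above.
# Not a script shipped with Prelude: it only greps the files the steps edit.
# Each function takes a file path so it can be run against the real file
# or against a constructed sample. Assumes GNU coreutils stat (stat -c).

# The init script skips prelude-manager unless run=yes is set
# (case and surrounding spaces are tolerated).
check_manager_enabled() {
    grep -Eiq '^[[:space:]]*run[[:space:]]*=[[:space:]]*yes' "$1"
}

# Snort only reports to the manager once the "output alert_prelude:" line
# in snort.conf has lost its leading "#".
check_snort_prelude_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_prelude:' "$1"
}

# prewikka.conf holds the database credentials, so it must not be
# world-writable (chmod 766 would make it so). Fails if the "other"
# write bit is set.
check_prewikka_conf_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    other=$(( mode % 10 ))
    [ $(( other & 2 )) -eq 0 ]
}

# Runs all checks against constructed sample files in a temp dir,
# prints PASS/FAIL per check and returns the number of failures.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'RUN=yes\n' > "$dir/prelude-manager"
    printf 'output alert_prelude: profile=snort\n' > "$dir/snort.conf"
    : > "$dir/prewikka.conf" && chmod 640 "$dir/prewikka.conf"
    failures=0
    for c in "check_manager_enabled $dir/prelude-manager" \
             "check_snort_prelude_output $dir/snort.conf" \
             "check_prewikka_conf_mode $dir/prewikka.conf"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; failures=$((failures + 1)); fi
    done
    rm -rf "$dir"
    return "$failures"
}

demo
```

Point the three functions at /etc/default/prelude-manager, /etc/snort/snort.conf and /etc/prewikka/prewikka.conf on the real hosts; a non-zero exit from any of them means the corresponding step above was missed.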
With this, your Prelude setup should be up and running in no time. Cheers!