Security stuff:
Prelude IDS (deprecated):
In order to get Prelude IDS and Prewikka installed on our local system we also need MySQL (Prelude supports other SQL databases too, so it should be possible to adapt this description; in that case we also need a modified libpreludedb package that includes the concerning database support). The concerning packages are part of my Fedora and OpenSUSE repository.
Making MySQL safe and secure
(only for newbies, or when Prelude/Prewikka will be the only users of MySQL)
- Deleting the test database (nobody needs this db):
root@bassano> mysql -u root
mysql> DROP DATABASE test;
- Setting mysql root password:
mysql> USE mysql;
mysql> SET PASSWORD FOR root@localhost=PASSWORD('yourrootpasswd');
- Since prewikka and the prelude manager will be running on this host we remove all existing users with empty passwords and all non-localhost users (these users exist after the installation of MySQL on Fedora or OpenSUSE):
mysql> DELETE FROM db WHERE user='';
mysql> DELETE FROM user WHERE user='';
mysql> DELETE FROM user WHERE host<>'localhost';
mysql> quit
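As an added example (not part of the original description), here is a small shell check that looks for exactly the accounts the DELETE statements above are meant to remove, so we can verify afterwards that nothing was left behind. It reads the tab-separated output of "mysql -u root -p -B -N -e 'SELECT user, host FROM mysql.user'" from stdin; the sample rows embedded below are constructed, not taken from a real installation.

```shell
#!/bin/sh
# Added example, not from the original page: audit the MySQL user table for
# anonymous accounts (empty user name) and accounts that may connect from a
# host other than localhost. Feed it the output of:
#   mysql -u root -p -B -N -e "SELECT user, host FROM mysql.user"

# Print one line per finding as "<reason>\t<user>\t<host>".
# Exit status 0 means the table is clean, 1 means at least one finding.
audit_mysql_users() {
    awk -F'\t' '
        # column 1 is user, column 2 is host
        $1 == ""          { print "anonymous-user\t" $1 "\t" $2; bad=1 }
        $2 != "localhost" { print "non-localhost\t"  $1 "\t" $2; bad=1 }
        END { if (bad) exit 1 }
    '
}

# Constructed sample of what a fresh install may contain: root and an anonymous
# user, each once for localhost and once for the machine's hostname.
SAMPLE_USERS=$(printf 'root\tlocalhost\n\tlocalhost\nroot\tbassano\n\tbassano\nprelude\tlocalhost\n')

# Number of findings in the constructed sample (a one-line summary).
count_findings() {
    printf '%s\n' "$SAMPLE_USERS" | audit_mysql_users | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_USERS" | audit_mysql_users
fi
```

Run it with "--demo" to see the findings for the constructed sample; in real use, pipe the mysql output into audit_mysql_users and treat a non-zero exit status as "the cleanup steps above are not complete".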
Prelude Library Installation
After MySQL is up and running we install the prelude library rpms on our local host (the base lib is needed on all hosts (sensor and management hosts), whereas the database lib is only needed on the management host):
root@bassano> rpm -ihv libprelude-0.9...rpm
root@bassano> rpm -ihv libprelude-python-0.9...rpm
root@bassano> rpm -ihv libpreludedb-0.9...rpm
root@bassano> rpm -ihv libpreludedb-python-0.9...rpm
Then we create the prelude mysql database including the prelude MySQL user:
root@bassano> mysql -u root -p
mysql> CREATE database prelude;
mysql> GRANT ALL PRIVILEGES ON prelude.* TO prelude@localhost
IDENTIFIED BY 'yourpreludepasswd';
mysql> quit
root@bassano> mysql -u prelude -p prelude <
/usr/share/libpreludedb/classic/mysql.sql
Prelude Manager Installation
The next step is the installation of the prelude manager:
root@bassano> rpm -ihv prelude-manager-0.9...rpm
We modify the prelude manager configuration so that it will use MySQL as its
database. Therefore we edit
/etc/prelude-manager/prelude-manager.conf so that
it has the following db-section activated:
...
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = yourpreludepasswd
...
Then comes the TLS stuff for the prelude manager (key creation):
root@bassano> prelude-adduser add prelude-manager --uid 0 --gid 0
The first part of the Prelude IDS management is now installed and configured
so we are now able to start the prelude-manager:
root@bassano> /sbin/service prelude-manager restart
Prewikka Installation
Now it's time for the installation of prewikka, the Prelude IDS web interface:
root@bassano> rpm -ihv prewikka-0.9...rpm
Prewikka uses an additional database. Therefore we create the prewikka MySQL
database and user.
root@bassano> mysql -u root -p
mysql> CREATE database prewikka;
mysql> GRANT ALL PRIVILEGES ON prewikka.* TO prewikka@localhost
IDENTIFIED BY 'yourprewikkapasswd';
mysql> quit
root@bassano> mysql -u prewikka -p prewikka <
/usr/share/prewikka/database/mysql.sql
For the web interface we then install the prewikka RPM for the web server of our choice
(I prefer the boa one, for the boa web server):
root@bassano> rpm -ihv prewikka-boa-0.9...rpm
Then we modify the prewikka configuration so that it will use prelude
and prewikka MySQL databases. Therefore we edit
/etc/prewikka/prewikka.conf:
...
[idmef database]
type: mysql
host: localhost
user: prelude
pass: yourpreludepasswd
name: prelude
...
[database]
type: mysql
host: localhost
user: prewikka
pass: yourprewikkapasswd
name: prewikka
...
From now on we can access our local Prelude IDS via prewikka
using our favourite web browser:
For boa: http://localhost/prewikka/prewikka.cgi
For apache: http://localhost/prewikka/
For own: http://localhost:8000
(user and password are admin; at least the password should be changed immediately)
Prelude Lml Installation
Installing the prelude-lml sensor (for logfile supervision):
root@bassano> rpm -ihv prelude-lml-0.9...rpm
TLS registration of the prelude-lml sensor (we need two terminal sessions):
Terminal 1 (client side)
root@bassano> prelude-adduser register prelude-lml "idmef:w admin:r" \
127.0.0.1 --uid 0 --gid 0
Terminal 2 (server side)
root@bassano> prelude-adduser registration-server prelude-manager
When Terminal 2 has created the one-shot password we insert it on Terminal 1 and follow the instructions on both terminals up to the successful registration of our prelude-lml sensor.
Don't forget to modify
- /etc/prelude-lml/prelude-lml.conf (which logfiles should be checked) and
- /etc/prelude-lml/ruleset/pcre.rules, /etc/prelude-lml/ruleset/single.rules (for commenting out rules that are not applicable).
After all that we are now able to start the prelude-lml sensor:
root@bassano> /sbin/service prelude-lml restart
Snort Installation (using my prelude-snort packages)
Installing the prelude-snort sensor (network supervision):
root@bassano> rpm -ihv prelude-snort...rpm
TLS registration of the prelude-snort sensor (we need two terminal sessions):
Terminal 1 (client side)
root@bassano> prelude-adduser register snort "idmef:w admin:r" \
127.0.0.1 --uid 8000 --gid 8000
Note: uid/gid are the numerical ids of the installed snort user
(prelude-snort doesn't run as root. If you want to change this, edit
/etc/sysconfig/prelude-snort.sysconfig).
Terminal 2 (server side)
root@bassano> prelude-adduser registration-server prelude-manager
When Terminal 2 has created the one-shot password we insert
it on Terminal 1 and follow the instructions on both
terminals up to the successful registration of our prelude-snort sensor.
Prelude-snort configuration:
- After installing the snort sensor we need some snort rules too. We need at least the first package, or else we define all rules ourselves.
root@bassano> rpm -ihv prelude-snort-rules-...rpm
root@bassano> rpm -ihv prelude-snort-communityrules-...rpm
root@bassano> rpm -ihv prelude-snort-bleedingrules-...rpm
- Then we adapt the prelude-snort configuration (see /etc/sysconfig/prelude-snort.sysconfig) so that the prelude output plugin is activated, the wanted rule files are included and the detection engine is configured:
...
output alert_prelude: profile=snort
...
Example for "community-bot.rules":
include $RULE_PATH/community-bot.rules
...
# Configure the detection engine
# ===============================
config detection: search-method ac-bnfa
...
root@bassano> /sbin/service prelude-snort restart
Take a look in your /var/log/messages to see what happens,
especially when snort doesn't want to run. If snort has a problem with
even one rule file it won't start.
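As an added example (not part of the original description or of the prelude-snort packages), here is a pre-flight check we can run on the snort configuration before restarting the service: it verifies that the "output alert_prelude" line is present and that every uncommented "include $RULE_PATH/..." line points at an existing rule file, since a missing rule file is one of the reasons snort refuses to start. The location of snort.conf is an assumption (it depends on the packaging), and the fixture the script builds for its own demo run is constructed, not a real installation.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight check for a snort.conf
# before "service prelude-snort restart". The config path is passed as an
# argument (assumption: it is wherever the prelude-snort package keeps it).

# Resolve RULE_PATH from a "var RULE_PATH <dir>" line (standard snort.conf
# syntax); fall back to ./rules if no such line exists.
snort_rule_path() {
    awk '$1 == "var" && $2 == "RULE_PATH" { print $3; found=1 }
         END { if (!found) print "./rules" }' "$1"
}

# Print one "missing: ..." line per problem. Exit 1 if the alert_prelude
# output line is absent or any included rule file does not exist, else 0.
snort_preflight() {
    conf="$1"
    dir=$(snort_rule_path "$conf")
    status=0
    if ! grep -Eq '^[[:space:]]*output[[:space:]]+alert_prelude' "$conf"; then
        echo "missing: output alert_prelude line"
        status=1
    fi
    # Commented lines start with "#", so their first field is never "include".
    for f in $(awk '$1 == "include" { print $2 }' "$conf"); do
        path=$(printf '%s' "$f" | sed "s|\$RULE_PATH|$dir|")
        if [ ! -r "$path" ]; then
            echo "missing: $path"
            status=1
        fi
    done
    return $status
}

# Build a constructed fixture: a temp dir with one rule file present and one
# include that points at a file that was never installed.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules"
    echo 'alert tcp any any -> any 80 (msg:"constructed test rule"; sid:1000001; rev:1;)' \
        > "$tmp/rules/community-bot.rules"
    cat > "$tmp/snort.conf" <<EOF
var RULE_PATH $tmp/rules
output alert_prelude: profile=snort
include \$RULE_PATH/community-bot.rules
include \$RULE_PATH/not-installed.rules
# include \$RULE_PATH/commented-out.rules
config detection: search-method ac-bnfa
EOF
    printf '%s\n' "$tmp"
}

# Run the check on the fixture and return how many problems it reports.
demo_missing_count() {
    fx=$(make_fixture)
    snort_preflight "$fx/snort.conf" | grep -c '^missing:'
}

# Usage: ./snort-preflight.sh /path/to/snort.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    snort_preflight "$1"
fi
```

A non-zero exit status means the restart would most likely fail; the "missing:" lines tell us which rule package is still not installed or which include line has to be commented out.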