Security stuff:
Prelude IDS (deprecated): In order to get Prelude IDS and Prewikka installed on our local system we also need MySQL (Prelude supports other SQL databases too, so it should be possible to adapt this description, but in that case we also need a modified libpreludedb package that includes the corresponding database support). The corresponding packages are part of my Fedora and OpenSUSE repository.
Making MySQL safe and secure
(only for newbies, or when Prelude/Prewikka will be the only users of MySQL)
- Deleting the test database (nobody needs this db):
root@bassano> mysql -u root
mysql> DROP DATABASE test;
- Setting the MySQL root password:
mysql> USE mysql;
mysql> SET PASSWORD FOR root@localhost=PASSWORD('yourrootpasswd');
- Since prewikka and the prelude-manager will be running on this host, we remove all anonymous users (empty user name, and therefore no password) and all non-localhost users (these users exist after the installation of MySQL on Fedora or OpenSUSE). Because these statements edit the grant tables directly, the privileges have to be reloaded afterwards with FLUSH PRIVILEGES, otherwise the deleted accounts stay usable until the next server restart:
mysql> DELETE FROM db WHERE user='';
mysql> DELETE FROM user WHERE user='';
mysql> DELETE FROM user WHERE host<>'localhost';
mysql> FLUSH PRIVILEGES;
mysql> quit
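To verify that the clean-up above really left only local, named accounts with a password, here is an added shell check (example code, not part of the original page). It reads the raw output of a SELECT on mysql.user, which the usage line in the comment produces; the column name password is the one of the MySQL 5.0/5.1 generation this page targets, on MySQL 5.7 and later it is authentication_string (an assumption to adjust in the query). The sample lines in the test are constructed.

```sh
#!/bin/sh
# Added example (not part of the original page): audit the MySQL account list
# after the hardening steps. Feed it the raw output of
#   mysql -u root -p -N -e "SELECT user, host, password FROM mysql.user"
# (-N drops the column header, so each line is user<TAB>host<TAB>password).
# "password" is the column name of MySQL 5.0/5.1; on 5.7+ use
# "authentication_string" instead (assumption, adjust the query).
# Returns 0 when the account list is clean, 1 otherwise, printing each finding.

audit_mysql_accounts() {
    tab=$(printf '\t')
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Split on the first two tabs ourselves: a leading tab (empty user
        # name) would be swallowed if read were allowed to split on IFS
        # whitespace, and the anonymous account would then be misread.
        user=${line%%"$tab"*}
        rest=${line#*"$tab"}
        host=${rest%%"$tab"*}
        pw=${rest#*"$tab"}
        if [ "$user" = "$line" ] || [ "$pw" = "$rest" ]; then
            echo "unexpected line format (need user, host, password): $line"
            bad=1
            continue
        fi
        if [ -z "$user" ]; then
            echo "anonymous account: ''@'$host'"
            bad=1
        fi
        if [ "$host" != "localhost" ]; then
            echo "remote account: '$user'@'$host'"
            bad=1
        fi
        if [ -z "$pw" ]; then
            echo "empty password: '$user'@'$host'"
            bad=1
        fi
    done
    return $bad
}

# Live run as root on the management host:
#   mysql -u root -p -N -e "SELECT user, host, password FROM mysql.user" | audit_mysql_accounts
```

A non-zero exit means at least one account still has to go; rerun the DELETE statements above, FLUSH PRIVILEGES, and audit again.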
Prelude Library Installation
After MySQL is up and running we install the prelude library RPMs on our local host (the base lib is needed on all hosts, sensor and management hosts, whereas the database lib is only needed on the management host):
root@bassano> rpm -ihv libprelude-0.9...rpm
root@bassano> rpm -ihv libprelude-python-0.9...rpm
root@bassano> rpm -ihv libpreludedb-0.9...rpm
root@bassano> rpm -ihv libpreludedb-python-0.9...rpm
Then we create the prelude MySQL database including the prelude MySQL user (which gets privileges on the prelude database only):
root@bassano> mysql -u root -p
mysql> CREATE DATABASE prelude;
mysql> GRANT ALL PRIVILEGES ON prelude.* TO prelude@localhost IDENTIFIED BY 'yourpreludepasswd';
mysql> quit
root@bassano> mysql -u prelude -p prelude < /usr/share/libpreludedb/classic/mysql.sql
Prelude Manager Installation
The next step is the installation of the prelude-manager:
root@bassano> rpm -ihv prelude-manager-0.9...rpm
We modify the prelude-manager configuration so that it uses MySQL as its database. Therefore we edit /etc/prelude-manager/prelude-manager.conf so that the following db section is activated:
...
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = yourpreludepasswd
...
Then comes the TLS stuff for the prelude-manager (key creation):
root@bassano> prelude-adduser add prelude-manager --uid 0 --gid 0
The first part of the Prelude IDS management is now installed and configured, so we are able to start the prelude-manager:
root@bassano> /sbin/service prelude-manager restart
Prewikka Installation
Now it's time for the installation of prewikka, the Prelude IDS web interface:
root@bassano> rpm -ihv prewikka-0.9...rpm
Prewikka uses an additional database. Therefore we create the prewikka MySQL database and user:
root@bassano> mysql -u root -p
mysql> CREATE DATABASE prewikka;
mysql> GRANT ALL PRIVILEGES ON prewikka.* TO prewikka@localhost IDENTIFIED BY 'yourprewikkapasswd';
mysql> quit
root@bassano> mysql -u prewikka -p prewikka < /usr/share/prewikka/database/mysql.sql
For the web interface we then install the corresponding prewikka webserver RPM (I prefer the boa one for the boa webserver):
root@bassano> rpm -ihv prewikka-boa-0.9...rpm
Then we modify the prewikka configuration so that it uses the prelude and prewikka MySQL databases. Therefore we edit /etc/prewikka/prewikka.conf:
...
[idmef database]
type: mysql
host: localhost
user: prelude
pass: yourpreludepasswd
name: prelude
...
[database]
type: mysql
host: localhost
user: prewikka
pass: yourprewikkapasswd
name: prewikka
...
From now on we can access our local Prelude IDS via prewikka using our favourite web browser:
For boa: http://localhost/prewikka/prewikka.cgi
For apache: http://localhost/prewikka/
For prewikka's own built-in webserver: http://localhost:8000
(user name and password are both admin; at least the password should be changed immediately, since anyone reaching the web interface could otherwise read all alerts and manage users)
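Both /etc/prewikka/prewikka.conf and /etc/prelude-manager/prelude-manager.conf now carry the MySQL passwords in clear text, so they must not be readable by every local account on the management host. The following shell check is an added example (not part of the original page or of the prewikka/prelude packages): it parses the mode string of ls -ld, so it needs no GNU stat, and accepts owner-only or owner plus read-only group access (e.g. root:webserver-group with mode 640), rejecting anything group-writable or world-accessible. The file names in the comment are the ones from the configuration steps above; the test uses a constructed temporary file.

```sh
#!/bin/sh
# Added example (not from the original page): report configuration files that
# hold database passwords and are readable or writable by too many users.
# Accepts owner-only or group-read-only (e.g. 600 or 640), rejects
# group-writable and any "other" access. Returns 0 if all files pass, 1 otherwise.

check_secret_perms() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            rc=1
            continue
        fi
        # characters 2-10 of the ls mode string are rwxrwxrwx (owner, group, other)
        perm=$(ls -ld "$f" | cut -c2-10)
        grp=${perm#???}; grp=${grp%???}   # middle three characters: group bits
        oth=${perm#??????}                # last three characters: other bits
        case "$grp" in
            *w*) echo "group-writable ($perm): $f"; rc=1; continue ;;
        esac
        if [ "$oth" != "---" ]; then
            echo "world-accessible ($perm): $f"
            rc=1
        fi
    done
    return $rc
}

# Files from the configuration steps on this page (run as root):
#   check_secret_perms /etc/prewikka/prewikka.conf /etc/prelude-manager/prelude-manager.conf
```

A reported file is fixed with chown root:<webserver group> and chmod 640 (or chmod 600 if only root needs it); rerun the check afterwards.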
Prelude Lml Installation
Installing the prelude-lml sensor (for logfile supervision):
root@bassano> rpm -ihv prelude-lml-0.9...rpm
TLS registration of the prelude-lml sensor (we need two terminal sessions):
Terminal 1 (client side)
root@bassano> prelude-adduser register prelude-lml "idmef:w admin:r" \
    127.0.0.1 --uid 0 --gid 0
Terminal 2 (server side)
root@bassano> prelude-adduser registration-server prelude-manager
When Terminal 2 has created the one-shot password, we enter it on Terminal 1 and follow the instructions on both terminals up to the successful registration of our prelude-lml sensor.
Don't forget to modify /etc/prelude-lml/prelude-lml.conf (which logfiles should be checked) as well as /etc/prelude-lml/ruleset/pcre.rules and /etc/prelude-lml/ruleset/single.rules (for commenting out rules that are not applicable). After all that we are able to start the prelude-lml sensor:
root@bassano> /sbin/service prelude-lml restart
Snort Installation (using my prelude-snort packages)
Installing the prelude-snort sensor (network supervision):
root@bassano> rpm -ihv prelude-snort...rpm
TLS registration of the prelude-snort sensor (we need two terminal sessions):
Terminal 1 (client side)
root@bassano> prelude-adduser register snort "idmef:w admin:r" \
    127.0.0.1 --uid 8000 --gid 8000
Note: uid/gid are the numerical ids of the installed snort user (prelude-snort doesn't run as root; if you want to change this, edit /etc/sysconfig/prelude-snort.sysconfig). The profile name registered here (snort) is the one the alert_prelude output plugin refers to with profile=snort below, so the two have to match.
Terminal 2 (server side)
root@bassano> prelude-adduser registration-server prelude-manager
When Terminal 2 has created the one-shot password, we enter it on Terminal 1 and follow the instructions on both terminals up to the successful registration of our prelude-snort sensor.
Prelude-snort configuration:
- After installing the snort sensor we need some snort rules too. We need at least the first package, or we define all rules by ourselves.
root@bassano> rpm -ihv prelude-snort-rules-...rpm
root@bassano> rpm -ihv prelude-snort-communityrules-...rpm
root@bassano> rpm -ihv prelude-snort-bleedingrules-...rpm
- /etc/sysconfig/prelude-snort.sysconfig:
...
output alert_prelude: profile=snort
...
Example for activating the "community-bot.rules":
include $RULE_PATH/community-bot.rules
...
# Configure the detection engine
# ===============================
config detection: search-method ac-bnfa
...
root@bassano> /sbin/service prelude-snort restart
Take a look at your /var/log/messages to see what happens, especially when snort doesn't want to run. If snort has a problem with even one rule, it won't start.
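Since a single bad rule line keeps snort from starting, it pays to check the configuration before restarting the service. The shell check below is an added example (not part of the original page or of the prelude-snort packages): it reads the snort configuration file (assumed to be the file that carries the include lines shown above), resolves $RULE_PATH from its var RULE_PATH line the way snort does (a relative value is taken relative to the configuration file's directory), and reports every active include whose rules file is missing or unreadable, which is the usual outcome of enabling a rules file that no installed rules package provides. The configuration and rules directory used in the test are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example (not from the original page): find "include" lines in a snort
# configuration that point at rules files which are not installed or not
# readable. check_rule_includes CONF returns 0 when every include resolves,
# 1 otherwise (printing the offending paths). Commented-out includes are ignored.

# resolve_include INCLUDE_ARG RULE_PATH CONF_DIR -> absolute or conf-relative path
resolve_include() {
    inc=$1
    case "$inc" in
        '$RULE_PATH/'*) printf '%s\n' "$2/${inc#'$RULE_PATH/'}" ;;
        /*)             printf '%s\n' "$inc" ;;
        *)              printf '%s\n' "$3/$inc" ;;
    esac
}

check_rule_includes() {
    conf=$1
    confdir=$(dirname "$conf")
    # first "var RULE_PATH <dir>" line wins; snort's usual default is "../rules"
    rule_path=$(awk '$1=="var" && $2=="RULE_PATH" {print $3; exit}' "$conf")
    [ -n "$rule_path" ] || rule_path=../rules
    case "$rule_path" in
        /*) ;;
        *)  rule_path="$confdir/$rule_path" ;;
    esac
    # only lines whose first word is "include" are active includes
    missing=$(awk '$1=="include" {print $2}' "$conf" | while IFS= read -r inc; do
        f=$(resolve_include "$inc" "$rule_path" "$confdir")
        [ -r "$f" ] || printf '%s\n' "$f"
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing or unreadable rules file: /'
        return 1
    fi
    return 0
}
```

When the includes resolve, snort's own test mode (snort -T -c <configuration file>) parses every rule and reports syntax errors without starting the sensor, which is quicker than reading /var/log/messages after a failed service restart.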