
Intrusion Detection: Snort (IDS), OSSEC (HbIDS) And Prelude (HIDS) On Ubuntu Gutsy Gibbon Page 2

Everybody knows the problem: you have one or more IDS tools installed and every tool has its own interface. Prelude lets you log all of the events to the Prelude database and consult them through a single interface (Prewikka). This howto describes how to install and configure the different tools that make up the complete solution.

Install Prewikka

Prewikka is the graphical frontend to Prelude, using a web server.


Installation

Prewikka requires two databases: one to read the Prelude alerts from (the one configured before), and one to store its own data (prewikka). Currently the Ubuntu package only creates the prewikka database and does not configure access to the Prelude alerts, so that part has to be done manually.


Install Prewikka

apt-get install prewikka

The package will install the required dependencies (python, for example) and will ask for the database configuration. As for Prelude, we choose to use dbconfig-common, give the administrator password and press enter for the DB password to let dbconfig-common generate one for us.


Configure Prelude-Manager Access

Get the password from the prelude-manager configuration file /etc/prelude-manager/prelude-manager.conf and put it in the prewikka configuration file /etc/prewikka/prewikka.conf:

vi /etc/prewikka/prewikka.conf

[idmef_database]
type: mysql
host: localhost
user: prelude
pass: **********
name: prelude

The [database] section is automatically configured by dbconfig-common, so do not modify it.


Web Server Configuration:

The configuration is explained in file /usr/share/doc/prewikka/README.Debian. You can choose between 3 configurations:

  • Apache / CGI setup with VirtualHost
  • Apache / mod_python setup with VirtualHost
  • Prewikka from the command line tool

As an example I’ll use the mod_python setup.

apt-get install libapache2-mod-python

Add a VirtualHost to your apache configuration with the following content:

NameVirtualHost *
<VirtualHost *>
    ServerAdmin admin@domain.com

    <Location />
        SetHandler mod_python
        PythonHandler prewikka.ModPythonHandler
        PythonOption PrewikkaConfig /etc/prewikka/prewikka.conf
    </Location>

    <Location /prewikka>
        SetHandler None
    </Location>

    Alias /prewikka /usr/share/prewikka/htdocs
    Alias /htdocs /usr/share/prewikka/htdocs
</VirtualHost>

Restart your apache webserver and you can log in to the prewikka interface.

Note: you can of course always use a setting for apache like:

NameVirtualHost xxx.xxx.xxx.xxx:80
<VirtualHost prewikka.yourdomain.tld:80>

This is useful when you have other services running on your apache server.


Part 2: Installing And Configuring Snort

I will not write the complete howto for this since there is already a howto for snort: Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon) (Updated).

I’ll describe here the steps necessary to have snort logging to prelude. In this setup you also don’t need to install a mysql database and the base web interface, since snort will log to prelude and you can use the prewikka interface to see the snort alerts.

Follow all of the steps described in the howto above and replace the entry below with the new one:

Replace 

./configure --enable-dynamicplugin --with-mysql
make
make install

With

./configure --enable-dynamicplugin --enable-prelude
make
make install

Instead of doing:

Scroll down the list to the section with “# output database: log, mysql, user=”, remove the “#” from in front of this line.
Change the “user=root” to “user=snort”, change the “password=password” to “password=snort_password”, “dbname=snort”.
Make note of the username, password, and dbname. You will need this information when we set up the Mysql db.
Save and quit.

Do:

Scroll down the list to the section with “# output alert_prelude: profile=snort”, remove the “#” in front of this line and that’s it.

From step 5 on (5. Set up the Mysql database.) everything can be skipped.

Now we have to register the snort agent to the prelude manager:

prelude-adduser register snort "idmef:w" <manager address> --uid snort --gid snort

On the prelude manager server:

prelude-adduser registration-server prelude-manager

This will register the snort agent to the prelude manager, as you did above for the prelude-lml.

Once the registration process is complete run:

snort -c /etc/snort/snort.conf

If everything goes right then you will see:

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
- Connecting to 127.0.0.1:4690 prelude Manager server.
- TLS authentication succeed with Prelude Manager.

The entry eth0 depends on the ethernet adapter you specified. What matters is that you see snort connecting to the prelude manager server and that TLS authentication was successful.

If the agent is connecting, and you see snort in the agent list of prewikka, then you can stop the process with ctrl-c and issue:

snort -c /etc/snort/snort.conf -D

to start snort as a daemon. You can always add -i ethX to the line above if you don’t want to listen on all network interfaces but on one specific interface.
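The two hand-done steps above (copying the manager password into prewikka.conf, and checking that snort.conf has alert_prelude enabled and that snort actually reached the manager) are easy to get subtly wrong. The script below is an added example, not part of this howto or of the Prelude/Snort projects: it checks all three against constructed sample files, and assumes the INI-style "[db] / pass = ..." layout for prelude-manager.conf and the "[idmef_database] / pass: ..." layout shown above for prewikka.conf.

```shell
#!/bin/sh
# Added example (not from the howto): sanity checks for the prewikka
# password step and the snort -> prelude-manager step. The files written
# below are constructed samples; the real ones are
# /etc/prelude-manager/prelude-manager.conf, /etc/prewikka/prewikka.conf
# and /etc/snort/snort.conf.

# Print the value of KEY inside [SECTION] of an INI-style file
# (assumes "key = value" or "key: value" lines, as in the two configs).
section_value() {  # file section key
    awk -v s="[$2]" -v k="$3" '
        $0 == s { insec = 1; next }
        /^\[/   { insec = 0 }
        insec && $0 ~ ("^[ \t]*" k "[ \t]*[:=]") {
            sub(/^[^:=]*[:=][ \t]*/, ""); print; exit
        }' "$1"
}

# 0 if prewikka's [idmef_database] password equals the one in
# prelude-manager's [db] block (assumed section and key names).
prewikka_password_matches() {  # manager_conf prewikka_conf
    m=$(section_value "$1" db pass)
    p=$(section_value "$2" idmef_database pass)
    [ -n "$m" ] && [ "$m" = "$p" ]
}

# 0 if snort.conf has an active (uncommented) alert_prelude output line.
snort_prelude_output_enabled() {
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_prelude:' "$1"
}

# 0 if snort's startup output contains both lines the howto says to look
# for: the manager connection and the successful TLS authentication.
snort_connected_to_manager() {
    grep -q 'prelude Manager server' "$1" &&
    grep -q 'TLS authentication succeed with Prelude Manager' "$1"
}

# Constructed sample files standing in for the real configuration and log.
tmp=$(mktemp -d)
printf '[db]\ntype = mysql\npass = sample_pw\n' > "$tmp/manager.conf"
printf '[idmef_database]\ntype: mysql\npass: sample_pw\n' > "$tmp/prewikka.conf"
printf 'output alert_prelude: profile=snort\n' > "$tmp/snort.conf"
printf '# output alert_prelude: profile=snort\n' > "$tmp/snort-off.conf"
printf '%s\n' '- Connecting to 127.0.0.1:4690 prelude Manager server.' \
    '- TLS authentication succeed with Prelude Manager.' > "$tmp/snort.log"

prewikka_password_matches "$tmp/manager.conf" "$tmp/prewikka.conf" && echo "prewikka password ok"
snort_prelude_output_enabled "$tmp/snort.conf" && echo "alert_prelude output enabled"
snort_connected_to_manager "$tmp/snort.log" && echo "snort reached the manager over TLS"
```

Point the three functions at the real files (or at `snort -c /etc/snort/snort.conf 2>&1 | tee` output) to run the same checks on a live box.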
