#1
23rd February 2008, 12:58
chillifire
Cannot connect snort with prelude manager - libprelude file 'missing'

Dear All,

I could get through 'Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon) (Updated)' without problem but tried my hand at 'Intrusion Detection: Snort (IDS), OSSEC (HbIDS) And Prelude (HIDS) On Ubuntu Gutsy Gibbon' and cannot get snort to hook up with prelude.

When I start snort with snort -c /etc/snort/snort.conf snort aborts and I get the following error:
Code:
ERROR: unknown output plugin: 'alert_prelude'Fatal Error, Quitting..
I check the configuration output of
Code:
./configure -enable-dynamic-plugin -enable-prelude
and I see the following:
Code:
[..]
checking for libprelude-config... no
checking for libprelude - version >= 0.9.6... no
*** The libprelude-config script installed by LIBPRELUDE could not be found
*** If LIBPRELUDE was installed in PREFIX, make sure PREFIX/bin is in
*** your path, or set the LIBPRELUDE_CONFIG environment variable to the
*** full path to libprelude-config.
[..]
Now that is positively weird, as I have successfully installed prelude-manager and prelude-lml on my Ubuntu 7.10 server and even succeeded connecting the manager with the agent. The version of the manager in the Ubuntu package is .9.8, the version of the agent is .9.10 so there should be no problem, one would have thought.

BTW, a search on libprelude-config with $ find -name "libprelude-config" gave no result.

Where should these libprelude files live? How can I see their version? How can I ensure snort knows where they are?

Any input is appreciated.

Thanks

chillifire



PS: The script 'Intrusion Detection: Snort (IDS), OSSEC (HbIDS) And Prelude (HIDS) On Ubuntu Gutsy Gibbon' has some typos:
It says
Code:
./configure -enable-dynamicplugin --eanble-prelude
I am sure it should be enable not eanble, but what about the hyphens? Why has one parameter two (--), the other one hyphen (-)? One would think only one is correct? Can someone confirm please?

Also, it says further in the script:
Quote:
Scroll down the list to the section with "# output alert_prelude: profile=snort", remove the "#" in front of this line and that's it.
Well, that line does not exist. There are only the lines:
[..]
# output alert_prelude
# output alert_prelude: profile=snort-profile-name
[..]
So should it be 'output alert_prelude', 'output alert_prelude: profile=snort-profile-name' or 'output alert_prelude: profile=snort'?

These things may not cause anything, as I have tried various combinations in several reinstalls and always come to the same error as shown above.

Last edited by chillifire; 23rd February 2008 at 13:22.
#2
23rd February 2008, 13:21
chillifire
Update - but no solution yet

Hi,
I had a look at the Ubuntu website and found two packages 'libprelude-dev' and 'libpreludedb-dev' which installed the respective libraries .9.12 for the prelude-manager and .9.14 for the prelude-lml. Now the error reported under the
Code:
 ./configure -enable-dynamic-plugin -enable-prelude
command does not occur anymore. But still, I get the same error when starting snort with
Code:
snort -c /etc/snort/snort.conf
it aborts with
Code:
ERROR: unknown output plugin: 'alert_prelude'Fatal Error, Quitting..
Any hints/input?

chillifire
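
Added example, not part of the original posts or of the HowTo: Snort prints `unknown output plugin: 'alert_prelude'` when the binary being run was built without the Prelude output plugin, so a preflight has three things to check: whether configure detected libprelude, whether snort.conf has an active `output alert_prelude` line, and whether the snort binary is linked against libprelude. The sample inputs and the path in the "found" transcript are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for alert_prelude.

# Constructed sample: configure transcript as shown in post #1.
CONFIGURE_LOG_MISSING='checking for libprelude-config... no
checking for libprelude - version >= 0.9.6... no'
# Constructed sample: a successful detection (the path is an assumption).
CONFIGURE_LOG_FOUND='checking for libprelude-config... /usr/bin/libprelude-config
checking for libprelude - version >= 0.9.6... yes'
# Constructed sample: snort.conf fragment with one line uncommented.
SNORT_CONF='# output alert_prelude
output alert_prelude: profile=snort
# output alert_prelude: profile=snort-profile-name'

# Succeeds only if configure's libprelude version check ended in "yes".
configure_found_prelude() {
    printf '%s\n' "$1" |
        grep -Eq '^checking for libprelude - version .*\.\.\. yes$'
}

# Prints the profile of the first active (uncommented) alert_prelude line,
# prints nothing if that line has no profile, fails if no line is active.
active_prelude_profile() {
    line=$(printf '%s\n' "$1" |
        grep -E '^[[:space:]]*output[[:space:]]+alert_prelude' | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | sed -n 's/.*profile=\([^[:space:],]*\).*/\1/p'
}

# Succeeds if the given binary is dynamically linked against libprelude.
binary_links_prelude() {
    ldd "$1" 2>/dev/null | grep -q 'libprelude'
}

# $1 = configure transcript, $2 = snort.conf text, $3 = path to snort binary.
# Return code names the first failing stage: 1 build, 2 config, 3 binary.
preflight() {
    configure_found_prelude "$1" ||
        { echo "configure: libprelude not detected"; return 1; }
    active_prelude_profile "$2" >/dev/null ||
        { echo "snort.conf: no active alert_prelude line"; return 2; }
    binary_links_prelude "$3" ||
        { echo "binary: $3 is not linked against libprelude"; return 3; }
    echo "ok"
}

# Demo on the transcript from post #1; the binary path is a placeholder.
preflight "$CONFIGURE_LOG_MISSING" "$SNORT_CONF" /path/to/snort || true
```

A result of 3 with a clean configure run means the snort found on the PATH is not the one that was just built, or the build was not reinstalled after libprelude-dev was added.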
#3
23rd February 2008, 23:06
chillifire
Resolved: Installed package rather than from source - all fine

Hi,
as the message says, I gave up installing from source and installed the packages snort snort-common snort-common-libraries snort-rules-default coming with Ubuntu. The configuration of /etc/snort/snort.conf of course still applies. All works like a charm now.

Granted, this only gives you one release back (2.7.0 vs 2.8.0.1 from source) but what counts more with this are the rules. The ruleset coming with the package is from October last year. So I registered with snort (no subscription required), downloaded the newest ruleset for registered users (22 Jan this year) and installed as per the HowTo.

So 'source schmource' is all I can say. IMHO, stick with packages for Ubuntu/Debian whenever you can.

Although in the end 'I helped myself', I trust this is going to be a valuable hint for anyone else who tries.

Cheers

chillifire
#4
24th February 2008, 08:01
topdog

Can you not download the Ubuntu source debs and then upgrade them instead? The build system should take care of all the dependencies.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#5
24th February 2008, 09:59
chillifire
limitations of upgrade

Hi topdog,

apt-get upgrade will not install a newer version of the source just because 'it is there'. All the Debian/Ubuntu package installer will install for you is the version someone has cared to, well, pack into a package. It appears that about the time of 2.7.0 was the last time someone bothered, so that's the best version you can get in a package install versus source. So if you want the latest version right now, you will have to go to source.
Obviously eventually someone will assemble a package with a newer version.
But in the end, I prefer a package that works, even if 6 months outdated, to a source that doesn't on my distro.
#6
24th February 2008, 13:33
topdog

What I mean is this:
Code:
apt-get source <package name>
That will install the source and patches that were used to create the Ubuntu package. You can then modify the build instructions and get your newer pristine source package in, then build using the same build instructions to build a new .deb package, which is a newer version since it will use your newer pristine source.
#7
24th February 2008, 19:35
chillifire

Interesting. Sounds a bit like 'build your own package on the fly'.
Was tempted to try this and I can see the command loads all the sources into /src. Given my lack of building experience, I do not know where to look for the package build instructions though - or even what I am looking for. Any advice?
#8
25th February 2008, 17:49
falko

Chapter 3 on http://www.howtoforge.com/virtual-us...ix-ubuntu-7.10 shows how to build a .deb from a source package (Postfix in this example). You can adjust it to your needs.
__________________
Falko
#9
23rd September 2009, 21:44
linux_padawan
installing snort with Ubuntu packages

Quote:
Originally Posted by chillifire
Hi,
as the message says, I gave up installing from source and installed the packages snort snort-common snort-common-libraries snort-rules-default coming with Ubuntu. The configuration of /etc/snort/snort.conf of course still applies. All works like a charm now.

Granted, this only gives you one release back (2.7.0 vs 2.8.0.1 from source) but what counts more with this are the rules. The ruleset coming with the package is from October last year. So I registered with snort (no subscription required), downloaded the newest ruleset for registered users (22 Jan this year) and installed as per the HowTo.

So 'source schmource' is all I can say. IMHO, stick with packages for Ubuntu/Debian whenever you can.

Although in the end 'I helped myself', I trust this is going to be a valuable hint for anyone else who tries.

Cheers

chillifire
I have done all this and still I get: ERROR: unknown output plugin: 'alert_prelude'Fatal Error, Quitting

When installing the common snort files did you see anything added that was different from installing from source?
#10
29th September 2009, 16:25
linux_padawan
OSSEC agents

The how to explains how to get the agent on the local server to work but not how to register agents from other boxes. I had to reinstall ossec on the server to and pick server configurations and now I can register agents from other boxes to the server. But all alerts are sent to the logs of the prelude server so I don't see any additional agents on the prewikka console. I would like to setup ossec on each box and have the ossec sensor be viewed on the prewikka console as a separate agent.

Has anybody had the same problem or know a solution to this...