Intrusion Detection: Snort (IDS), OSSEC (HbIDS) And Prelude (HIDS) On Ubuntu Gutsy Gibbon
Everybody knows the problem: you have one or more IDS tools installed and every tool has its own interface.
Prelude lets you log all of the events to the Prelude database and consult them through one interface (prewikka). This howto describes how to install and configure the different tools that make up the complete solution.
This howto is based on bits and scraps I found in order to resolve some issues, parts from the manuals and my own experience with installing the complete solution.
For more information on snort visit: www.snort.org
For more information on ossec visit: www.ossec.net
For more information on prelude visit: www.prelude-ids.org
Prerequisites:
Let's just assume you followed The Perfect Server - Ubuntu Gutsy Gibbon (Ubuntu 7.10). If not, follow that howto and only install / add those parts you haven't got installed on your system.
The following packages are useful, so please check that they are installed correctly:
apt-get install ntpdate
apt-get install dbconfig-common
Installing And Configuring Prelude
Normally, we would have to compile and install libprelude and libpreludedb, and then create the databases. Luckily, the packages are provided by the Ubuntu repositories.
Prelude Manager
apt-get install prelude-manager
- Using default TLS settings from /etc/prelude/default/tls.conf:
- Generated key size: 1024 bits.
- Authority certificate lifetime: unlimited.
- Generated certificate lifetime: unlimited.
- Creating analyzer prelude-manager.
- Creating /etc/prelude/profile/prelude-manager...
- Allocated ident for prelude-manager: 4232957740008155.
- Generating RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process.]
- Generating 1024 bits RSA private key...
During the installation, the manager will create the profile for the prelude user. It can take a (very) long time, since GnuTLS reads from /dev/random instead of /dev/urandom (for security reasons). This may change in the future (maybe using an option to have a faster generation that is cryptographically less secure).
dbconfig will then ask you if you want it to configure the database automatically. If you don't want to, just say no, and configure everything manually (the sql scripts are in directory /usr/share/libpreludedb/). Let's suppose the answer is yes.
Note: the number of questions may change, depending on debconf verbosity (set using dpkg-reconfigure debconf), and dbconfig parameters, in file /etc/dbconfig-common/config.
configure database with dbconfig-common: yes
database type:
Set the type to the database you previously installed. In this case mysql.
Database admin password: ******
dbconfig-common will ask for a password for the 'prelude' user. If you don't provide any (just pressing enter), it will generate a random one. Don't worry, the configuration file will be updated automatically.
dbconfig-common: writing config to /etc/dbconfig-common/prelude-manager.conf
Creating config file /etc/dbconfig-common/prelude-manager.conf with new version
granting access to database prelude for prelude@localhost: success.
verifying access for prelude@localhost: success.
creating database prelude: success.
verifying database prelude exists: success.
populating database via sql... done.
dbconfig-common: flushing administrative password
Starting Prelude Manager: prelude-manager.
The Ubuntu package automatically creates the user and the database for prelude. If you want to change the password, change it first in MySQL and then in /etc/prelude-manager/prelude-manager.conf.
Prelude-Manager should now be running:
ps auxw | grep manager
prelude 28530 0.0 0.1 59384 4480 ? Ssl 13:49 0:00 /usr/sbin/prelude-manager
The first part is over, you now have a manager up and running.
Listen address:
The default listen address is localhost (127.0.0.1). If you want to add sensors on other hosts, you have to change this so that the agents can reach prelude-manager.
Edit /etc/prelude-manager/prelude-manager.conf:
listen = xxx.xxx.xxx.xxx
Restart the server, and check the address (if you changed the address):
# /etc/init.d/prelude-manager stop
Stopping Prelude Manager: prelude-manager.
# /etc/init.d/prelude-manager start
Starting Prelude Manager: prelude-manager.
# netstat -pantu | grep prelude
tcp 0 0 192.168.66.1:4690 0.0.0.0:* LISTEN 30544/prelude-manager
Prelude-LML
You need to install prelude-lml on every host you want to monitor. Prelude-LML analyzes your logs and reports events to the manager.
# apt-get install prelude-lml
...
Starting Prelude LML: prelude-lml.
Before it can be used, two things need to be done:
- The address of the manager must be configured on the lml
- The manager won't trust sensors, until they are registered
Manager address
If you changed the address the manager is listening on, you need to change the address in the client config on every machine where you install prelude-lml.
The address of the manager is stored in the file /etc/prelude/default/client.conf:
[prelude]
server-addr = 127.0.0.1
Registering the sensor
Registering the sensor is a four-step process, which requires running commands on both the sensor and the manager:
On the LML client, run the register command:
prelude-adduser register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0
Tip: if you don't remember the command, just run prelude-lml. Since it is not registered, it will fail, but it is smart enough to display the help:
# prelude-lml
- Subscribing plugin pcre[default]
- pcre plugin loaded 394 rules.
- Monitoring /var/log/messages through pcre[default]
* WARNING: /var/log/everything/current does not exist.
prelude-client: error starting prelude-client: could not open '/etc/prelude/profile/prelude-lml/analyzerid' for reading
Profile 'prelude-lml' does not exist. In order to create it, please run:
prelude-adduser register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0.
LML must be registered with uid and gid 0, since the process is executed as root (to be able to analyze the logs).
LML will then ask for the One-Time Password (OTP), which is provided by the manager:
Enter the one-shot password provided by the "prelude-adduser" program:
- enter registration one-shot password:
On the manager, run the following:
prelude-adduser registration-server prelude-manager
...
- Starting registration server.
- generated one-shot password is "dummypass".
...
Enter the password to the LML prompt:
- enter registration one-shot password:
- confirm registration one-shot password:
- connecting to registration server (127.0.0.1:5553)...
- Anonymous authentication to registration-server successful.
- Sending certificate request.
The LML is now waiting for the Manager to sign the certificate.
On the manager, validate the certificate signing request:
- Anonymous authentication one-shot password check successful.
- Waiting for client certificate request.
- Analyzer with ID="3559090256170900" ask for registration with permission="idmef:w".
Approve registration [y/n]: y
The certificate is generated and sent to the client:
- Registering analyzer "3559090256170900" with permission "idmef:w".
- Generating signed certificate for client.
- Sending server certificate to client.
- ::ffff:127.0.0.1:47054 successfully registered.
On the client you will see:
LML registration is successful
- Receiving signed certificate.
- Receiving CA certificate.
- prelude-lml registration to 127.0.0.1 successful.
Now, the manager and the sensor have a trust relationship, and can send messages to each other.
This process takes some time, but it increases security, and the communication between the sensor and the manager is encrypted. Finally, the LML sensor should be up too:
/etc/init.d/prelude-lml start
Starting Prelude LML: prelude-lml.
ps auxw | grep lml
root 1946 0.3 0.0 20856 3424 ? Ss 14:35 0:00 /usr/bin/prelude-lml -d -q -P /var/run/prelude-lml.pid
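As an added example (not part of the original howto), here is a small POSIX shell check that ties the steps above together: it reads server-addr from the sensor's client.conf and listen from prelude-manager.conf, verifies they agree, confirms from saved netstat output that the manager actually listens on that address and the default port 4690 shown above, and reports whether the sensor profile has been registered (analyzerid present). File paths are passed as arguments so it can be run against copies of the configs; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original howto. Reads the settings this howto
# edits and checks that a sensor will be able to reach its manager.

# Print the server-addr found in the [prelude] section of client.conf.
client_server_addr() {  # $1 = client.conf
    awk '/^\[/ { in_sec = ($0 == "[prelude]") }
         in_sec && /^[ \t]*server-addr[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Print the (uncommented) listen address from prelude-manager.conf.
manager_listen_addr() {  # $1 = prelude-manager.conf
    awk '/^[ \t]*listen[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Print 1 if netstat-style lines on stdin ("netstat -pantu | grep prelude")
# show a TCP LISTEN socket on addr:port, else 0.
manager_is_listening() {  # $1 = addr, $2 = port
    awk -v want="$1:$2" \
        '$1 == "tcp" && $4 == want && $6 == "LISTEN" { found = 1 }
         END { print found + 0 }'
}

# Print 1 if the sensor profile has been registered (analyzerid is written
# by prelude-adduser register), else 0.
sensor_registered() {  # $1 = profile dir, e.g. /etc/prelude/profile/prelude-lml
    [ -s "$1/analyzerid" ] && echo 1 || echo 0
}

# Combined check: sensor address must equal the manager's listen address,
# and the manager must be listening there on 4690. Prints "ok" or a reason.
check_pair() {  # $1 = client.conf, $2 = prelude-manager.conf, $3 = netstat output
    cp_client=$(client_server_addr "$1")
    cp_listen=$(manager_listen_addr "$2")
    [ "$cp_client" = "$cp_listen" ] || {
        echo "mismatch: sensor uses $cp_client, manager listens on $cp_listen"
        return 1
    }
    [ "$(manager_is_listening "$cp_listen" 4690 < "$3")" = 1 ] || {
        echo "manager not listening on $cp_listen:4690"
        return 1
    }
    echo ok
}
```

The mismatch case is the one this howto warns about: the manager's listen address was changed but client.conf on the sensor still points at 127.0.0.1.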
This concludes the first part.