Intrusion Detection: Snort (IDS), OSSEC (HbIDS) And Prelude (HIDS) On Ubuntu Gutsy Gibbon - Page 2
Prewikka is the graphical frontend to Prelude, using a web server.
Prewikka requires two databases: one to get the Prelude alerts (which is the same as configured before), and one to store its own data (prewikka). Actually, the Ubuntu packages does only create the prewikka database, and does not configure access to Prelude alerts, so alert installation needs to be done manually.
apt-get install prewikka
The package will install required dependencies (python, for ex), and will ask for the database configuration. As for Prelude, we choose to use dbconfig-common, give the administrator password and press enter for the DB password to let dbconfig-common generate one for us.
Configure Prelude-Manager Access
Get the password from prelude-manager configuration file /etc/prelude-manager/prelude-manager.conf and edit prewikka configuration file /etc/prewikka/prewikka.conf:
[idmef_database] type: mysql host: localhost user: prelude pass: ********** name: prelude
The [database] section is automatically configured by dbconfig-common, so do not modify it.
Web Server Configuration:
The configuration is explained in file /usr/share/doc/prewikka/README.Debian. You can choose between 3 configurations:
- Apache / CGI setup with VirtualHost
- Apache / mod_python setup with VirtualHost
- Prewikka from the command line tool
As an example I'll use the mod_python setup.
apt-get install libapache2-mod-python
Add a VirtualServer to your apache configuration with the following content:
ServerAdmin [email protected]domain.com
PythonOption PrewikkaConfig /etc/prewikka/prewikka.conf
Alias /prewikka /usr/share/prewikka/htdocs
Alias /htdocs /usr/share/prewikka/htdocs
Restart you apache webserver and you can login to the prewikka interface.
Note: you can of course always us a setting for apache like:
NameVirtualHost xxx.xxx.xxx.xxx:80 <VirtualHost prewikka.yourdomain.tld:80>
This is usefull when you have other services running on your apache server.
Part 2: Installing And Configuring Snort
I will not write the complete howto for this since there is a hwto for snort: Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon) (Updated).
I'll describe here the steps necessary to have snort logging to prelude. In this setup you also don't need to install a mysql database and the base webinterface since snort will log to prelude and you can use the prewikka interface to see the snort alerts.
Follow all of the steps described in the howto above and replace the entry below with the new one:
./configure -enable-dynamicplugin --with-mysql
./configure -enable-dynamicplugin --eanble-prelude
Instead of doing:
Scroll down the list to the section with "# output database: log, mysql, user=", remove the "#" from in front of this line.
Change the "user=root" to "user=snort", change the "password=password" to "password=snort_password", "dbname=snort"
Make note of the username, password, and dbname. You will need this information when we set up the Mysql db.
Save and quit.
Scroll down the list to the section with "# output alert_prelude: profile=snort", remove the "#é in front of this line and that's it.
From step 5 on (5. Set up the Mysql database.) everything can be skipped.
Now we have to register the snort agent to the prelude manager:
prelude-adduser register snort "idmef:w" <manager address> --uid snort --gid snort
On the prelude manager server:
prelude-adduser registration-server prelude-manager
This will register the snort agent to the prelude manager, as you did above for the prelude-lml.
Once the registration process is complete run:
snort -c /etc/snort/snort.conf
If everything goes right than you will see:
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
- Connecting to 127.0.0.1:4690 prelude Manager server.
- TLS authentication succeed with Prelude Manager.
The entry eth0 depends on the ethernet adapter you specified. Important is that you see that snort is connecting to the prelude manager server and tls authentication was successfull.
If the agent is connecting, and you see snort in the agent list of prewikka than you can stop the process with ctrl-c and issue:
snort -c /snort/snort.conf -D
to start snort as a daemon. In the line above you can always add -i ethX if you don't listen on all network interfaces and want to specify a specific interface.