OpenSourceSoftware, Security, Ubuntu

Ubuntu Gutsy with Prelude, Prelude-manager, Prelude-lml, Prewikka and Snort.

It has been a while since I have played with IDS, but I have always been interested in Linux and security, so besides writing a logcleaner (as a proof of concept to myself that it is funky hard to see if anyone messes with your logfiles, even utmp and wtmp) this week, I also wanted to test the Prelude-snort installation in Gutsy. All the installation is done on one server.

It started with a friend saying that you can never be 100% sure that your system is not cracked… To be honest, paranoid as one should be, you should always consider your system hacked! And that whatever you do – you can't find me 😛 I 0wn you!

Back to business.. I believe this should do it:
aptitude install snort libprelude2 prelude-manager python-preludedb libpreludedb-dev libprelude-perl libpreludedb-perl prelude-lml munin munin-node mysql-server prewikka
(I feel handicapped without munin, so for me it's a must)

The installation of prelude-manager will ask you for database info. You will have to add this info to the prewikka config under [idmef_database]. The installation of prewikka will ask you for database info too, so it's pretty much straightforward. In the snort config you need to add something like: output alert_prelude: profile=snort

Then you need to add the sensors to the prelude-manager. First we add prelude-lml:

Open two consoles, and in console one do:
# prelude-adduser registration-server prelude-manager
Then in console two do:
# prelude-adduser register prelude-lml "idmef:w admin:r" localhost
(then follow the instructions given…)

And then for snort in console one:
# prelude-adduser registration-server prelude-manager
And for console two:
# prelude-adduser register snort "idmef:w" localhost --uid 0 --gid 0
(I used uid and gid for the snort user, which depends on your installation.)

I started # prewikka-httpd &
And then I browsed http://my-gutsy:8000/. Default user/passwd is admin.

Configure prelude-lml (look into the config file..) to include /var/log/auth.log
Then ssh to your-gutsy-installation and use a wrong passwd. It should show up in prewikka alerts.
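
To show the kind of matching a log sensor does on /var/log/auth.log before a failed login can appear as an alert, here is an added example. It is not from the original post and is not prelude-lml's own ruleset or code. The regex, the alert field names and the sample log lines are constructed for illustration, and the regex assumes the standard OpenSSH syslog message format.

```python
import re
from collections import Counter

# Constructed sample lines in the standard OpenSSH syslog format (not real logs).
SAMPLE_AUTH_LOG = """\
Nov  3 21:14:05 my-gutsy sshd[4321]: Accepted password for alice from 192.0.2.7 port 51200 ssh2
Nov  3 21:14:07 my-gutsy sshd[4322]: Failed password for root from 192.0.2.10 port 51234 ssh2
Nov  3 21:14:09 my-gutsy sshd[4322]: Failed password for invalid user bob from 192.0.2.10 port 51234 ssh2
Nov  3 21:14:11 my-gutsy CRON[4400]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov  3 21:15:30 my-gutsy sshd[4390]: Failed password for alice from 198.51.100.4 port 40022 ssh2
"""

# Syslog header followed by the sshd failed-password message.
FAILED_PW = re.compile(
    r"^(?P<time>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_alerts(log_text):
    """Return one alert dict per failed SSH password line; ignore everything else."""
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_PW.match(line)
        if not m:
            continue
        alerts.append({
            # Hypothetical, simplified field names (not Prelude's IDMEF paths).
            "classification": "SSH failed password",
            "time": m["time"],
            "target_host": m["host"],
            "target_user": m["user"],
            "invalid_user": m["invalid"] is not None,  # account unknown to sshd
            "source_address": m["src"],
            "source_port": int(m["port"]),
        })
    return alerts

def sources_over_threshold(alerts, threshold=2):
    """Source addresses with at least `threshold` failures (simple correlation)."""
    counts = Counter(a["source_address"] for a in alerts)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_AUTH_LOG)
    for alert in found:
        print(alert)
    print("repeat offenders:", sources_over_threshold(found))
```

The "invalid user" marker is worth keeping as its own field: failures against accounts that do not exist usually point to guessing, while failures against real accounts may just be typos.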

Port scan your-gutsy-installation, and hopefully it shows up in prewikka alerts.

The next step is to read more about prelude, and I recommend :
The handbook is a bit newer than the gutsy versions I believe. prelude-admin (in the docs) is prelude-adduser in gutsy.
Then you should read about snort:

After that, you can add lots of other cool sensors and get really paranoid!
Do you see me now? Or are your servers still cracked 😛

