
Prelude FAQ

Here you can find answers to some of the most frequently asked questions about Prelude. If you have a question not answered on this page, you can ask it on the Mailing Lists or in the IrcChannel.



Basics

What is Prelude?

Prelude is a Universal "Security Information Management" (SIM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".

As well as being able to collect any type of log (system logs, syslog, flat files, etc.), Prelude has native support for a number of systems dedicated to enriching the information even further (Snort, Samhain, OSSEC, auditd, etc.).

Security events are normalized into a single format, the "Intrusion Detection Message Exchange Format" (IDMEF), an international standard created on the initiative of the IETF with the participation of the Prelude teams, to enable interoperability between the various security tools currently available on the market.

Prelude permits alert collection at WAN scale, whether its scope covers a city, a country, a continent or the world.

Who is Prelude?

You can find all the contributors to Prelude on the Prelude Community Page.

How do I get Prelude?

You can download Prelude on the Prelude Download Page.

How do I get help with Prelude?

Ask your question on the Mailing Lists or in the IrcChannel.

About Prelude

What is the current front-end for Prelude?

Prewikka is the official front-end, written in Python.

To learn more about Prewikka read the Prewikka Manual.

What are the differences between Prelude and Snort?

Snort is a Network Intrusion Detection System (NIDS). Prelude is a Security Information Management (SIM) system. Snort is part of the Prelude suite.

We believe that while it is easy for a malicious user to evade detection by a single IDS (NIDS, HIDS, etc.), it becomes exponentially more difficult to get around the defences when there are multiple protection mechanisms.

Prelude comes with a large set of sensors, each of them monitoring different kinds of events.

To learn more about Prelude compatibility, see the Prelude Compatibility Page.

Prelude Components

What is Prelude-Manager?

Prelude-Manager is a high availability server.

Read the Prelude-Manager description on the Prelude Components page.

What is Libprelude?

Libprelude is the Prelude library.

Read the Libprelude description on the Prelude Components page.

What is LibpreludeDB?

LibpreludeDB is the Prelude DataBase library.

Read the LibpreludeDB description on the Prelude Components page.

What is Prelude-LML?

Prelude-LML is a log analyser.

Read the Prelude-LML description on the Prelude Components page.

What is Prelude-Correlator?

Prelude-Correlator is a rule-based correlation engine.

Read the Prelude-Correlator description on the Prelude Components page.

What is Prewikka?

Prewikka is the official Prelude web Graphical User Interface (GUI).

Read the Prewikka description on the Prelude Components page.

Read the Prewikka Manual

What is Prelude-PFLogger?

Read the Prelude-PFLogger description on the Prelude Components page.

What is Prelude-NIDS?

Prelude-NIDS was the Prelude Network Intrusion Detection System and has been deprecated. You should use Snort instead.

Installation Help

Can I run the Prelude suite on other Unices?

Prelude programs have successfully been tested on a wide range of architectures, such as, but not limited to: AIX, Tru64, Digital Unix, Mac OS X, Linux, FreeBSD, NetBSD, OpenBSD. If you encounter any problem, please contact us and report it.

Through which port do sensors communicate with the manager?

IANA assigned port 4690 for Prelude-IDS sensor-to-manager communication (see http://www.iana.org/assignments/port-numbers). Prior to this assignment, Prelude used port 5554.

Agents registration

Generating certificates can take hours!

Your system is lacking entropy. GnuTLS uses the system random generator to gather random data for certificate generation, and on some systems the generation of random data can be very slow (a few bytes per second).

See the Entropy Page for a possible solution on Linux.

Getting the "TLS server certificate is NOT trusted" error

You most probably used the sensor analyzer profile instead of the receiving analyzer profile on the registration-server command line. Typical case: when you register a sensor, don't register it to the sensor itself, i.e. not:

sudo prelude-admin register NAME ...
sudo prelude-admin registration-server NAME

but register it to your prelude-manager, for example:

sudo prelude-admin register NAME ...
sudo prelude-admin registration-server prelude-manager

How can I validate an IDMEF message?

First run Prelude-Manager with XMLmod and activate the DTD validation option. Then generate an exhaustive list of the alerts supported by the sensor and correct any error. Open a bug on the ticket system and ask for a review of the alerts dumped by the debug plugin.

See also: http://thread.gmane.org/gmane.comp.security.ids.prelude.user/1926/focus=1927
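The DTD validation above is done by Prelude-Manager itself. As an added example (not part of the FAQ or the Prelude code base), the following lightweight structural check catches the most common IDMEF Alert defects before a full DTD run: a missing Analyzer, CreateTime or Classification, or the required ntpstamp/text attributes. The sample message is constructed here.

```python
import xml.etree.ElementTree as ET

# IDMEF namespace and the child elements RFC 4765 requires in every Alert.
NS = "http://iana.org/idmef"
REQUIRED_ALERT_CHILDREN = ("Analyzer", "CreateTime", "Classification")


def q(name):
    """Qualify an element name with the IDMEF namespace."""
    return "{%s}%s" % (NS, name)


def check_alert(xml_text):
    """Return a list of structural problems found in an IDMEF-Message.
    An empty list means the message passed this (non-DTD) check."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q("IDMEF-Message"):
        return ["root element is %s, expected IDMEF-Message" % root.tag]
    alerts = root.findall(q("Alert"))
    if not alerts:
        problems.append("no Alert element")
    for alert in alerts:
        for child in REQUIRED_ALERT_CHILDREN:
            if alert.find(q(child)) is None:
                problems.append("Alert is missing %s" % child)
        ct = alert.find(q("CreateTime"))
        if ct is not None and not ct.get("ntpstamp"):
            problems.append("CreateTime lacks ntpstamp attribute")
        cl = alert.find(q("Classification"))
        if cl is not None and not cl.get("text"):
            problems.append("Classification lacks text attribute")
    return problems


# Constructed sample: a minimal well-formed Alert, and the same message
# with the mandatory Classification element removed.
GOOD = """<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0">
 <Alert messageid="1">
  <Analyzer analyzerid="lml-1" name="prelude-lml"/>
  <CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464Z</CreateTime>
  <Classification text="Login failed"/>
 </Alert>
</IDMEF-Message>"""
BAD = GOOD.replace('<Classification text="Login failed"/>', "")

if __name__ == "__main__":
    print("good:", check_alert(GOOD))   # []
    print("bad:", check_alert(BAD))     # ['Alert is missing Classification']
```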

Prelude-Manager

I have the error: "could not insert message into database: Query error: The table 'Prelude_Heartbeat' is full"

Some MySQL distributions come with a default InnoDB setting that limits the maximum table expansion. However, Prelude database tables can get very big, especially the tables storing alert AdditionalData such as NIDS attack payloads.

Edit your MySQL configuration file, and change the innodb_data_file_path settings from:

innodb_data_file_path = ibdata1:10M:autoextend:max:128M

(or similar) to:

innodb_data_file_path = ibdata1:10M:autoextend

This removes the table size limitation.

I have the error: "error verifying certificate: The peer did not send any certificate. TLS fatal alert from peer: Certificate is bad"

It looks like you ran prelude-admin registration-server with the wrong parameters. On the Prelude-Manager side you need to run:

prelude-admin registration-server prelude-manager

Libprelude

How do I enable debugging output for Libprelude, or Prelude programs?

You can set the LIBPRELUDE_DEBUG environment variable to the wanted debug level (the higher the more verbose).

$ export LIBPRELUDE_DEBUG=10

Prelude-LML

I get an error concerning auth.log when starting Prelude-LML?

This is due to some systems using authlog or secure for the same purpose. To remedy this issue, edit prelude-lml.conf to point to the correct auth log for your system.

I get an error "End from FAM server connection" after some time, and no more alerts are sent?

This is due to FAM. The best way to get Prelude-LML working correctly is to recompile prelude-lml without FAM (./configure --disable-fam). FAM only helps detect file modifications as they happen; without FAM, Prelude-LML polls the files for modifications every second.

Prelude-LML warns that it could not match a prefix against a log entry, or that there is no appropriate format defined for the log entry

This warning means that Prelude-LML was unable to find a matching format (defined in the Prelude-LML configuration file) for the input log.

The log entry will still be processed by the signature engine, but Prelude-LML won't have access to the following information:

  • The log entry timestamp (Bound to the DetectTime information of an IDMEF Alert).
  • The log entry hostname (Bound to the Target node information in an IDMEF Alert).
  • The log entry process (Bound to the Target process name in an IDMEF Alert).
  • The log entry pid (Bound to the Target process pid in an IDMEF Alert).

In order to fix this problem, you need to configure an appropriate format section in the configuration file that instructs Prelude-LML how to parse a given log format. Information concerning format configuration is available on the Prelude-LML page.
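To make the four fields concrete, here is an added example (not Prelude-LML code) that mimics a syslog format section: a prefix regex with named groups for timestamp, hostname, process and pid, and a time format without a year. The regex, the time format and the sample log lines are all constructed for this illustration; a line with no matching prefix yields None, which is the situation the warning above describes.

```python
import re
from datetime import datetime

# Constructed prefix pattern modelled on a classic syslog header such as
# "Mar  3 10:22:01 gateway sshd[4122]: ...". The named groups correspond to
# the four fields Prelude-LML binds into an IDMEF Alert.
SYSLOG_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ 0-9][0-9] \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?:(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?"
)
TIME_FORMAT = "%b %d %H:%M:%S"   # assumption: syslog timestamps carry no year


def parse_prefix(line, year=2024):
    """Split a raw log line into the fields that feed an IDMEF Alert:
    DetectTime, Target node, Target process name and pid, plus the rest of
    the message for the signature engine. Returns None when no format
    matches; the line would still be processed, but without these fields."""
    m = SYSLOG_PREFIX.match(line)
    if m is None:
        return None
    # Syslog timestamps have no year, so strptime yields 1900; patch it in.
    detect_time = datetime.strptime(m.group("timestamp"), TIME_FORMAT)
    return {
        "detect_time": detect_time.replace(year=year),
        "node": m.group("hostname"),
        "process": m.group("process"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": line[m.end():],
    }


# Constructed sample lines: a full syslog header with pid, a kernel line
# without pid, and an ISO-timestamped flat-file line with no known prefix.
SAMPLES = [
    "Mar  3 10:22:01 gateway sshd[4122]: Failed password for root from 192.0.2.10 port 51234 ssh2",
    "Mar  3 10:22:05 gateway kernel: eth0: link down",
    "2024-03-03T10:22:09Z gateway app: something happened",
]

if __name__ == "__main__":
    for line in SAMPLES:
        fields = parse_prefix(line)
        if fields is None:
            print("no appropriate format defined for log entry:", line)
        else:
            print(fields)
```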

Prewikka

I get an error "Prelude Database schema version too old"

You must update the MySQL schema using a pre-made script:

mysql -u prelude prelude -p < /usr/share/libpreludedb/classic/mysql-update-14-1.sql
syntax: mysql -u <login> <database> -p < /usr/share/libpreludedb/classic/mysql-update-14-1.sql

NOTE: Sometimes the path is /usr/local/share/...

I have issues with Prelude and Apache configuration since I want Prewikka in a sub-directory

You are already using your web server for something else and you want to access Prewikka at http://www.mycompany.xx/prelude:

Alias /prelude/prewikka /usr/share/prewikka/htdocs/
ScriptAlias /prelude/ /usr/share/prewikka/cgi-bin/prewikka.cgi
<Directory "/usr/share/prewikka/htdocs/">
        AllowOverride None
        Options ExecCGI

        <IfModule mod_mime.c>
                AddHandler cgi-script .cgi
        </IfModule>

        Order allow,deny
        Allow from all
</Directory>

Abnormal Offline Agents and MySQL table 'Prelude_Analyzer' is full

If checking the MySQL log shows you that:

MySQL Query error: The table 'Prelude_Analyzer' is full

then you may need to alter a setting in my.cnf (back it up first).

So find the line:

innodb_data_file_path = ibdata1:10M:autoextend:max:128M

and try changing it to read:
innodb_data_file_path = ibdata1:10M:autoextend

After a restart of MySQL, Prelude-Manager, Prelude-LML etc., hopefully this will bring your Prewikka back online.

What can I do if I forgot the Prewikka "admin" password?

With the MySQL console, you can change the MD5 password by resetting the password field of the Prewikka_User table in the prewikka database. Note the use of MD5() in the query:

mysql -u <database username> -p prewikka
<password>

mysql> UPDATE Prewikka_User SET password = MD5('my_new_password') WHERE login = 'admin';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Sensors are running, but I see no events or agents in Prewikka?

Make sure that the Prelude-Manager db (database) plugin is enabled. Prelude-Manager should report the following upon start:

- Subscribing db[default] to active reporting plugins.

If you get an error when enabling the plugin, make sure Prelude-Manager was compiled with libpreludedb support.

Finally, if database reporting is enabled but you still cannot get any information in Prewikka, try running Prelude-Manager in the foreground with the --debug -l stderr command line arguments, to check whether it is receiving sensor alerts and heartbeats.

Why can't I see alerts older than one hour in Prewikka? I know they are in the database.

Prewikka shows all alerts within the last hour by default. If you want to see all alerts from the very beginning, choose "Unlimited" in the Step part of the bottom left panel. Beware that loading all the data can take a long time.

Virtual Machines

I have a VMware Server running Linux with various Linux guests, and none of the guest clocks keep time correctly?

This is an issue with guests running 2.6 kernel versions.

Guests with 2.6 kernels sometimes suffer from clock skew. Appending "clock=pit nosmp noapic nolapic" to the kernel line in grub.conf and rebooting can alleviate this issue. For more information: http://rextang.net/blogs/work/archive/2006/12/21/4516.aspx