Installing on Gentoo with packages

Description of USE Flags

  • dev-libs/libprelude
    • lua: Enable Lua scripting support
    • perl: Add optional support/bindings for the Perl language
    • python: Add optional support/bindings for the Python language
    • ruby: Add support/bindings for the Ruby language
  • dev-libs/libpreludedb
    • mysql: Add mySQL Database support
    • postgres: Add support for the postgresql database
    • python: Add optional support/bindings for the Python language
    • sqlite: Add support for sqlite - embedded sql database
  • net-analyzer/prelude-lml
    • icu: Enable ICU (Internationalization Components for Unicode) support, using dev-libs/icu
    • ssl: Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
  • net-analyzer/prelude-lml-rules
    • No USE Flags
  • net-analyzer/prelude-correlator
    • No USE Flags
  • app-admin/prelude-manager
    • dbx: Enables Prelude Manager storing Prelude alerts into database through dev-libs/libpreludedb.
    • geoip: Add geoip support for country and city lookup based on IPs
    • tcpwrapper: Enables Prelude Manager using tcp wrapper. It requires sys-apps/tcp-wrappers.
    • xml: Add support for XML files
  • www-apps/prewikka
    • adns: Add support for asynchronous DNS resolution

Installation

Prelude needs an SQL database; this tutorial uses MariaDB in its examples.

Set the minimum USE Flags:
  • dev-libs/libprelude: python
  • dev-libs/libpreludedb: mysql python
  • app-admin/prelude-manager: dbx

Install all prelude packages:

localhost ~ # emerge prelude-manager prelude-lml prelude-lml-rules prelude-correlator prewikka

Note: if there is no prelude-lml or prelude-manager directory in /var/run, run the following command:

localhost ~ # systemd-tmpfiles --create

Install rsyslog, or another syslog daemon that stores its logs under /var/log:

localhost ~ # emerge rsyslog

... and start the service:

localhost ~ # systemctl start rsyslog

Install the database:

localhost ~ # emerge mariadb
localhost ~ # emerge --config dev-db/mariadb

Start the database:

localhost ~ # systemctl start mariadb

Create two databases, one for IDMEF alerts and one for the web interface:

localhost ~ # mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE prelude;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE prewikka;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE USER 'prelude'@'localhost' IDENTIFIED BY 'prelude';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prelude.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prewikka.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)

Initialize the database:

localhost ~ # mysql -u prelude -p prelude < /usr/share/libpreludedb/classic/mysql.sql

Configure both databases in the web interface configuration:

localhost ~ # vim /etc/prewikka/prewikka.conf

# Events DB
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prelude

# Prewikka DB
[database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prewikka

Configure the IDMEF alert database in the prelude-manager configuration:

localhost ~ # vim /etc/prelude-manager/prelude-manager.conf

[db]
type = mysql
host = localhost
name = prelude
user = prelude
pass = prelude
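As an added check (not part of this page or of the Prelude project), the script below parses the two fragments above with Python's configparser and reports where prewikka and prelude-manager disagree about the IDMEF database, and where the tutorial's placeholder password (equal to the user name) is still in place. It assumes only the section fragments shown here, not the full configuration files.

```python
import configparser
# Constructed copies of the fragments shown on this page: prewikka uses
# "key: value", prelude-manager uses "key = value"; configparser takes both.
PREWIKKA_CONF = """
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prelude
[database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prewikka
"""
MANAGER_CONF = """
[db]
type = mysql
host = localhost
name = prelude
user = prelude
pass = prelude
"""

def load_section(text, section):
    """Parse one [section] of a Prelude-style config into a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp[section])

def check_db_settings(prewikka, manager):
    """Return findings; empty means the files agree and no placeholder remains."""
    findings = []
    idmef = load_section(prewikka, "idmef_database")
    web = load_section(prewikka, "database")
    mgr = load_section(manager, "db")
    # prewikka must read the same IDMEF database that prelude-manager writes.
    for key in ("type", "host", "name", "user"):
        if idmef.get(key) != mgr.get(key):
            findings.append(f"idmef_database.{key}={idmef.get(key)!r} differs "
                            f"from prelude-manager db.{key}={mgr.get(key)!r}")
    # The tutorial's placeholder credentials: password equal to the user name.
    for label, sec in (("prewikka idmef_database", idmef),
                       ("prewikka database", web), ("prelude-manager db", mgr)):
        if sec.get("pass") and sec["pass"] == sec.get("user"):
            findings.append(f"{label}: password equals user name")
    return findings
```

Run it against your real /etc/prewikka/prewikka.conf and /etc/prelude-manager/prelude-manager.conf sections after editing them; an empty result means the web interface reads the database the manager writes and the placeholder credentials are gone.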

Now you have to initialize the communication between all Prelude modules (prelude-manager, prelude-lml and prelude-correlator) as explained in InstallingAgentRegistration. Here is a short log of a standard initialization.

Register Prelude Manager

Registration:

localhost ~ # prelude-admin add "prelude-manager" --uid 0 --gid 0

Start the service:

localhost ~ # systemctl start prelude-manager

Check the service:

localhost ~ # systemctl status prelude-manager
● prelude-manager.service - Prelude bus communicator
   Loaded: loaded (/usr/lib/systemd/system/prelude-manager.service; disabled; vendor preset: disabled)
   Active: active (running) since jeu. 2018-04-26 11:22:25 CEST; 3s ago
     Docs: man:prelude-manager(1)
 Main PID: 1630 (prelude-manager)
   CGroup: /system.slice/prelude-manager.service
           └─1630 /usr/sbin/prelude-manager

avril 26 11:22:25 rhel7.prelude systemd[1]: Started Prelude bus communicator.
avril 26 11:22:25 rhel7.prelude systemd[1]: Starting Prelude bus communicator...

Register Prelude Correlator

Registration, prelude-manager side:

localhost ~ # prelude-admin registration-server prelude-manager
The "a751zs24" password will be requested by "prelude-admin register" 
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Connection from 127.0.0.1:45068...
Registration request for analyzerID="3525482479983286" permission="idmef:rw".
Approve registration? [y/n]: y
127.0.0.1:45068 successfully registered.

Registration, prelude-correlator side:

localhost ~ # prelude-admin register "prelude-correlator" "idmef:rw" 127.0.0.1 --uid 0 --gid 0
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager" 

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.

Start the service:

localhost ~ # systemctl start prelude-correlator

Check the service:

localhost ~ # systemctl status prelude-correlator
● prelude-correlator.service - Correlator of events received by Prelude
   Loaded: loaded (/usr/lib/systemd/system/prelude-correlator.service; disabled; vendor preset: disabled)
   Active: active (running) since lun. 2018-04-30 01:18:32 CEST; 3s ago
 Main PID: 13366 (prelude-correla)
   CGroup: /system.slice/prelude-correlator.service
           └─13366 /usr/bin/python3.4 /usr/sbin/prelude-correlator

avril 30 01:18:32 rhel7.prelude systemd[1]: Started Correlator of events received by Prelude.
avril 30 01:18:32 rhel7.prelude systemd[1]: Starting Correlator of events received by Prelude...
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) INFO: [BusinessHourPlugin]: disabled on user request
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) INFO: [FirewallPlugin]: disabled on user request
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) WARNING: Unable to load SpamhausDropPlugin: missing netaddr modu...ypi/netaddr
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.plugins.CIArmyPlugin (pid:13366) INFO: Loaded CIArmy data from a previous run (age=0.13 hours)
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.plugins.DshieldPlugin (pid:13366) INFO: Loaded DShield data from a previous run (age=0.13 hours)
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.main (pid:13366) INFO: 8 plugins have been loaded.
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 libprelude (pid:13366) INFO: Connecting to 127.0.0.1:4690 prelude Manager server.
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 libprelude (pid:13366) INFO: TLS authentication succeed with Prelude Manager.

Register Prelude LML

Registration, prelude-manager side:

localhost ~ # prelude-admin registration-server prelude-manager
The "yv67yggx" password will be requested by "prelude-admin register" 
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Connection from 127.0.0.1:45698...
Registration request for analyzerID="1973745155986225" permission="idmef:w".
Approve registration? [y/n]: y
127.0.0.1:45698 successfully registered.

Registration, prelude-lml side:

localhost ~ # prelude-admin register "prelude-lml" "idmef:w" 127.0.0.1 --uid 0 --gid 0
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager" 

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.

Start the service:

localhost ~ # systemctl start prelude-lml

Check the service:

localhost ~ # systemctl status prelude-lml
● prelude-lml.service - Log analyzer sensor with IDMEF output
   Loaded: loaded (/usr/lib/systemd/system/prelude-lml.service; disabled; vendor preset: disabled)
   Active: active (running) since lun. 2018-04-30 01:21:12 CEST; 1min 19s ago
 Main PID: 13380 (prelude-lml)
   CGroup: /system.slice/prelude-lml.service
           └─13380 /usr/sbin/prelude-lml

Web interface

Start the web interface:

localhost ~ # prewikka-httpd -p 80

Tests

Generate some log entries to test the alerts. For example, open an SSH connection to localhost and enter a wrong password:

localhost ~ # ssh localhost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
localhost ~ # ssh localhost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).