Open Source SIM Installation with Prelude
I have been exploring multiple configurations using open source software to generate, store, and review security-relevant information. The solution I am working on combines Log-based Intrusion Detection (LIDS), Host-based Intrusion Detection (HIDS), and Network-based Intrusion Detection (NIDS) with a Security Information Management (SIM) tool.
The best combination I have found so far is Prelude IDS + OSSEC + Snort to meet all of these objectives. I like the web interface of Prelude (Prewikka), although the open source version lacks a way to mark events as "handled" - more on that in a future post. OSSEC adds a lot of functionality including both LIDS and HIDS with both distributed and clientless capability. Both OSSEC and Snort report back to Prelude using native IDMEF.
Getting everything set up was a bit of an adventure, so I have documented the process below for my future use and in case anyone else gets any value from it.
# Start with CentOS 5.3 installed with LAMP
# Add required packages and libraries:
sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
sudo yum install ruby ruby-devel gnutls-devel lua lua-devel mysql-devel python-cheetah libpcap-devel pcre-devel
# Set up libprelude:
wget http://www.prelude-ids.com/download/releases/libprelude/libprelude-0.9.24.1.tar.gz
tar xzf libprelude-0.9.24.1.tar.gz
cd libprelude-0.9.24.1
./configure
make && make check
sudo make install
sudo /sbin/ldconfig /usr/local/lib
sudo vi /etc/prelude/default/client.conf
----------------------------------------------------------
[prelude]
server-addr = <<enter server ip address here>>
----------------------------------------------------------
sudo vi /usr/etc/prelude/default/global.conf
----------------------------------------------------------
node-name = <<enter host name here>>
[Node-Address]
address = <<enter node IP here>>
netmask = <<enter node netmask here>>
category = ipv4-addr
----------------------------------------------------------
# Set up libpreludedb:
wget http://www.prelude-ids.com/download/releases/libpreludedb/libpreludedb-0.9.15.3.tar.gz
tar xzf libpreludedb-0.9.15.3.tar.gz
cd libpreludedb-0.9.15.3
# export so ./configure actually sees the /usr/local paths
export LDFLAGS="$LDFLAGS -L/usr/local/lib"
export PATH="$PATH:/usr/local/bin"
./configure --with-postgresql=no
make && make check
sudo make install
sudo /sbin/ldconfig /usr/local/lib
mysql -u root -p
mysql> CREATE database prelude;
mysql> GRANT ALL PRIVILEGES ON prelude.* TO prelude@'localhost' IDENTIFIED BY '<<enter prelude dbuser password here>>';
mysql -u prelude prelude -p < /usr/local/share/libpreludedb/classic/mysql.sql
# Set up prelude-manager:
wget http://www.prelude-ids.com/download/releases/prelude-manager/prelude-manager-0.9.15.tar.gz
tar xzf prelude-manager-0.9.15.tar.gz
cd prelude-manager-0.9.15
export LDFLAGS="$LDFLAGS -L/usr/local/lib"
export PATH="$PATH:/usr/local/bin"
./configure
make && make check
sudo make install
sudo vi /usr/local/etc/prelude-manager/prelude-manager.conf
----------------------------------------------------------
listen = <<enter server IP address here>>
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = <<enter prelude dbuser password here>>
----------------------------------------------------------
# Set up prelude-correlator:
wget http://www.prelude-ids.com/download/releases/prelude-correlator/prelude-correlator-0.9.0-beta8.tar.gz
tar xzf prelude-correlator-0.9.0-beta8.tar.gz
cd prelude-correlator-0.9.0-beta8
sudo python setup.py install
sudo /sbin/iptables -I RH-Firewall-1-INPUT 10 -p tcp -m multiport --dports 4690,5553 -m state --state NEW -j ACCEPT
sudo /sbin/service iptables save
sudo prelude-admin add "prelude-manager" --uid 0 --gid 0
sudo /usr/local/bin/prelude-manager -d
# Set up prewikka web interface:
wget http://www.prelude-ids.com/download/releases/prewikka/prewikka-0.9.17.1.tar.gz
tar xzf prewikka-0.9.17.1.tar.gz
cd prewikka-0.9.17.1
sudo python setup.py install
sudo vi /etc/prewikka/prewikka.conf
----------------------------------------------------------
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: <<enter prelude dbuser password here>>
name: prelude
[database]
type: mysql
host: localhost
user: prelude
pass: <<enter prewikka dbuser password here>>
name: prewikka
----------------------------------------------------------
mysql -u root -p
mysql> CREATE database prewikka;
mysql> GRANT ALL PRIVILEGES ON prewikka.* TO prewikka@'localhost' IDENTIFIED BY '<<enter prewikka dbuser password here>>';
mysql -u prewikka prewikka -p < /usr/share/prewikka/database/mysql.sql
sudo vi /etc/httpd/conf/httpd.conf
----------------------------------------------------------
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin admin@domain.com
<Location />
SetHandler mod_python
PythonHandler prewikka.ModPythonHandler
PythonOption PrewikkaConfig /etc/prewikka/prewikka.conf
</Location>
<Location /prewikka>
SetHandler None
</Location>
Alias /prewikka /usr/share/prewikka/htdocs
Alias /htdocs /usr/share/prewikka/htdocs
</VirtualHost>
----------------------------------------------------------
sudo /sbin/service httpd start
sudo /sbin/iptables -I RH-Firewall-1-INPUT 11 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
sudo /sbin/service iptables save
# Set up OSSEC LIDS/HIDS:
wget http://www.ossec.net/files/ossec-hids-2.3.tar.gz
tar xzf ossec-hids-2.3.tar.gz
cd ossec-hids-2.3
export LDFLAGS="$LDFLAGS -L/usr/local/lib"
export PATH="$PATH:/usr/local/bin"
cd src; make setprelude; cd ..
sudo ./install.sh
sudo vi /var/ossec/etc/ossec.conf
----------------------------------------------------------
<prelude_output>yes</prelude_output>
----------------------------------------------------------
sudo prelude-admin register OSSEC "idmef:w" 172.30.1.2 --uid 501 --gid 501
sudo /var/ossec/bin/ossec-control start
# Set up Snort NIDS:
wget http://dl.snort.org/snort-current/snort-2.8.5.1.tar.gz
tar xzf snort-2.8.5.1.tar.gz
cd snort-2.8.5.1
export LDFLAGS="$LDFLAGS -L/usr/local/lib"
export PATH="$PATH:/usr/local/bin"
./configure --enable-prelude
make
sudo make install
sudo vi /usr/local/etc/snort/snort.conf
----------------------------------------------------------
output alert_prelude: profile=snort
----------------------------------------------------------
sudo prelude-admin register snort "idmef:w admin:r" <ip address> --uid snort --gid snort
# additional steps here to configure snort plugins etc
sudo snort -D -c /usr/local/etc/snort/snort.conf -i eth1
# Finished initial setup
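The steps above hand-edit several files that embed the same placeholder values (server IP, node address, MySQL password) and open the manager ports to any source. As an added example that is not part of the original post, the script below renders the prelude-manager.conf [db] block and the global.conf node block from arguments after validating the addresses, writes the file that carries the database password with mode 0600 (the vi edits above leave whatever the default umask produced), and prints iptables rules that admit the manager port (4690) and the prelude-admin registration port (5553) only from the sensor network instead of from anywhere. The output directory, the sensor network in CIDR form, and the file names are assumptions of this script, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the Prelude config
# snippets shown in the post from arguments and prints restricted firewall
# rules. OUTDIR and SENSOR_CIDR are assumed inputs; nothing is applied to
# the live system, the rules are only printed for review.

# valid_ipv4 A.B.C.D : succeed only for four dotted octets in the range 0-255
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_cidr A.B.C.D/N : the address must be valid and N in the range 0-32
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    case ${1#*/} in ''|*[!0-9]*) return 1 ;; esac
    [ "${1#*/}" -le 32 ]
}

# write_secret_file PATH CONTENT : create the file unreadable to other users,
# because prelude-manager.conf and prewikka.conf both embed the MySQL password
write_secret_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) && chmod 600 "$1"
}

# render_manager_conf DIR LISTEN_IP DB_PASS : the listen line and [db] block
# from the post's prelude-manager.conf, with the placeholders filled in
render_manager_conf() {
    valid_ipv4 "$2" || { echo "bad listen address: $2" >&2; return 1; }
    write_secret_file "$1/prelude-manager.conf" "listen = $2
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = $3"
}

# render_node_conf DIR NODE_NAME NODE_IP NETMASK : the global.conf node block
render_node_conf() {
    valid_ipv4 "$3" && valid_ipv4 "$4" || { echo "bad node address/netmask" >&2; return 1; }
    printf '%s\n' "node-name = $2" "[Node-Address]" "address = $3" \
        "netmask = $4" "category = ipv4-addr" > "$1/global.conf"
}

# sensor_fw_rules SENSOR_CIDR : print the two ACCEPT rules from the post with
# a -s source restriction, so only sensors can reach 4690 (manager) and
# 5553 (prelude-admin registration server); review, then run on the manager
sensor_fw_rules() {
    valid_cidr "$1" || { echo "expected sensor network in CIDR form, got: $1" >&2; return 1; }
    for port in 4690 5553; do
        printf 'iptables -I RH-Firewall-1-INPUT 10 -p tcp -s %s --dport %s -m state --state NEW -j ACCEPT\n' "$1" "$port"
    done
}

# usage: sh prelude-conf.sh OUTDIR MANAGER_IP NODE_NAME NODE_IP NETMASK SENSOR_CIDR DB_PASS
main() {
    [ $# -eq 7 ] || { echo "usage: $0 OUTDIR MANAGER_IP NODE_NAME NODE_IP NETMASK SENSOR_CIDR DB_PASS" >&2; return 2; }
    mkdir -p "$1" || return 1
    render_manager_conf "$1" "$2" "$7" &&
    render_node_conf "$1" "$3" "$4" "$5" &&
    sensor_fw_rules "$6" > "$1/sensor-firewall.sh"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Copy the rendered files into the directories used above (/usr/local/etc/prelude-manager/ and the libprelude default/ directory) and review sensor-firewall.sh before running it; the registration port only needs to be reachable while prelude-admin register is being run for a new sensor, so that rule can be removed again afterwards.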



Comments
Hi,
Without knowing better, have you tried out OSSIM?
I'm thinking about using that as a frontend to snort and ossec.
But haven't started the project yet..
So perhaps it is too much...
--
Regards Falk
Falk,
Yes, in addition to Prelude I also looked at OSSIM and Sguil for the GUI. I personally found OSSIM too complex and more focused on visual appeal than usability. For example, in addition to being a SIEM, OSSIM includes a ticketing system, network performance monitoring, system inventory, vulnerability scanner, and more. All of them together create pretty executive dashboards and graphs, but I didn't find it very useful to manage tactical security event information.
Sguil would be a good alternative but is more NIDS focused and hasn't been updated in over a year. Although I don't mind that it's written in TCL directly, it isn't a language that I'm very familiar with, which was also a downside for me.
Further, Prelude's use of IDMEF also helps it integrate well with OSSEC and Snort. Although IDMEF may be a failed standard, it provides good integration by providing a standard format for the data.
I would encourage you to try both Prelude and OSSIM in a lab to decide for yourself. Personally, I found Prelude much more usable for my needs, although it lacks the bells and whistles that OSSIM has.
- Christopher