Open Source SIM Installation with Prelude

I have been exploring multiple configurations using open source software to generate, store, and review security-relevant information. The solution I am working on combines Log-based Intrusion Detection (LIDS), Host-based Intrusion Detection (HIDS), and Network-based Intrusion Detection (NIDS) with a Security Information Management (SIM) tool.

[Screenshot of Prewikka WUI]

The best combination I have found so far is Prelude IDS + OSSEC + Snort to meet all of these objectives.  I like the web interface of Prelude (Prewikka), although the open source version lacks a way to mark events as "handled" - more on that in a future post.  OSSEC adds a lot of functionality including both LIDS and HIDS with both distributed and clientless capability.  Both OSSEC and Snort report back to Prelude using native IDMEF.

Getting everything set up was a bit of an adventure, so I have documented the process below for my future use and in case anyone else gets any value from it.


# Start with CentOS 5.3 installed with LAMP

# Add required packages and libraries:
sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
sudo yum install ruby ruby-devel gnutls-devel lua lua-devel mysql-devel python-cheetah libpcap-devel pcre-devel

# Set up libprelude:
wget http://www.prelude-ids.com/download/releases/libprelude/libprelude-0.9.24.1.tar.gz
tar xzf libprelude-0.9.24.1.tar.gz
cd libprelude-0.9.24.1
./configure
make && make check
sudo make install
sudo /sbin/ldconfig /usr/local/lib
sudo vi /etc/prelude/default/client.conf
----------------------------------------------------------
[prelude]
server-addr = <<enter server ip address here>>
----------------------------------------------------------
sudo vi /usr/etc/prelude/default/global.conf
----------------------------------------------------------
node-name = <<enter host name here>>
[Node-Address]
address = <<enter node IP here>>
netmask = <<enter node netmask here>>
category = ipv4-addr
----------------------------------------------------------

# Set up libpreludedb:
wget http://www.prelude-ids.com/download/releases/libpreludedb/libpreludedb-0.9.15.3.tar.gz
tar xzf libpreludedb-0.9.15.3.tar.gz
cd libpreludedb-0.9.15.3
# export these so ./configure (a child process) actually sees them; libprelude went under /usr/local
export LDFLAGS="$LDFLAGS -L/usr/local/lib"
export PATH="$PATH:/usr/local/bin"
./configure --with-postgresql=no
make && make check
sudo make install
sudo /sbin/ldconfig /usr/local/lib
mysql -u root -p
mysql> CREATE database prelude;
mysql> GRANT ALL PRIVILEGES ON prelude.* TO prelude@'localhost' IDENTIFIED BY '<<enter prelude dbuser password here>>';
mysql -u prelude prelude -p < /usr/local/share/libpreludedb/classic/mysql.sql

# Set up prelude-manager:
wget http://www.prelude-ids.com/download/releases/prelude-manager/prelude-manager-0.9.15.tar.gz
tar xzf prelude-manager-0.9.15.tar.gz
cd prelude-manager-0.9.15
export LDFLAGS="$LDFLAGS -L/usr/local/lib"
export PATH="$PATH:/usr/local/bin"
./configure
make && make check
sudo make install
sudo vi /usr/local/etc/prelude-manager/prelude-manager.conf
----------------------------------------------------------
listen = <<enter server IP address here>>
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = <<enter prelude dbuser password here>>
----------------------------------------------------------

# Set up prelude-correlator:
wget http://www.prelude-ids.com/download/releases/prelude-correlator/prelude-correlator-0.9.0-beta8.tar.gz
tar xzf prelude-correlator-0.9.0-beta8.tar.gz
cd prelude-correlator-0.9.0-beta8
sudo python setup.py install
# open the sensor port (4690) and the prelude-admin registration port (5553) for incoming connections
sudo /sbin/iptables -I RH-Firewall-1-INPUT 10 -p tcp -m multiport --dports 4690,5553 -m state --state NEW -j ACCEPT
sudo /sbin/service iptables save
# note: this registers the manager profile as root (uid/gid 0); a dedicated unprivileged user is the safer choice
sudo prelude-admin add "prelude-manager" --uid 0 --gid 0
sudo /usr/local/bin/prelude-manager -d

# Set up prewikka web interface:
wget http://www.prelude-ids.com/download/releases/prewikka/prewikka-0.9.17.1.tar.gz
tar xzf prewikka-0.9.17.1.tar.gz
cd prewikka-0.9.17.1
sudo python setup.py install
sudo vi /etc/prewikka/prewikka.conf
----------------------------------------------------------
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: <<enter prelude dbuser password here>>
name: prelude

[database]
type: mysql
host: localhost
user: prewikka
pass: <<enter prewikka dbuser password here>>
name: prewikka
----------------------------------------------------------
mysql -u root -p
mysql> CREATE database prewikka;
mysql> GRANT ALL PRIVILEGES ON prewikka.* TO prewikka@'localhost' IDENTIFIED BY '<<enter prewikka dbuser password here>>';
mysql -u prewikka prewikka -p < /usr/share/prewikka/database/mysql.sql

sudo vi /etc/httpd/conf/httpd.conf
----------------------------------------------------------
NameVirtualHost *:80

<VirtualHost *:80>
        ServerAdmin admin@domain.com
        <Location />
                SetHandler mod_python
                PythonHandler prewikka.ModPythonHandler
                PythonOption PrewikkaConfig /etc/prewikka/prewikka.conf
        </Location>

        <Location /prewikka>
                SetHandler None
        </Location>

        Alias /prewikka /usr/share/prewikka/htdocs
        Alias /htdocs /usr/share/prewikka/htdocs
</VirtualHost>
----------------------------------------------------------
sudo /sbin/service httpd start
sudo /sbin/iptables -I RH-Firewall-1-INPUT 11 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
sudo /sbin/service iptables save

# Set up OSSEC LIDS/HIDS:
wget http://www.ossec.net/files/ossec-hids-2.3.tar.gz
tar xzf ossec-hids-2.3.tar.gz
cd ossec-hids-2.3
export LDFLAGS="$LDFLAGS -L/usr/local/lib"
export PATH="$PATH:/usr/local/bin"
cd src; make setprelude; cd ..
sudo ./install.sh
sudo vi /var/ossec/etc/ossec.conf   # add the line below inside the <global> section
----------------------------------------------------------
<prelude_output>yes</prelude_output>
----------------------------------------------------------
sudo prelude-admin register OSSEC "idmef:w" 172.30.1.2 --uid 501 --gid 501
sudo /var/ossec/bin/ossec-control start

# Set up Snort NIDS:
wget http://dl.snort.org/snort-current/snort-2.8.5.1.tar.gz
tar xzf snort-2.8.5.1.tar.gz
cd snort-2.8.5.1
export LDFLAGS="$LDFLAGS -L/usr/local/lib"
export PATH="$PATH:/usr/local/bin"
./configure --enable-prelude
make
sudo make install
sudo vi /usr/local/etc/snort/snort.conf
----------------------------------------------------------
output alert_prelude: profile=snort
----------------------------------------------------------
sudo prelude-admin register snort "idmef:w admin:r" <ip address> --uid snort --gid snort
# additional steps here to configure snort plugins etc
sudo snort -D -c /etc/snort/snort.conf -i eth1
# Finished initial setup
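As an added pre-flight check (my addition, not part of the original post), the shell function below scans the config files edited above before prelude-manager or Prewikka is started: it reports any unfilled <<placeholder>> value, any required key that is absent (Prelude uses "key = value", Prewikka "key: value"), and a world-readable mode, since each of these files holds a database password. The two sample files are constructed here with a dummy password; the real paths are the ones given in the steps above.

```shell
# check_prelude_conf FILE "KEY KEY ..." - added pre-flight check, not from the
# original post. Returns 1 if FILE has unfilled <<placeholder>> values, lacks any
# listed key (either "key = value" or "key: value"), or is world-readable.
check_prelude_conf() {
  conf="$1"; required="$2"; rc=0
  lines=$(grep -n '<<[^>]*>>' "$conf" | cut -d: -f1 | tr '\n' ' ')
  if [ -n "$lines" ]; then
    echo "$conf: unfilled <<placeholder>> on line(s) $lines" >&2; rc=1
  fi
  for key in $required; do
    if ! grep -Eq "^[[:space:]]*$key[[:space:]]*[=:]" "$conf"; then
      echo "$conf: missing key '$key'" >&2; rc=1
    fi
  done
  # these files carry the DB password, so "other" must not be able to read them
  if [ -n "$(find "$conf" -perm -004)" ]; then
    echo "$conf: world-readable, but it holds a database password" >&2; rc=1
  fi
  return $rc
}
# Constructed samples mimicking the prelude-manager.conf and prewikka.conf fragments
# above (real paths: /usr/local/etc/prelude-manager/prelude-manager.conf and
# /etc/prewikka/prewikka.conf). The password below is a dummy value.
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
listen = 192.0.2.10
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = dummy-password
EOF
chmod 600 "$GOOD_CONF"
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: <<enter prelude dbuser password here>>
EOF
chmod 644 "$BAD_CONF"   # deliberately wrong: password readable by everyone
MANAGER_KEYS="listen type host port name user pass"
PREWIKKA_KEYS="type host user pass name"
check_prelude_conf "$GOOD_CONF" "$MANAGER_KEYS" && echo "ok: $GOOD_CONF"
check_prelude_conf "$BAD_CONF" "$PREWIKKA_KEYS" || echo "problems found in $BAD_CONF"
```

Run it against each config file after editing (for example `check_prelude_conf /etc/prewikka/prewikka.conf "$PREWIKKA_KEYS"`) and fix whatever it reports before starting the daemons.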


Comments

Have you tried out OSSIM?

Hi,

Without knowing better, have you tried out OSSIM?
I'm thinking about using that as a frontend to snort and ossec.

But haven't started the project yet..
So perhaps it is too much...

--
Regards Falk

Re: Have you tried out OSSIM?

Falk,

Yes, in addition to Prelude I also looked at OSSIM and Sguil for the GUI. I personally found OSSIM too complex and more focused on visual appeal than usability. For example, in addition to being a SIEM, OSSIM includes a ticketing system, network performance monitoring, system inventory, vulnerability scanner, and more. All of them together create pretty executive dashboards and graphs, but I didn't find it very useful to manage tactical security event information.

Sguil would be a good alternative but is more NIDS focused and hasn't been updated in over a year. Although I don't mind that it's written in TCL directly, it isn't a language that I'm very familiar with, which was also a downside for me.

Further, Prelude's use of IDMEF also helps it integrate well with OSSEC and Snort. Although IDMEF may be a failed standard, it provides good integration by providing a standard format for the data.

I would encourage you to try both Prelude and OSSIM in a lab to decide for yourself. Personally, I found Prelude much more usable for my needs, although it lacks the bells and whistles that OSSIM has.

- Christopher