Installing and configuring remote prelude-lml and snort sensors

Files included for the distribution (prelude_sensor_dist.tar.gz)

Debian packages:

initrd-tools_0.1.84.1_all.deb
libc6_2.3.6-16_i386.deb
libgcrypt11_1.2.2-3_i386.deb
libgnutls13_1.4.1-1_i386.deb
libgpg-error0_1.2-1_i386.deb
libopencdk8_0.5.8-1_i386.deb
libpcre-ocaml_5.10.1-4_i386.deb
libprelude2_0.9.7.2-1_i386.deb
libtasn1-3_0.3.5-2_i386.deb
prelude-lml_0.9.4-1_i386.deb
tzdata_2006g-2_all.deb

Shared library (not a Debian package; needed by the snort binary, see step 2):

libpcre.so.0.0.1

prelude-adduser (binary)

README (text version of this html file)

Directory containing snort files:

Snort-2.4.5 (includes snort binary, snort.conf, snort rules)

0) create a directory

   /usr/share/prelude/sensor-dist

   and unpack prelude_sensor_dist.tar.gz into it (the paths used in steps 7 and 8 assume this location)

1) install libprelude2 (version 0.9.7.2)

dpkg -i libprelude2_0.9.7.2-1_i386.deb

libprelude2 depends on the packages below (an indented entry is a dependency of the entry above it). Install the dependencies first, or hand all of the .deb files to one dpkg -i invocation so that dpkg can order their configuration itself; with an unmet dependency the package is unpacked but left unconfigured.

[dependency] libc6 (>= 2.3.6-6)              libc6_2.3.6-16_i386.deb
      [dependency] initrd-tools (>= 0.1.84.1)   initrd-tools_0.1.84.1_all.deb
      [dependency] tzdata (2006g)               tzdata_2006g-2_all.deb

[dependency] libgpg-error0 (>= 1.2)          libgpg-error0_1.2-1_i386.deb

[dependency] libgcrypt11 (>= 1.2.2)          libgcrypt11_1.2.2-3_i386.deb

[dependency] libgnutls13 (>= 1.3.5)          libgnutls13_1.4.1-1_i386.deb
      [dependency] libopencdk8 (>= 0.5.8)       libopencdk8_0.5.8-1_i386.deb
      [dependency] libtasn1-3 (3.5)             libtasn1-3_0.3.5-2_i386.deb

2) install snort (version 2.4.5) and prelude-lml (version 0.9.4)

- the binary 'snort' was built from source on debian against libprelude 0.9.7.2, so step 1 must be complete before it will start

[dependency] libpcre

   snort is linked against the PCRE shared library, libpcre.so.0, which is shipped here as the file libpcre.so.0.0.1: copy it to a directory on the dynamic loader's search path and refresh the loader cache. The listed package libpcre-ocaml_5.10.1-4_i386.deb is the OCaml binding to PCRE, not the library itself, so installing it alone does not satisfy snort. Before going on, run ldd against the snort binary and make sure no library is reported as "not found".

dpkg -i prelude-lml_0.9.4-1_i386.deb


3) run adduser for prelude-lml

The sensor name passed to prelude-adduser is the sensor's profile name. Make sure that <lml-sensor-name> and <snort_sensor-name> are meaningful, because these names are what prewikka shows for each agent.

open terminal on manager host

prelude-adduser registration-server prelude-manager

open terminal on sensor host

prelude-adduser register <lml-sensor-name> "idmef:w admin:r" <manager address>  --uid 0 --gid 0

perform the 'handshake': the registration-server prints a one-shot password, type it at the sensor side when prompted, then approve the registration when the manager side asks. "idmef:w admin:r" grants the sensor write access for IDMEF alerts and read access for admin messages; --uid 0 --gid 0 makes the profile files owned by root, which is the user the sensor runs as. The sensor host must be able to reach the manager on its listening port (4690 by default), so check any firewall in between before registering.


4) edit prelude-lml.conf

- add the following after the commented line

# server-addr = 127.0.0.1

[prelude]

server-addr=<manager address>

If the file already has a [prelude] section, put the server-addr line inside that section rather than adding a second one. <manager address> must be the same address that was used when registering in step 3.

5) start prelude-lml (only after step 4, since the manager address is read at startup)

/etc/init.d/prelude-lml start


6) run adduser for snort (the snort daemon has been built for debian with prelude support)

open terminal on pkirack3 (the host where the manager is running)

prelude-adduser registration-server prelude-manager

open terminal on sensor host

prelude-adduser register <snort_sensor-name> "idmef:w admin:r" <manager address> --uid 0 --gid 0

perform the same 'handshake' as in step 3 (one-shot password from the registration-server, then approve on the manager side). Note the exact <snort_sensor-name> used here: it has to be repeated as the profile= value in step 7.


7) configure snort

prelude-adduser should record the manager address for the profile, but this may fail. If it does:

edit /etc/prelude/default/client.conf (the libprelude default client configuration, so it applies to every prelude client on this host, prelude-lml included)

edit line:

server-addr = <manager address>

The following edit is always needed, since prelude-adduser does not touch snort.conf:

edit /usr/share/prelude/sensor-dist/snort-2.4.5/etc/rules/snort.conf

edit line:

output alert_prelude: profile=<snort_sensor-name>

The profile name must match the name registered in step 6 exactly; otherwise snort does not find its profile and cannot authenticate to the manager.


8) start snort (copy the binary snort to /usr/local/bin first, and make sure that copy is the one found on the PATH, or call it by its full path)

snort -D -c /usr/share/prelude/sensor-dist/snort-2.4.5/etc/rules/snort.conf  -i eth0

(-D runs snort as a daemon, -c names the configuration file edited in step 7, -i selects the interface to sniff; replace eth0 with the interface that actually sees the traffic to be monitored.)

Finally, check prewikka on the prelude manager to make sure that this prelude-lml and snort show up as agents and that they are online. If snort is missing, run it again without -D so that its connection errors appear on the terminal.
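The shell helpers below are an added example, not part of the original notes and not code from the Prelude or Snort projects. They do the configuration edits of steps 4 and 7 idempotently (a commented or stale line is replaced, a missing section or line is appended, and running them twice changes nothing), add a preflight check that every .deb from the distribution is present before a single dpkg -i run for step 1, and expose reader functions so the result can be verified. Assumptions: prelude-lml.conf uses INI-style [section] headers and lives at /etc/prelude-lml/prelude-lml.conf, snort.conf carries one output alert_prelude: line, and the manager address 10.0.0.5 and the profile names lab-snort-1 / lab-lml-1 in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): idempotent helpers for steps 1, 4 and 7.
# Assumed defaults: the prelude-lml.conf path below and the snort.conf path from the notes.
set -eu

LML_CONF=${LML_CONF:-/etc/prelude-lml/prelude-lml.conf}
SNORT_CONF=${SNORT_CONF:-/usr/share/prelude/sensor-dist/snort-2.4.5/etc/rules/snort.conf}
DIST_DIR=${DIST_DIR:-/usr/share/prelude/sensor-dist}

# Every .deb from the distribution, listed so that each dependency precedes what needs it.
SENSOR_DEBS="initrd-tools_0.1.84.1_all.deb
tzdata_2006g-2_all.deb
libc6_2.3.6-16_i386.deb
libgpg-error0_1.2-1_i386.deb
libgcrypt11_1.2.2-3_i386.deb
libtasn1-3_0.3.5-2_i386.deb
libopencdk8_0.5.8-1_i386.deb
libgnutls13_1.4.1-1_i386.deb
libprelude2_0.9.7.2-1_i386.deb
prelude-lml_0.9.4-1_i386.deb"

# check_dist_files DIR NAME...: fail, listing what is missing, unless every NAME exists in DIR.
check_dist_files() {
    dir=$1; shift
    missing=0
    for f in "$@"; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# install_sensor_debs DIR: one dpkg invocation for all packages, so dpkg orders configuration itself.
install_sensor_debs() {
    check_dist_files "$1" $SENSOR_DEBS
    (cd "$1" && dpkg -i $SENSOR_DEBS)
}

# replace_file TMP FILE: copy TMP over FILE in place (keeps FILE's owner and mode), then drop TMP.
replace_file() {
    cat "$1" > "$2" && rm -f "$1"
}

# set_prelude_server_addr FILE ADDR: make "server-addr = ADDR" the setting of the [prelude]
# section. A commented "# server-addr" inside that section is replaced; a missing section is appended.
set_prelude_server_addr() {
    awk -v addr="$2" '
    /^[[:space:]]*\[/ {
        if (in_prelude && !done) { print "server-addr = " addr; done = 1 }
        in_prelude = ($0 ~ /^[[:space:]]*\[prelude\]/)
        if (in_prelude) seen = 1
        print; next
    }
    in_prelude && !done && /^[[:space:]]*#?[[:space:]]*server-addr[[:space:]]*=/ {
        print "server-addr = " addr; done = 1; next
    }
    { print }
    END {
        if (!seen) print "[prelude]"
        if (!done) print "server-addr = " addr
    }' "$1" > "$1.tmp" && replace_file "$1.tmp" "$1"
}

# prelude_server_addr FILE: print the active server-addr of the [prelude] section (empty if unset).
prelude_server_addr() {
    awk '
    /^[[:space:]]*\[/ { in_prelude = ($0 ~ /^[[:space:]]*\[prelude\]/); next }
    in_prelude && /^[[:space:]]*server-addr[[:space:]]*=/ {
        sub(/^[[:space:]]*server-addr[[:space:]]*=[[:space:]]*/, "")
        sub(/[[:space:]]+$/, "")
        print; exit
    }' "$1"
}

# set_snort_prelude_output FILE PROFILE: point the alert_prelude output plugin at PROFILE,
# replacing an existing (possibly commented) line or appending one if there is none.
set_snort_prelude_output() {
    awk -v profile="$2" '
    !done && /^[[:space:]]*#?[[:space:]]*output[[:space:]]+alert_prelude/ {
        print "output alert_prelude: profile=" profile; done = 1; next
    }
    { print }
    END { if (!done) print "output alert_prelude: profile=" profile }' "$1" > "$1.tmp" \
        && replace_file "$1.tmp" "$1"
}

# snort_prelude_profile FILE: print the profile= value of the active alert_prelude line (empty if none).
snort_prelude_profile() {
    awk '
    /^[[:space:]]*output[[:space:]]+alert_prelude:/ && match($0, /profile=[^[:space:]]+/) {
        print substr($0, RSTART + 8, RLENGTH - 8); exit
    }' "$1"
}

# Usage, as root on the sensor host, after the prelude-adduser registrations (placeholder values):
#   install_sensor_debs "$DIST_DIR"
#   set_prelude_server_addr "$LML_CONF" 10.0.0.5
#   set_snort_prelude_output "$SNORT_CONF" lab-snort-1
#   prelude_server_addr "$LML_CONF"; snort_prelude_profile "$SNORT_CONF"
```

The two set_ functions write a temporary file and then copy it over the original instead of renaming it, so the owner and mode of the configuration file survive the edit. Run the reader functions after the edit and compare their output with the names used in the prelude-adduser register commands before starting the daemons.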