Thursday 13 March 2008

Prelude quick install

To install Prelude, the hybrid IDS (or meta IDS), on Debian in less than ten minutes, just use the packages:

  • install a database (PostgreSQL or MySQL)
  • install the Prelude manager; all the packages it needs will be pulled in automatically:

apt-get install prelude-manager

  • during the installation, dbconfig-common will ask whether to configure the database. Say yes and give the parameters: it will create a new database user, set a password, create the SQL schema and configure prelude-manager to use it.

This should be enough for the manager as long as the sensors run on the same host: by default it only listens on localhost. To accept sensors from the network, set the listen address (the listen option in /etc/prelude-manager/prelude-manager.conf) to the address of a network interface, and remember to let the manager port (4690/tcp by default) through the firewall.

To add agents (sensors), you have to install the package and register a new profile for each sensor. For example:

apt-get install prelude-lml
apt-get install snort

Create a profile for each sensor (the uid and gid must be those of the account the sensor runs as, otherwise it will not be able to read the key and certificate the registration creates):

prelude-admin register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0
...
prelude-admin register snort "idmef:w" <manager address> --uid 0 --gid 0
...

Follow the instructions printed during the registration: prelude-admin asks you to run "prelude-admin registration-server prelude-manager" on the manager host and to type the one-time password it prints; the sensor's key and certificate are then created and signed by the manager.

Check the address of the manager in the client configuration (the global file is /etc/prelude/default/client.conf):

server-addr = 192.168.1.1

For a complete installation guide (with explanations) including the web interface Prewikka, look at the Prelude Etch installation guide and the Prelude Handbook.

Wednesday 12 March 2008

Conference: OSSIR

Sébastien and I gave a presentation at OSSIR.

The subject was: Visualisation appliquée à la détection d'intrusion (roughly, "visualization applied to intrusion detection"). The slides of the talk can be found on the list of presentation materials.

The talk covered our work of the past year on intrusion detection: the proposed implementation of a correlator, some explanations on classifications and their current limitations, and how some graphs can help, especially the parallel axes (parallel coordinates) representation.

Monday 10 March 2008

ulogd2: the new userspace logging daemon for netfilter/iptables (part 1)

Ulogd (and ulogd2 as well) is a powerful and flexible logging system for Netfilter/iptables, built around plugins. It allows, for example, logging packets to an SQL database and analyzing them through a web interface (see Nulog2).

Architecture

Ulogd2 combines plugins to create a stack, where each plugin is chained to another. There are three types of plugins:

  • Source
  • Filter
  • Output

A stack must have exactly one source and exactly one output (but it can have several filters between them). Several stacks can be defined in the configuration.

Each plugin has a type (for example PGSQL) and must be instantiated under a name chosen by the user. Each instance is a configured copy of the plugin with its own parameters, set in a configuration section of the same name. This way, data can be output in several formats using different stacks.

For ex, the following stack :

stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,print1:PRINTPKT,pgsql1:PGSQL

defines a stack with the following properties:

  • the input plugin is NFLOG, which means packets are fed to ulogd2 with the -j NFLOG target of iptables
  • filters are BASE, IFINDEX, and PRINTPKT (we'll cover what they do later)
  • output plugin is of type PGSQL, so data will be logged to a PostgreSQL database.
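The stack rule above (one source first, one output last, filters in between, instances reusable across stacks) is easy to get wrong when editing ulogd.conf by hand. The following is an added example, not ulogd2's own parser: it checks stack= lines against that rule. The PLUGIN_ROLES table is an assumption, a hand-written and non-exhaustive map of ulogd2 plugin types to their role, and the sample configuration fragment is constructed for the example.

```python
"""Check ulogd2 'stack=' lines against the rule: one source plugin first,
one output plugin last, only filter plugins in between.

Added example, not ulogd2's own code. PLUGIN_ROLES is an assumption: a
hand-written, non-exhaustive map of ulogd2 plugin types to their role.
"""

# Assumption: plugin type -> role, for the ulogd2 plugins this example knows.
PLUGIN_ROLES = {
    "NFLOG": "source", "ULOG": "source", "NFCT": "source",
    "BASE": "filter", "IFINDEX": "filter", "IP2STR": "filter",
    "IP2BIN": "filter", "PRINTPKT": "filter", "PRINTFLOW": "filter",
    "PGSQL": "output", "MYSQL": "output", "SQLITE3": "output",
    "LOGEMU": "output", "OPRINT": "output", "SYSLOG": "output",
}


class StackError(ValueError):
    """A stack definition that breaks the source/filter/output rule."""


def parse_stack(line):
    """Turn 'stack=name:TYPE,name:TYPE,...' into a list of (name, type)."""
    line = line.strip()
    if not line.startswith("stack="):
        raise StackError("not a stack definition: %r" % line)
    plugins = []
    for item in line[len("stack="):].split(","):
        if ":" not in item:
            raise StackError("entry %r is not of the form instance:TYPE" % item)
        name, ptype = item.split(":", 1)
        plugins.append((name.strip(), ptype.strip()))
    return plugins


def validate_stack(line, roles=PLUGIN_ROLES):
    """Return the parsed stack, or raise StackError describing the problem."""
    plugins = parse_stack(line)
    if len(plugins) < 2:
        raise StackError("a stack needs at least a source and an output")
    order = []
    for name, ptype in plugins:
        if ptype not in roles:
            raise StackError("unknown plugin type %r for instance %s" % (ptype, name))
        order.append(roles[ptype])
    # Exactly one source, and it must come first.
    if order[0] != "source" or order.count("source") != 1:
        raise StackError("a stack must begin with exactly one source plugin")
    # Exactly one output, and it must come last; the rest are filters.
    if order[-1] != "output" or order.count("output") != 1:
        raise StackError("a stack must end with exactly one output plugin")
    return plugins


def check_stack(line, roles=PLUGIN_ROLES):
    """None when the stack is well formed, otherwise the error message."""
    try:
        validate_stack(line, roles)
    except StackError as err:
        return str(err)
    return None


def stacks_from_config(text, roles=PLUGIN_ROLES):
    """Validate every stack= line of a ulogd.conf body and return the stacks.

    The same instance may appear in several stacks (sharing a source or a
    filter chain), but one instance name cannot be bound to two plugin
    types, since its parameters live in a single [name] section.
    """
    seen = {}
    stacks = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped.startswith("stack="):
            continue  # comments, [sections] and other key=value lines
        plugins = validate_stack(stripped, roles)
        for name, ptype in plugins:
            if seen.setdefault(name, ptype) != ptype:
                raise StackError("instance %s is both %s and %s" % (name, seen[name], ptype))
        stacks.append(plugins)
    return stacks


# Constructed ulogd.conf fragment (not from the page): two stacks sharing the
# log1/base1/ifi1 instances, one writing to PostgreSQL, one to a text log.
SAMPLE_CONF = """
[global]
logfile="/var/log/ulogd.log"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,print1:PRINTPKT,pgsql1:PGSQL
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=0

[emu1]
file="/var/log/ulogd_syslogemu.log"
"""

if __name__ == "__main__":
    for stack in stacks_from_config(SAMPLE_CONF):
        print(" -> ".join("%s(%s)" % plugin for plugin in stack))
    print(check_stack("stack=log1:NFLOG,pgsql1:PGSQL,print1:PRINTPKT"))
```

Run it on your own ulogd.conf with stacks_from_config(open("/etc/ulogd.conf").read()) before restarting the daemon; a misplaced filter or a second source is reported with the offending instance name rather than discovered in the daemon log.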

What's new in ulogd2 ?

Ulogd2 brings a new SQL schema (see Linux Weekly News) where the data is split across several tables, instead of the single monolithic table of ulogd. This makes it easy to store additional data without modifying the existing schema: just add a new table and use the packet id as a foreign key.

The new schema is more complex to use directly: selecting all the data for a packet now requires a JOIN, and an insertion must write to several tables instead of one. To hide this, a set of views (for selects) and stored procedures (for insertions) has been written, so that ulogd2 does not have to know the SQL schema at all: if the schema changes, only the procedures and views have to be updated, not ulogd2.
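To make the split-table design concrete, here is an added example (not ulogd2's real schema, which targets PostgreSQL and MySQL): a small normalized packet schema on SQLite, a view that reassembles one flat row per packet so readers never write the JOIN, and a single insertion entry point that writes the base row and the protocol row in one transaction. All table and column names are made up for the example, and SQLite has no stored procedures, so a Python function plays the role ulogd2 gives to the stored procedure. The sample packets are constructed.

```python
"""A split-table packet schema in the spirit of ulogd2's, on SQLite.

Added example, not ulogd2's real schema: table and column names are made
up to show the three ideas in the text, data split across tables keyed
by the packet id, a view that hides the JOIN, and one insertion entry
point so the logger never touches the tables directly. SQLite has no
stored procedures, so a Python function stands in for the one ulogd2
calls on PostgreSQL/MySQL.
"""
import sqlite3

SCHEMA = """
-- One row per logged packet: the common (IP-level) fields only.
CREATE TABLE ulog2 (
    _id          INTEGER PRIMARY KEY AUTOINCREMENT,
    oob_time_sec INTEGER NOT NULL,
    oob_prefix   TEXT,
    ip_saddr     TEXT NOT NULL,
    ip_daddr     TEXT NOT NULL,
    ip_protocol  INTEGER NOT NULL
);
-- Protocol-specific fields live in their own tables, keyed by the packet id.
CREATE TABLE tcp (
    _tcp_id   INTEGER PRIMARY KEY REFERENCES ulog2(_id) ON DELETE CASCADE,
    tcp_sport INTEGER NOT NULL,
    tcp_dport INTEGER NOT NULL,
    tcp_syn   INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE udp (
    _udp_id   INTEGER PRIMARY KEY REFERENCES ulog2(_id) ON DELETE CASCADE,
    udp_sport INTEGER NOT NULL,
    udp_dport INTEGER NOT NULL
);
-- Extending the schema later is a new table with the same foreign key,
-- not an ALTER TABLE on a monolithic one.
CREATE TABLE ulog2_ct (
    _ct_id  INTEGER PRIMARY KEY REFERENCES ulog2(_id) ON DELETE CASCADE,
    ct_mark INTEGER
);
-- The view reassembles one flat row per packet, so readers need no JOIN.
CREATE VIEW ulog AS
    SELECT p._id, p.oob_time_sec, p.oob_prefix, p.ip_saddr, p.ip_daddr,
           p.ip_protocol,
           COALESCE(t.tcp_sport, u.udp_sport) AS sport,
           COALESCE(t.tcp_dport, u.udp_dport) AS dport,
           t.tcp_syn
    FROM ulog2 p
    LEFT JOIN tcp t ON t._tcp_id = p._id
    LEFT JOIN udp u ON u._udp_id = p._id;
"""

TABLES = ("ulog2", "tcp", "udp", "ulog2_ct")


def open_db():
    """Create the schema in an in-memory database with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE CASCADE
    conn.executescript(SCHEMA)
    return conn


def insert_packet(conn, ts, prefix, saddr, daddr, proto, sport=None, dport=None, syn=0):
    """The stored procedure's role: one call writes the base row and, for
    TCP (6) or UDP (17), the protocol row, in a single transaction.
    Returns the new packet id; callers never see the table layout."""
    with conn:  # commit on success, roll back if any statement fails
        cur = conn.execute(
            "INSERT INTO ulog2 (oob_time_sec, oob_prefix, ip_saddr, ip_daddr, ip_protocol)"
            " VALUES (?, ?, ?, ?, ?)", (ts, prefix, saddr, daddr, proto))
        pkt_id = cur.lastrowid
        if proto == 6:
            conn.execute("INSERT INTO tcp VALUES (?, ?, ?, ?)", (pkt_id, sport, dport, syn))
        elif proto == 17:
            conn.execute("INSERT INTO udp VALUES (?, ?, ?)", (pkt_id, sport, dport))
    return pkt_id


def packet_rows(conn):
    """Read back through the view: one dict per packet, JOIN already done."""
    return [dict(r) for r in conn.execute("SELECT * FROM ulog ORDER BY _id")]


def count_rows(conn, table):
    """Row count of one of the known tables (name checked against a fixed list)."""
    if table not in TABLES:
        raise ValueError("unknown table %r" % table)
    return conn.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]


def delete_packet(conn, pkt_id):
    """Deleting the base row cascades to the protocol-specific rows."""
    with conn:
        conn.execute("DELETE FROM ulog2 WHERE _id = ?", (pkt_id,))


if __name__ == "__main__":
    db = open_db()
    # Constructed sample packets (not from the page): a SYN to ssh, a DNS query, a ping.
    insert_packet(db, 1205400000, "INPUT DROP", "192.0.2.10", "192.0.2.1", 6, 40000, 22, 1)
    insert_packet(db, 1205400001, "FORWARD", "192.0.2.11", "192.0.2.53", 17, 53000, 53)
    insert_packet(db, 1205400002, "INPUT DROP", "192.0.2.12", "192.0.2.1", 1)
    for row in packet_rows(db):
        print(row["_id"], row["ip_saddr"], row["ip_protocol"], row["sport"], row["dport"], row["tcp_syn"])
```

The point to take from it is the contract: the logger only calls insert_packet and readers only query the view ulog, so adding a table such as ulog2_ct, or renaming a column, touches the schema and these two entry points but neither the daemon nor the analysis interface.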

Next time

What? That's all? Yes! This was a (short) introduction to what ulogd is. Next time, we'll cover the installation and use of ulogd2.