Creating a live CD for the open source SIEM Prelude and Suricata
I have started to work on a Live CD for open source security tools: Prelude SIEM, with Suricata, Snort, OpenVAS and others sending it alerts. The goal is to easily test these tools, register new agents, get some alerts and be able to correlate them, etc. I also want to add some visualization tools, so this CD could maybe become a reference for security alert detection and reporting.
First, a few points on applications used:
- Debian Live for building the CD. It’s very easy, it’s based on Debian, and it allows me to re-use some work I’ve done
- Suricata IDS, which is a very promising project
- Snort IDS, with the free signatures
- OpenVAS to be able to generate alerts
- Prelude SIEM is the key point: Suricata, Snort, syslog etc. will send alerts to Prelude, which has a database, a correlator, a web interface (Prewikka) etc.
- Standard useful tools: nmap, scapy, wireshark, p0f, etc.
This first version is based on Debian Lenny and the x86 architecture. Everything is built from packages (.debs) to make it easier to maintain, upgrade versions or add patches: most of the time, I just have to rebuild packages from squeeze or sid.
The build tools are:
- Debian Live (package name is live-helper; I'm running sid/unstable here)
- About 2-3 GB of free space (including cache, chroot and image)
- A local Debian repository for custom packages (I use reprepro)
- (optional) a chroot or pbuilder for rebuilding packages (I use cowbuilder).
Building the CD
You need to be root for that. We'll assume you have created a container directory (for example LIVE_SIEM) and extracted the sources in that directory.
Configuration is done in the config subdir. Added packages are just named in package lists (files in the config/chroot_local-packageslists/ directory). D-L is nice, since it respects dependencies, so adding the name of the package should be enough.
Default window manager is LXDE, a good compromise between size, speed and features. You can change that in the file config/chroot.
Default keyboard layout is qwerty.
Just run:
lh clean
lh build
and wait for a few minutes. The first command cleans up the chroot and binary directories (keeping the cache), and the second completely rebuilds the CD (download required packages, install them in the chroot, run hooks, create the compressed image etc.). Clearly, this is not the fastest way of making changes and quickly rebuilding the ISO, and it can be quite tedious if you have to test small changes... Using individual helpers (See this page) may help.
After that, you should have a file called binary.iso in the directory.
Download
I’ve uploaded a very preliminary version of the iso here: http://live.nufw.org/dl/siem-live-20100205.iso
Edit
Project page: https://www.wzdftpd.net/redmine/projects/siem-live
All updates and changes will be added on the project page, so check it for news (and new versions).
Changes: add GLPI, OCS Inventory, Prelude Notify and a basic homepage
This iso has:
- A qwerty keyboard
- Prelude + syslog + snort configured and installed, started on boot
- OpenVAS (server and client) installed but not started (due to the number of plugins, the server can take several minutes to start...)
- Suricata 0.8 installed and basically configured to use all Snort signatures. You have to start it manually, for example:
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
and look in /var/log/suricata/*.log for alerts
- other tools like Scapy (hint: use ipython to use it in interactive mode), OpenSCAP libraries, etc.
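As an added example (not code from the original post or from the Suricata project) for triaging what lands in /var/log/suricata/fast.log: a small Python parser for Suricata's snort-style fast.log line format that counts alerts per signature and per source host and drops low-priority noise. The field layout is assumed from Suricata's fast output; the sample lines, sid values and addresses are constructed.

```python
import re
from collections import Counter
# One Suricata fast.log alert line (snort-style "fast" format, IPv4 assumed):
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"   # Classification is optional
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"    # ICMP lines carry no ports
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_log_line(line):
    """Return a dict of alert fields, or None when the line is not an alert."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert

def summarize_alerts(lines, max_priority=2):
    """Count alerts per (sid, msg) and per source host, dropping priorities above max_priority."""
    by_signature, by_source, unparsed = Counter(), Counter(), 0
    for line in lines:
        alert = parse_fast_log_line(line)
        if alert is None:
            unparsed += bool(line.strip())   # count non-empty lines we could not parse
            continue
        if alert["prio"] > max_priority:     # lower number = more severe in Suricata
            continue
        by_signature[(alert["sid"], alert["msg"])] += 1
        by_source[alert["src"]] += 1
    return {"by_signature": by_signature, "by_source": by_source, "unparsed": unparsed}
# Constructed sample lines (local sid range 1000001+, RFC 5737 test addresses), not real sensor output.
SAMPLE_FAST_LOG = """\
02/05/2010-10:15:01.123456  [**] [1:1000001:1] LOCAL Example SSH login failures [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:44321 -> 192.0.2.20:22
02/05/2010-10:15:02.654321  [**] [1:1000001:1] LOCAL Example SSH login failures [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:44322 -> 192.0.2.20:22
02/05/2010-10:15:03.000001  [**] [1:1000002:2] LOCAL Example ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 192.0.2.20
02/05/2010-10:15:04.500000  [**] [1:1000003:1] LOCAL Example DNS policy violation [**] [Priority: 2] {UDP} 192.0.2.12:5353 -> 192.0.2.20:53
this line is not an alert and must be counted as unparsed
"""

if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_FAST_LOG.splitlines())
    print(summary["by_signature"].most_common(), dict(summary["by_source"]), summary["unparsed"])
```

On the live CD, replace SAMPLE_FAST_LOG.splitlines() with the lines of /var/log/suricata/fast.log to get the same summary for real traffic.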
Test
I don’t like to reboot, so to test I use VirtualBox or qemu:
qemu -net tap -net nic -boot d -cdrom {build-root}/binary.iso -m 256
During the boot sequence, the live CD will automatically configure applications:
- create databases
- setup a default working configuration for most applications
- create and register Prelude profiles for all applications supporting it
- start X, and open a browser on the local Prewikka (default login is admin/admin)
What to do after boot?
The live CD runs a syslog server; you can configure some servers or network devices to send their logs to it and they will automatically be analyzed by Prelude.
You can connect to the http server to see the Prewikka interface (default login/pass is admin/admin).
To change the keyboard layout at runtime, use setxkbmap kb, where kb is the keyboard layout to use (for example fr or de).
Next step?
I'm waiting for ideas / contributors / whatever :) I'll update Suricata to a recent version as soon as it has Prelude support, and update other tools as well. Just reply to this post (or contact me) if you have any suggestion.
Help would be appreciated to add visualization tools etc.
Edit
Git repository is up!
- Web interface http://www.wzdftpd.net/cgi-bin/gitweb.cgi?p=siem-live.git;a=summary
- Source:
git clone http://git.wzdftpd.net/siem-live.git/
- Project page: https://www.wzdftpd.net/redmine/projects/siem-live