I have started to work on a Live CD for open source security tools: the Prelude SIEM, plus software like Suricata, Snort and OpenVAS that send alerts to it. The goal is to easily test these tools, register new agents, get some alerts and be able to correlate them, etc. I also want to add some visualization tools, so this CD could maybe become a reference for security alert detection and reporting.
First, a few points on the applications used:
- Debian Live for building the CD. It’s very easy, it’s based on Debian, and it allows me to re-use some work I’ve done
- Suricata IDS, which is a very promising project
- Snort IDS, with the free signatures
- OpenVAS to be able to generate alerts
- Prelude SIEM is the key point: Suricata, Snort, syslog etc. will send alerts to Prelude, which has a database, a correlator, a web interface (Prewikka) etc.
- Standard useful tools: nmap, scapy, wireshark, p0f, etc.
This first version is based on Debian Lenny and the x86 architecture. Everything is based on packages (.debs) to make it easier to maintain, upgrade versions or add patches: most of the time, I just have to rebuild packages from squeeze or sid.
The build tools are:
- Debian Live (package name is live-helper; I’m running sid/unstable here)
- About 2-3 GB of free space (including cache, chroot and image).
- A local Debian repository for custom packages (I use reprepro)
- (optional) a chroot or pbuilder for rebuilding packages (I use cowbuilder).
Building the CD
You need to be root for that. We’ll assume you have created a container directory (for ex. LIVE_SIEM) and extracted the sources in that directory.
Configuration is done in the config subdir. Added packages are just named in package lists (files in the config/chroot_local-packageslists/ directory). Debian Live is nice, since it resolves dependencies: adding the name of the package should be enough.
The default window manager is LXDE, a good compromise between size, speed and features. You can change that in the file config/chroot.
The default keyboard layout is qwerty.
Just run:
and wait for a few minutes. The first command cleans up the chroot and binary directories (keeping the cache), and the second rebuilds the CD completely (downloads the required packages, installs them in the chroot, runs hooks, creates the compressed image etc.). Clearly, this is not the fastest way of making changes and quickly rebuilding the ISO, and it can be quite tedious if you have to test small changes. Using the individual helpers (see this page) may help.
After that, you should have a file called binary.iso in the directory.
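As an added example (my own script, not part of the post or of the Debian Live project), here is how the package-list step above can be scripted so that a typo in a package name fails immediately instead of deep inside the chroot build. It assumes the build root is the LIVE_SIEM directory from the post (overridable with $LIVE_SIEM) and that the two build commands the post refers to are live-helper's `lh clean` and `lh build`; the post itself does not show them, so that pairing is my assumption. The package names in the demo are taken from the tools the post lists.

```shell
#!/bin/sh
# Added example: manage a Debian Live package list for the SIEM Live CD and
# trigger a full rebuild. Not from the original post.
# Assumptions: build root is $LIVE_SIEM (default ./LIVE_SIEM); the live-helper
# commands are `lh clean` and `lh build`.
LIVE_SIEM="${LIVE_SIEM:-./LIVE_SIEM}"

# Write (or overwrite) one package list under config/chroot_local-packageslists/.
# Debian Live installs every package named in such a list and resolves the
# dependencies itself, so one name per line is all that is needed.
# Usage: add_package_list <listname> <package>...
add_package_list() {
    name="$1"; shift
    [ $# -ge 1 ] || { echo "usage: add_package_list <listname> <package>..." >&2; return 1; }
    dir="$LIVE_SIEM/config/chroot_local-packageslists"
    mkdir -p "$dir"
    # Reject anything that is not a plausible Debian package name (lowercase
    # alphanumerics plus "+", "-" and ".") so a typo fails here, not an hour
    # later inside the chroot.
    for pkg in "$@"; do
        case "$pkg" in
            *[!a-z0-9+.-]*|"") echo "invalid package name: '$pkg'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$@" | sort -u > "$dir/$name.list"
    echo "$dir/$name.list"
}

# Print every package requested by every list, deduplicated, so the set the
# next rebuild will pull in can be reviewed before spending the build time.
list_requested_packages() {
    cat "$LIVE_SIEM"/config/chroot_local-packageslists/*.list 2>/dev/null | sort -u
}

# Full rebuild as described in the post: clean chroot and binary directories
# (the cache is kept), then build everything. Must run as root in the build root.
rebuild_iso() {
    command -v lh >/dev/null 2>&1 || { echo "lh (live-helper) not found" >&2; return 1; }
    ( cd "$LIVE_SIEM" && lh clean && lh build ) && ls -l "$LIVE_SIEM/binary.iso"
}

# Stand-alone demo: `sh thisfile.sh demo` writes a list with the SIEM core
# packages named in the post; the rebuild only runs when live-helper is installed.
if [ "${1:-}" = "demo" ]; then
    add_package_list siem-core prelude-manager prewikka snort suricata openvas-server
    list_requested_packages
    rebuild_iso || true
fi
```

The name check is deliberately strict rather than complete: it catches spaces, capitals and shell punctuation, which are the usual copy-paste mistakes, and leaves the real validation to apt inside the chroot.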
Download
I’ve uploaded a very preliminary version of the iso here:
http://live.nufw.org/dl/siem-live-20100205.iso
Edit
Project page:
https://www.wzdftpd.net/redmine/projects/siem-live
All updates and changes will be added on the project page, so check it for
news (and new versions).
Changes: add GLPI, OCS Inventory, Prelude Notify and a basic homepage
This iso has:
- A qwerty keyboard
- Prelude + syslog + snort configured and installed, started on boot
- OpenVAS (server and client) installed but not started (due to the number of plugins, the server can take several minutes to start)
- Suricata 0.8 installed and basically configured to use all snort signatures. You have to start it manually, for ex. sudo suricata -c /etc/suricata/suricata.yaml -i eth0 and look in /var/log/suricata/*.log for alerts
- other tools like Scapy (hint: use ipython to use it in interactive mode), OpenSCAP libraries, etc.
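Once Suricata is running, the quickest sanity check is to see which rules fire most and from where, before the alerts are looked at in Prelude. The following is an added example of mine, not code from the post or from the Suricata project: it summarises alerts in Suricata's fast.log format by signature and priority, and by source address. The log lines are constructed samples; the signature ids 1000001-1000003 and the "CONSTRUCTED ..." messages are placeholders, not real rules, and the file name fast.log is Suricata's usual alert log, which the post only refers to as /var/log/suricata/*.log.

```shell
#!/bin/sh
# Added example: triage Suricata fast.log output. Not from the original post.
# The sample below is constructed; ids 1000001-1000003 are placeholders.
SAMPLE_FASTLOG='02/05/2010-10:01:02.000001  [**] [1:1000001:1] CONSTRUCTED web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:43120 -> 10.0.0.5:80
02/05/2010-10:01:03.000002  [**] [1:1000001:1] CONSTRUCTED web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:43121 -> 10.0.0.5:80
02/05/2010-10:01:05.000003  [**] [1:1000002:2] CONSTRUCTED ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 10.0.0.5
02/05/2010-10:02:10.000004  [**] [1:1000003:1] CONSTRUCTED SSH brute force attempt [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 192.0.2.12:50000 -> 10.0.0.5:22
02/05/2010-10:02:11.000005  [**] [1:1000001:1] CONSTRUCTED web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:43122 -> 10.0.0.5:80'

# Read fast.log lines on stdin; print "count<TAB>priority<TAB>sid<TAB>message",
# most frequent first, then highest priority (lowest number) first.
summarize_alerts() {
    tab="$(printf '\t')"
    awk '
        # "[**]" separates the timestamp, the "[gid:sid:rev] message" part and
        # the classification/priority/address part.
        BEGIN { FS = "\\[\\*\\*\\]" }
        NF >= 3 {
            split($2, head, "\\] ")                 # head[1] = " [1:1000001:1", head[2] = message
            sid = head[1]; sub(/^ *\[[0-9]+:/, "", sid); sub(/:[0-9]+$/, "", sid)
            msg = head[2]; sub(/ +$/, "", msg)
            prio = $3; sub(/.*\[Priority: /, "", prio); sub(/\].*/, "", prio)
            count[prio "\t" sid "\t" msg]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -t "$tab" -k1,1nr -k2,2n
}

# Alerts per source address (the token after "{PROTO} " up to " ->", port
# stripped), busiest first; one noisy source usually explains most of the volume.
alerts_by_source() {
    awk -F'[{][A-Z]+[}] ' '
        NF >= 2 { src = $2; sub(/ ->.*/, "", src); sub(/:[0-9]+$/, "", src); n[src]++ }
        END { for (s in n) print n[s] "\t" s }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone demo on the constructed sample; on the Live CD feed the real file:
#   summarize_alerts < /var/log/suricata/fast.log
printf '%s\n' "$SAMPLE_FASTLOG" | summarize_alerts
printf '%s\n' "$SAMPLE_FASTLOG" | alerts_by_source
```

Counting by signature and by source before tuning is what keeps a test ruleset useful: a rule that fires on every HTTP request from one scanner is a threshold or suppression candidate, whereas a single priority-1 hit from a new source is what you actually want Prelude to show you.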
Test
I don’t like to reboot, so to test I use VirtualBox or qemu:
qemu -net tap -net nic -boot d -cdrom {build-root}/binary.iso -m 256
During the boot sequence, the live CD will automatically configure applications:
- create databases
- setup a default working configuration for most applications
- create and register Prelude profiles for all applications supporting it
- start X, and open a browser on the local Prewikka (default login is admin/admin)
What to do after boot?
The live CD is running a syslog server; you can configure some servers or network devices to send logs to it and they will automatically be analyzed by Prelude.
You can connect to the http server to see the Prewikka interface
(default login/pass is admin/admin).
To change the keyboard layout at runtime, use setxkbmap kb, where kb is the keyboard layout to use (for ex. fr or de).
Next step?
I’m waiting for ideas / contributors / whatever :) I’ll update suricata with a recent version as soon as it has support for Prelude, and other tools as well. Just reply to this post (or contact me) if you have any suggestion.
Help would be appreciated to add visualization tools etc.
Edit
Git repository is up!