12.08.07

Ubuntu Gutsy with Prelude, Prelude-manager, Prelude-lml, Prewikka and Snort.

Posted in OpenSourceSoftware, Ubuntu, Security at 9:00 pm by Edward Bjarte Fjellskål

It has been a while since I have played with IDS, but I have always been interested in Linux and security, so besides writing a logcleaner this week (as a proof of concept to myself that it is really hard to tell whether anyone has messed with your log files, even utmp and wtmp), I also wanted to test the Prelude-Snort installation on Gutsy. The whole installation is done on one server.

It started with a friend saying that you can never be 100% sure that your system is not cracked… To be honest, paranoid as one should be, you should always consider your system hacked! And that whatever you do - you can't find me :P I 0wn you!

Back to business. I believe this should do it:
aptitude install snort libprelude2 prelude-manager python-preludedb libpreludedb-dev libprelude-perl libpreludedb-perl prelude-lml munin munin-node mysql-server prewikka
(I feel handicapped without munin, so for me it's a must.)

The installation of prelude-manager will ask you for database info. You will have to add this info to the prewikka config under [idmef_database]. The installation of prewikka will ask you for database info too, so it's pretty much straightforward. In the snort config you need to add something like: output alert_prelude: profile=snort

Then you need to add the sensors to the prelude-manager. First we add prelude-lml:

Open two consoles, and in console one do:
# prelude-adduser registration-server prelude-manager
Then in console two do:
# prelude-adduser register prelude-lml "idmef:w admin:r" localhost
(then follow the instructions given…)

And then for snort in console one:
# prelude-adduser registration-server prelude-manager
And for console two:
# prelude-adduser register snort "idmef:w" 127.0.0.1 --uid 0 --gid 0
(I used uid and gid 0 for the snort user; the right values depend on your installation.)

I started # prewikka-httpd &
And then I browsed http://my-gutsy:8000/. Default user/passwd is admin.

Configure prelude-lml (look into its config file) to include /var/log/auth.log.
Then ssh to your-gutsy-installation using a wrong passwd. It should show up in the prewikka alerts.
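The wrong-password test works because prelude-lml applies pcre rules to each line it tails from auth.log and turns matches into IDMEF alerts that Prewikka displays. As an added illustration (not code from this post or from Prelude), here is a small Python matcher that mirrors that step over constructed sample sshd lines; the regex, field names and sample log are assumptions, not Prelude's shipped ruleset.

```python
import re

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (syslog prefix, then the sshd message); not a real capture.
SAMPLE_AUTH_LOG = """\
Dec  8 21:03:11 my-gutsy sshd[4121]: Accepted password for edward from 192.0.2.10 port 51022 ssh2
Dec  8 21:04:02 my-gutsy sshd[4130]: Failed password for edward from 192.0.2.10 port 51030 ssh2
Dec  8 21:04:09 my-gutsy sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Dec  8 21:05:00 my-gutsy CRON[4140]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Hypothetical rule in the spirit of the pcre rules prelude-lml applies to
# each line; the pattern and field names are assumptions, not Prelude's
# shipped ruleset.  "invalid user" is optional so both sshd variants match.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+) ssh2$"
)

def match_line(line):
    """Return IDMEF-style alert fields (as Prewikka would show them) for an
    sshd failed-password line, or None for anything else."""
    m = FAILED_LOGIN_RE.match(line.rstrip())
    if m is None:
        return None
    return {
        "classification": "Remote Login Failed",
        "source_addr": m["src"],
        "source_port": int(m["port"]),
        "target_node": m["host"],
        "target_user": m["user"],
        # sshd says "invalid user" when the account does not exist locally
        "user_exists": m["invalid"] is None,
    }

def scan_log(text):
    """Apply the rule to every line, as the sensor does while tailing the file."""
    alerts = []
    for line in text.splitlines():
        alert = match_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_AUTH_LOG):
        print(alert)
```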

Port scan your-gutsy-installation, and hopefully it shows up in prewikka alerts.

The next step is to read more about Prelude; I recommend: https://trac.prelude-ids.org/wiki/PreludeHandbook
The handbook is a bit newer than the Gutsy versions, I believe. prelude-admin (in the docs) is prelude-adduser in Gutsy.
Then you should read about snort: http://www.snort.org/.

After that, you can add lots of other cool sensors and get really paranoid!
Do you see me now? Or are your servers still cracked :P