{"id":8,"date":"2008-01-27T13:50:20","date_gmt":"2008-01-27T12:50:20","guid":{"rendered":"http:\/\/blog.guiguiabloc.fr\/2008\/01\/27\/installer-et-configurer-prelude\/"},"modified":"2008-01-27T14:53:25","modified_gmt":"2008-01-27T13:53:25","slug":"installer-et-configurer-prelude","status":"publish","type":"post","link":"http:\/\/blog.guiguiabloc.fr\/index.php\/2008\/01\/27\/installer-et-configurer-prelude\/","title":{"rendered":"Install and configure Prelude"},"content":{"rendered":"<p><strong>Prelude<\/strong>, or Prelude-IDS, is a hybrid <a href=\"http:\/\/fr.wikipedia.org\/wiki\/Syst%C3%A8me_de_d%C3%A9tection_d%27intrusion\" title=\"Intrusion detection system\">intrusion detection system<\/a> (IDS) built from heterogeneous detector types:<\/p>\n<ul>\n<li>a NIDS: Network Intrusion Detection System;<\/li>\n<li>a HIDS: Host-based Intrusion Detection System;<\/li>\n<li>an LML: Log Monitoring Lackey.<\/li>\n<\/ul>\n<p>Its installation is not entirely straightforward, and to help my friend \"Argos\", who is struggling with it :-p, here is a small checklist.<br \/>\n<strong>How it works<\/strong><\/p>\n<p>Prelude comes in several modules:<\/p>\n<p>* libprelude: the core library, mandatory<br \/>\n* libpreludedb: for connecting to a database<br \/>\n* prelude-manager: the server that centralises the alerts<br \/>\n* prelude-lml: the log analysis module<br \/>\n* prelude-pflogger: the module that analyses pf logs (*BSD)<br \/>\n* prewikka: the Prelude front-end<\/p>\n<p>Since version 0.9 Prelude no longer ships an IDS of its own: detection comes from third-party sensors (Samhain and Snort below) that report their alerts to the manager.<\/p>\n<p>Download from <a href=\"http:\/\/www.prelude-ids.org\/\" title=\"Prelude\" target=\"_blank\">http:\/\/www.prelude-ids.org\/<\/a>:<\/p>\n<p>libprelude-0.9.14.tar.gz    prelude-lml-0.9.10.tar.gz     prelude-pflogger-0.9.0-rc2.tar.gz<br \/>\nlibpreludedb-0.9.12.tar.gz  prelude-manager-0.9.8.tar.gz  prewikka-0.9.11.4.tar.gz<\/p>\n<p>NB: obviously, replace the version numbers with the latest ones available \ud83d\ude42<\/p>\n<p>The IDS sensors:<\/p>\n<p>http:\/\/la-samhna.de\/samhain\/samhain-current.tar.gz<\/p>\n<p>http:\/\/www.snort.org\/dl\/current\/snort-2.7.0.tar.gz (not covered today; I will explain how Snort works in more detail in another post)<\/p>\n<p>Required packages (example for Debian, adapt to your distribution):<\/p>\n<blockquote><p>apt-get install libpcap-dev flex byacc gtk-doc-tools libssl-dev mysql-server libmysqlclient10-dev<br \/>\nlibxml2-dev libpcre3-dev libfam-dev gnutls-bin libgcrypt11-dev libgnutls11-dev libgpg-error-dev<br \/>\nlibopencdk8-dev libtasn1-2-dev libxmlsec1 libxmlsec1-gnutls<\/p><\/blockquote>\n<p>Note: libgnutls-dev version 1.0.7 or later is required.<\/p>\n<p>Also python and python-dev.<\/p>\n<p><strong>Installing libprelude<\/strong><\/p>\n<blockquote><p>libprelude-0.9.14# .\/configure --enable-gtk-doc<\/p>\n<p>Dumping configuration<br \/>\nGenerate documentation : yes<br \/>\nLibtool dynamic loader : Convenience<br \/>\nPerl binding           : yes<br \/>\nPython binding         : yes<\/p>\n<p>make &amp;&amp; make install<\/p><\/blockquote>\n<p>Or, on Debian (testing):<\/p>\n<blockquote><p>apt-get install libprelude2 libprelude-dev<\/p><\/blockquote>\n
<p><strong>Installing libpreludedb<\/strong><\/p>\n<p>libpreludedb-0.9.12# .\/configure<\/p>\n<p>make &amp;&amp; make install<\/p>\n<p>Edit \/etc\/ld.so.conf, add \/usr\/local\/lib, then run ldconfig so the libraries just installed under \/usr\/local\/lib are found by the dynamic loader.<\/p>\n<p><strong>MySQL<\/strong><\/p>\n<p>mysql&gt; create database prelude;<br \/>\nQuery OK, 1 row affected (0.06 sec)<br \/>\nmysql&gt; GRANT ALL PRIVILEGES ON prelude.* TO prelude@'localhost' IDENTIFIED BY 'prelude';<br \/>\nQuery OK, 0 rows affected (0.05 sec)<\/p>\n<p>The account is limited to the prelude database and to localhost, which is right; the password, however, is the same as the user name here, so pick a real one on anything other than a throwaway test box (it only has to be typed into the manager's and Prewikka's configuration files).<\/p>\n<p>$ mysql -u prelude prelude -p &lt; \/usr\/local\/share\/libpreludedb\/classic\/mysql.sql<br \/>\nEnter password:<\/p>\n<p><strong>Installing Prelude Manager<\/strong><\/p>\n<p>prelude-manager-0.9.8# .\/configure<\/p>\n<p>make &amp;&amp; make install<\/p>\n<p>Edit \/usr\/local\/etc\/prelude-manager\/prelude-manager.conf (this is where the database plugin is given the MySQL credentials created above).<\/p>\n<p>prelude-adduser add prelude-manager --uid 0 --gid 0<\/p>\n<p>This creates the manager's own profile (its key and certificates); --uid and --gid set the owner of those files, root here because the manager runs as root. The sensors below are registered with the uid\/gid they will run under.<\/p>\n
<p><strong>Installing Prelude-lml<\/strong><\/p>\n<p>On Debian (testing):<\/p>\n<p>apt-get install prelude-lml<\/p>\n<p>Register the sensor with the prelude-manager:<\/p>\n<p>prelude-adduser register prelude-lml \"idmef:w admin:r\" 127.0.0.1 --uid 1000 --gid 1000<\/p>\n<p>In another terminal (a new ssh session if you are working remotely), start the manager's registration server:<\/p>\n<p>prelude-adduser registration-server prelude-manager<\/p>\n<p>Answer the questions. What happens is a certificate enrolment: the sensor generates its key pair, authenticates to the registration server with the one-shot password exchanged between the two terminals, sends a certificate request and receives a certificate signed by the manager's CA; from then on the sensor authenticates to the prelude-manager over TLS with that certificate. The permission string (\"idmef:w admin:r\") is what the sensor is allowed to do: send IDMEF alerts and receive administrative messages.<\/p>\n<p>Edit \/etc\/prelude-lml\/prelude-lml.conf:<\/p>\n<p>file = \/var\/log\/messages<br \/>\nfile = \/var\/log\/syslog<br \/>\nfile = \/var\/log\/auth.log<\/p>\n<p>and<\/p>\n<p>[Pcre]<br \/>\nruleset=\/etc\/prelude-lml\/ruleset\/pcre.rules<\/p>\n<p>In the ruleset directory, edit pcre.rules and comment out the detection rules (or included rule files) you do not need: each rule is a regular expression that, when it matches a log line, fills in the fields of the IDMEF alert sent to the manager, so fewer rules means less noise and less CPU spent per line.<\/p>\n<p><strong>Installing Samhain<\/strong><\/p>\n<p>$ .\/configure --with-prelude<br \/>\n$ make<br \/>\n# make install<br \/>\n# make install-boot<\/p>\n<p>Edit \/etc\/samhainrc:<\/p>\n<p>[Log]<br \/>\nPreludeSeverity=crit<br \/>\nPreludeClass=EVENT<br \/>\n[Misc]<br \/>\nPreludeProfile=samhain<\/p>\n<p>PreludeSeverity is a threshold: with crit, only critical Samhain events are forwarded to the manager, lower ones stay in Samhain's own log. PreludeProfile must match the profile name registered below.<\/p>\n<p>Register the sensor with Prelude:<\/p>\n<p>prelude-adduser register samhain \"idmef:w\" 127.0.0.1 --uid 1000 --gid 1000<\/p>\n<p>In another terminal, start the registration server:<\/p>\n
<p>prelude-adduser registration-server prelude-manager<\/p>\n<p>Note the one-shot password and answer the questions:<\/p>\n<p>Enter the one-shot password provided by the \"prelude-adduser\" program:<br \/>\nenter registration one-shot password:<br \/>\nconfirm registration one-shot password:<br \/>\nconnecting to registration server (127.0.0.1:5553)...<br \/>\nAnonymous authentication to registration-server successful.<br \/>\nSending certificate request.<br \/>\nReceiving signed certificate.<br \/>\nReceiving CA certificate.<br \/>\nsamhain registration to 127.0.0.1 successful.<\/p>\n<p>Initialise the file database:<\/p>\n<p>samhain -t init (or samhain -t update to refresh it after legitimate changes)<\/p>\n<p>Then start the service:<\/p>\n<p>samhain -t check<\/p>\n<p><strong>Installing Prewikka<\/strong><\/p>\n<p>Prerequisite: the Cheetah templates from http:\/\/cheetahtemplate.org\/<\/p>\n<p>Cheetah-2.0rc8# python setup.py install<\/p>\n<p>Installing Prewikka itself:<\/p>\n<p>prewikka-0.9.11.4# python setup.py install<\/p>\n<p>Create the MySQL database:<\/p>\n<p>mysql&gt; CREATE database prewikka;<br \/>\nQuery OK, 1 row affected (0.05 sec)<\/p>\n<p>mysql&gt; GRANT ALL PRIVILEGES ON prewikka.* TO prewikka@'localhost' IDENTIFIED BY 'prewikka';<br \/>\nQuery OK, 0 rows affected (0.03 sec)<\/p>\n<p>$ mysql -u prewikka prewikka -p &lt; \/usr\/share\/prewikka\/database\/mysql.sql<br \/>\nEnter password:<\/p>\n<p>Edit \/etc\/prewikka\/prewikka.conf<\/p>\n<p>Fill in the names and passwords of the MySQL databases (Prewikka needs both: the prelude database to read the alerts, and its own prewikka database for its users and settings).<\/p>\n<p>Create the Apache vhost:<\/p>\n<p>&lt;VirtualHost *:80&gt;<br \/>\nServerName my.server.org<br \/>\nSetEnv PREWIKKA_CONFIG \"\/etc\/prewikka\/prewikka.conf\"<br \/>\n&lt;Location \"\/\"&gt;<br \/>\nAllowOverride None<br \/>\nOptions ExecCGI<br \/>\n&lt;IfModule mod_mime.c&gt;<br \/>\nAddHandler cgi-script .cgi<br \/>\n&lt;\/IfModule&gt;<br \/>\nOrder 
allow,deny<br \/>\nAllow from all<br \/>\n&lt;\/Location&gt;<br \/>\nAlias \/prewikka\/ \/usr\/share\/prewikka\/htdocs\/<br \/>\nScriptAlias \/ \/usr\/share\/prewikka\/cgi-bin\/prewikka.cgi<br \/>\n&lt;\/VirtualHost&gt;<\/p>\n<p>As written, this vhost serves the console over plain HTTP to anyone who can reach port 80 (Allow from all). Prewikka has its own login, but the credentials and the alerts then travel in clear, so restrict the Allow directive or put the vhost behind TLS if the host is reachable from outside your admin network.<\/p>\n<p>If you run into Python problems, rebuild the bindings from source:<\/p>\n<p>sources\/libprelude-0.9.14\/bindings\/python# python setup.py install<\/p>\n<p>Client configuration files:<\/p>\n<p>\/etc\/prelude\/default<\/p>\n<p>In global.conf:<\/p>\n<p>NodeName = toto.machine.et<\/p>\n<p>In client.conf:<\/p>\n<p>server_address = ip of the prelude manager<\/p>\n<p>This is a small memory aid and by no means an installation tutorial; I can only encourage you to read the \"<a href=\"https:\/\/trac.prelude-ids.org\/wiki\/PreludeHandbook\" title=\"Handbook\" target=\"_blank\">Handbook<\/a>\" on the Prelude site, which contains everything you need to install and configure your system.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prelude, or Prelude-IDS, is a hybrid intrusion detection system (IDS) built from heterogeneous detector types: a NIDS: Network Intrusion Detection System; a HIDS: Host-based Intrusion Detection System; an LML: Log Monitoring Lackey. 
&hellip; <a href=\"http:\/\/blog.guiguiabloc.fr\/index.php\/2008\/01\/27\/installer-et-configurer-prelude\/\">Read More <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,8],"tags":[10,221,11,9,222],"_links":{"self":[{"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/posts\/8"}],"collection":[{"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/comments?post=8"}],"version-history":[{"count":0,"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/posts\/8\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/media?parent=8"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/categories?post=8"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.guiguiabloc.fr\/index.php\/wp-json\/wp\/v2\/tags?post=8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
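What the prelude-lml Pcre plugin does with the ruleset the post tells you to trim, as an added example that is not code from Prelude or from the original post: a small Python model that parses rules written in a simplified form of the pcre.rules syntax (assumed here to be `regex=...;` followed by `field=value;` pairs, `$N` standing for capture groups and a bare `last` closing the rule), runs them over a few constructed syslog lines of the kind found in /var/log/auth.log, and then counts failed SSH logins per source address. The two rules, the IDMEF-style field names and the log lines are constructed for the example, not copied from the shipped ruleset.

```python
"""Model of what prelude-lml's Pcre plugin does with a ruleset.

Added example, not code from Prelude or from the original post. The rule
syntax is a simplified form of prelude-lml's pcre.rules format (assumption:
'regex=...;' followed by 'field=value;' pairs, '$N' for capture groups,
'last' closing the rule); the rules, field names and log lines below are
constructed for the example, not taken from the shipped ruleset.
"""
import re
from collections import Counter

# Constructed ruleset (assumption: simplified pcre.rules syntax, see above).
RULESET = r"""
regex=Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+); \
 classification.text=SSH login failed; \
 assessment.impact.severity=medium; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).user.user_id(0).name=$1; \
 last
regex=Accepted (\S+) for (\S+) from (\S+) port (\d+); \
 classification.text=SSH login succeeded; \
 assessment.impact.severity=info; \
 source(0).node.address(0).address=$3; \
 target(0).user.user_id(0).name=$2; \
 last
"""

# Constructed syslog lines (documentation address ranges, invented hostname).
LOG_LINES = [
    "Jan 27 13:50:20 host1 sshd[2231]: Failed password for invalid user oracle from 203.0.113.7 port 41776 ssh2",
    "Jan 27 13:50:21 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 41778 ssh2",
    "Jan 27 13:52:02 host1 sshd[2240]: Accepted publickey for guigui from 192.0.2.10 port 50122 ssh2",
    "Jan 27 13:53:00 host1 cron[1004]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_ruleset(text):
    """Parse the ruleset into a list of (compiled regex, {field: template}).

    Backslash-continued lines are joined, a bare 'last' line closes a rule,
    '#' lines are comments. Field values may contain $1, $2, ... which are
    substituted from the regex capture groups when the rule fires.
    """
    rules, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "last":
            body = " ".join(buf)
            parts = [p.strip() for p in body.split(";") if p.strip()]
            if not parts or not parts[0].startswith("regex="):
                raise ValueError("rule must start with regex=: %r" % body)
            regex = re.compile(parts[0][len("regex="):])
            fields = dict(p.split("=", 1) for p in parts[1:])
            rules.append((regex, fields))
            buf = []
        else:
            buf.append(line.rstrip("\\").strip())
    if buf:
        raise ValueError("unterminated rule (missing 'last')")
    return rules


def match_line(rules, line):
    """Return the alert fields for the first rule matching `line`, else None.

    'last' semantics: the first matching rule wins, later rules are not tried.
    """
    for regex, fields in rules:
        m = regex.search(line)
        if m is None:
            continue
        alert = {key: re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)
                 for key, value in fields.items()}
        alert["log"] = line
        return alert
    return None


def analyse(rules, lines):
    """Run every log line through the ruleset; unmatched lines produce nothing."""
    alerts = []
    for line in lines:
        alert = match_line(rules, line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def failed_logins_by_source(alerts, threshold=2):
    """Count 'SSH login failed' alerts per source address and keep those at or
    above `threshold`: a small correlation step on top of per-line matching."""
    counts = Counter(a["source(0).node.address(0).address"] for a in alerts
                     if a["classification.text"] == "SSH login failed")
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for alert in analyse(rules, LOG_LINES):
        print(alert["classification.text"], "|", alert["target(0).user.user_id(0).name"],
              "from", alert["source(0).node.address(0).address"])
    print("repeated failures:", failed_logins_by_source(analyse(rules, LOG_LINES)))
```

Running it shows the two failed logins and the accepted key login turned into alerts with the user and source address filled in from the capture groups, the cron line ignored, and 203.0.113.7 flagged for two failures; this is the kind of output the real plugin forwards to prelude-manager as IDMEF, and the reason for pruning the ruleset is visible in the cost of trying every regex against every line.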