Tuesday, August 2, 2011

prelude faq


Prelude's FAQ
v. 0.02 (February 2002)

This document is the Frequently Asked Questions on the Network Intrusion Detection System called "prelude".
This document can easily be enhanced by your suggestions, which are welcome.
You can send anything about this FAQ to Sebastien Tricaud, toady@cell-security.com.
This FAQ is divided into two parts :
- Part I : General Questions, which talks about IDS and prelude in general.
- Part II : Technical Questions, about prelude's installation, configuration and usage problems.


Index of this FAQ

Part I : General Questions

Section 1 : About this FAQ

1.1 Nowadays, who supports it ?
1.2 Who are the contributors ?
1.3 Where can it be found ?
1.4 And my questions ?

Section 2 : What are IDS ?

2.1 What does IDS mean ?
2.2 What's the purpose of an IDS ?
2.3 What kind of IDS are there ?
2.4 What kind of IDS is prelude ?
2.5 What IDS can do ?
2.6 What IDS won't do ?

Section 3 : Prelude

3.1 Can I run prelude on other UNICES ?
3.2 Can I run prelude on other OS than POSIX systems ?
3.3 Through which communication port does prelude work with the server ?
3.4 Can I use prelude in a switched network ?
3.5 Can I use prelude behind a firewall ?
3.6 Can I export prelude's reports ?
3.7 How can I check that prelude report is running right ?
3.8 How can I be sure that prelude is running well ?
3.9 How can I set ruleset for prelude ?
3.10 What are the differences between prelude and snort ?

Section 4 : Resources

4.1 Mailing lists
4.2 Prelude's official website

Part II : Technical Questions

Section 1 : While installing prelude

1.1 Do I need to have libpcap installed ?
1.2 I want to run prelude's Manager server through xinetd, how can I do it ?
1.3 How do I update prelude ruleset ?

Section 2 : Compilation troubles

2.1 I have some libtool problems, what can I do ?

Section 3 : While configuring prelude

3.1 How do I run prelude on an interface with no IP address ?
3.2 How do I ignore packets coming from a specific host ?
3.3 Can I import snort's plugins ?

Section 4 : While using prelude

4.1 Hey, where are the logs located ?
4.2 When I start prelude I get errors from the rules file ?
4.3 What is BPF ?
4.4 Is prelude vulnerable to noise generators like "Stick" and "Snot" ?
4.5 What about prelude against Gigabit-speed intruders ?
4.6 How does prelude work with IP fragmented packets ?

Section 5 : Prelude's troubleshooting

5.1 When I start prelude, I get the message : " no interface nor file to read the packet from where specified", why ?
5.2 What are the false positives ?
5.3 Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set ?
5.4 I'm running prelude 0.4.2 and it complains that it can't find /usr/local/etc/prelude/prelude.rules. What's wrong?


Part I/Section 1 : About this FAQ

1.1 Nowadays, who supports it ?
It has been written by Sebastien Tricaud <toady@cell-security.com>

1.2 Who are the contributors ?
The following people gratefully contributed to this FAQ:
Yoann Vandoorselaere
Laurent Oudot
Jean-Francois Taltavull
Krzysztof Zaraska

1.3 Where can it be found ?
On toady's web page : http://www.linuxlots.com/~tricauds/prelude
Subsequent modifications are posted on the prelude-dev mailing list.

1.4 And my questions ?
Please be as clear as possible in the questions you ask, and include every element that could help us help you.


Part I/Section 2 : What are IDS ?

2.1 What does IDS mean ?
IDS means Intrusion Detection System; it can also be called NIDS, for Network Intrusion Detection System.

2.2 What's the purpose of an IDS ?
An IDS has to report each abnormal packet received that targets your network.
It is not a firewall, but it tries to keep you from receiving attacks; that's why it plays an important part in your network, complementary to a firewall.


2.3 What kind of IDS are there ?
As far as I know, there are :
  • Host-based IDS : looks only at packets addressed to the machine.
  • Hybrid IDS : it consists of a misuse detection component that mostly detects anomalies, based on a statistical approach that flags events as intrusive if they deviate from the expected behaviour. It combines Network IDS and Host-based IDS.

2.4 What kind of IDS is prelude ?
Prelude is a Hybrid IDS. This means there are different sensors with different capabilities (network sensor, host-based sensor, etc.). These sensors send events to a central Manager, which processes them and is responsible for event reporting. There is also a correlation agent working together with the Manager.


2.5 What IDS can do ?
(by prole@subterrain.net) 

  • Audit system configurations and scan for vulnerabilities
  • Assess data integrity of critical files
  • Recognize indications of known attacks
  • Recognize abnormal activity
  • Manage audit trails and assist in analysis

2.6 What IDS won't do ?
(by prole@subterrain.net)
All of these are limitations, but I'd like to stress the importance of the first three.  "IDS as the ultimate security solution" reminds me of a quote from "Monty Python and the Holy Grail":
   "Listen, lad, I built this kingdom up from nothing.  All I had when
    I started was swamp ...  other kings said I was daft to build a
    castle on a swamp, but I built it all the same ... just to show 'em.
    It sank into the swamp.  So I built another one ... that sank
    into the swamp.  I built another one ...  That fell over and THEN
    sank into the swamp ....  So I built another ... and that stayed up.
    ... And that's what you're gonna get, lad: the most powerful kingdom in
    this island."
If you believe that, I've got an IDS to sell you.

  • Compensate for weak identification and authentication checks
  • Compensate for weaknesses in specifications (notably network protocols)
  • Compensate for a weak OS
  • Comprehensive, intuition-based investigation (yet)
  • Create security policies
  • Analyze _all_ traffic on a network and maintain infinite state
  • Run themselves


Part I/Section 3 : Prelude

3.1 Can I run prelude on other UNICES ?
Prelude is still at the development stage, which means it may or may not compile on your platform. In case it does not, please send us a bug report and your configuration.
Watch for new releases of this FAQ : prelude's crew is working on a FreeBSD port (ask Krzysztof Zaraska if you are interested in this port).

3.2 Can I run prelude on other OS than POSIX systems ?
At present, prelude does not work on anything other than POSIX systems, because of its low-level code.

3.3 Through which communication port does prelude work with the server ?
The port currently used is 5554, but you can set up your own. This may change though.
We suggest you change this number so that people cannot tell that this port belongs to prelude.

3.4 Can I use prelude in a switched network ?
(mostly answered by Laurent Oudot)

Sure. But you will only see data coming from/to a machine on your wire.
But if you really want to know what's going on in your switched network, the best thing you can do is to try to get all packets directly on the switches. Most good switches offer an option that helps you plug an analyser into the switch itself, in order to capture all the traffic for network monitoring and administration reasons.
So if you want, you can use it to get a copy of each packet seen by a switch when it forwards it to the good port. It may even work with VLAN switched environments.

Here is a little example that works with CISCO switches.
First, log on to the switch you want to monitor the traffic on, go under the CLI (Cisco shell) and use the "enable" option (for higher administrative rights).
Then you may be able to use the "SPAN". On some Cisco *Switches* (it's important, on routers "span" may be used as a keyword for spanning tree, which is totally different :-) ), SPAN means Switched Port ANalyser (ESPAN is Enhanced for multiport support).
sh span  --> will show you the current config of the SPAN ; by default, you should see that no port has been put in monitoring mode (or, u got a problem dude !). Afterwards it will help you to see what monitoring config you put.
set span 3/1,3/2,4/3 5/3 both  --> will copy any packets of ports number 3/1, 3/2 and 4/3 (you can specify what you want with this style) to the 5/3 destination monitoring port.

3.5 Can I use prelude behind a firewall ?
It depends : as long as prelude needs to read packets coming from outside, if your firewall allows (some) packets through, prelude can analyse them.
It works with Linux / iptables. For the other OSes it is unknown as of now (if you know the answer, please write to me).

3.6 Can I export prelude's reports ?
Yes, reports are available on the Manager, which can be either on the sensor machine or on another host.

3.7 How can I check that prelude report is running right ?
(asked by Forsman Dennis)
In order to be sure that the prelude report program is running, you can do a ps aux | grep prelude-report; if you see that the process is running, all is right.
Be careful not to take into consideration the process 'grep prelude-report', which is the grep command you just typed matching itself.
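As an added example (not from the FAQ or the Prelude project), here is a small POSIX shell function that filters a ps listing so that the grep command itself never shows up as a "prelude-report" process. It relies on the classic bracket trick: the pattern [p]relude-report matches the text prelude-report, but grep's own command line contains the literal string [p]relude-report, which the pattern does not match. The ps output embedded below is constructed for the demonstration, and the /usr/local/bin/prelude-report path in it is an assumption.

```shell
# Added example, not part of the Prelude FAQ or project.
# Count the real prelude-report processes in a "ps aux" listing read from
# standard input, excluding the grep that is doing the searching.
count_prelude_report() {
    # '[p]relude-report' matches "prelude-report" but not the literal
    # "[p]relude-report" that appears in our own grep command line.
    # The second grep drops any other shell running "grep prelude-report".
    # grep -vc prints the remaining line count (0 when nothing is left);
    # "|| true" keeps the function's exit status 0 for use under "set -e".
    grep '[p]relude-report' | grep -vc ' grep ' || true
}

# Exit status 0 if at least one prelude-report process is running.
is_prelude_report_running() {
    n=$(ps aux 2>/dev/null | count_prelude_report)
    [ "${n:-0}" -gt 0 ]
}

# Constructed sample ps output: one real sensor process plus the grep
# that a user typing "ps aux | grep prelude-report" would see.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       812  0.0  0.1  2332  980 ?        S    10:02   0:00 /usr/local/bin/prelude-report
root       900  0.0  0.0  1864  600 pts/0    S    10:05   0:00 grep prelude-report'

# Demonstration: the naive count includes the grep line, ours does not.
naive=$(printf '%s\n' "$SAMPLE_PS" | grep -c 'prelude-report')
real=$(printf '%s\n' "$SAMPLE_PS" | count_prelude_report)
echo "naive grep count: $naive   real processes: $real"   # naive 2, real 1

if is_prelude_report_running; then
    echo "prelude-report is running on this host"
else
    echo "prelude-report is not running on this host"
fi
```

On systems that have pgrep, `pgrep -x prelude-report` does the same job without the self-matching problem, since it matches process names rather than the text of a ps listing.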

3.8 How can I be sure that prelude is running well ?
For that, you can start prelude with the following parameters :
prelude-nids -i <interface> -m Debug -e
which enables the debug plugin, which emits an alert for each packet.

3.9 How can I set ruleset for prelude ?
Until version 0.4.2, prelude did not furnish its own default ruleset. You could retrieve one from the official snort web site.
3.10 What are the differences between prelude and snort ?
(asked by Forsman Dennis, answered by Yoann Vandoorselaere)
Well, that's quite a polemical discussion. Prelude is, at least in the newer release (still in CVS), a hybrid IDS. Which means you have a central Manager gathering data from sensors that can be distributed in your whole network. You can have any kind of sensor.
Also, Prelude is modular, and easily extensible through plugins. The Prelude signature engine is also fully separate from the signature parser, which potentially permits anyone to develop a plugin for parsing any kind of signature ruleset.
From a performance standpoint, the Prelude signature engine is faster. In the test we made, the Prelude signature engine ended up being 30% faster at 300Kb/s, and 300% faster at 9Mb/s than the Snort one (and this is exponential)... This performance can be achieved thanks to the use of a binary tree, at the price of using more memory. This data was gathered on Prelude 0.4.2, and might change for the next release.


Part I/Section 4 : Resources

4.1 Mailing lists
There are three mailing lists, which are :
  • prelude-cvslog@prelude-ids.org, the ChangeLog of each cvs commit is sent here;
  • prelude-devel@prelude-ids.org, the development mailing list;
  • prelude-user@prelude-ids.org, for user support.

You can choose the appropriate mailing list according to your needs.
Send a mail to listname-subscribe@prelude-ids.org in order to subscribe to the mailing list. In order to unsubscribe, send a mail to listname-unsubscribe@prelude-ids.org.

4.2 Prelude's official website
http://www.prelude-ids.org/


Part II/Section 1 : While installing prelude

1.1 Shall I need to have libpcap installed ?
You don't need to. The Prelude NIDS sensor furnishes its own, modified version of libpcap that permits it to avoid copying packets. This may change if we can find an agreement with the pcap maintainers to include this patch in the pcap distribution.

1.2 I want to run prelude's Manager server through xinetd, how can I do it ?
No. The Prelude Manager has its own, optimised serving system. As a result, you won't be able to run the Prelude Manager from xinetd.

1.3 How do I update prelude ruleset ?
Prelude accepts snort rules, so you can use the current snapshot from http://www.snort.org/downloads/snortrules.tar.gz. With prelude 0.4.2 [others?] you need to place all rules in one file; after unpacking the archive simply do :

cat *.rules > /usr/local/etc/prelude/prelude.rules

then edit prelude.rules and include the following variable definitions at the top of the file:

var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

You may of course set these differently to suit your particular needs.

With prelude 0.8 [currently in CVS] you may simply place the unpacked rule files in /usr/local/etc/prelude-nids/ruleset/, overwriting those already there. Be sure however to keep the original prelude.rules and classification.config. Pay special attention to classification.config, because prelude needs a modified version and will not work with the one from the snort rules distribution.


Part II/Section 2 : Compilation troubles

2.1 I have some libtool problems, what can I do ?
If you get an error like "libtool: link: cannot build libtool library `libprelude.la' from non-libtool objects: ../libmissing/libmissing.a" during the compilation of libprelude (for example), you should upgrade your libtool version (run libtool --version to see it). We recommend using at least 1.4.2 to compile prelude programs properly (on a Debian 2.2r3 it is 1.3.3 by default).


Part II/Section 3 : While configuring prelude

3.1 How do I run prelude on an interface with no IP address ?
Try to emulate an ethernet card (/dev/eth0); I have heard of programs able to do it.


3.2 How do I ignore packets coming from a specific host ?

You can specify one bpf rule per interface, so for example you could start prelude-nids with -i <interface> -b "<bpf rule>", repeating the -i / -b pair for each interface you listen on.

3.3 Can I import snort's plugins ?

Snort plugins can be ported quite easily, as long as you are able to write C code. The main difference between Snort and Prelude plugins is that Prelude's are dynamically loaded on request, and are not part of the main program (which makes it easier to add plugins).


Part II/Section 4 : While using prelude

4.1 Hey, where are the logs located ?
Logs are located on the Manager host. The exact location of the logs depends on the reporting plugins you use.
4.2 When I start prelude I get errors from the rules file ?
If you use rules files coming from snort and "cat" them all into one file, the errors come from the fact that these rules are badly written.
4.3 What is BPF ?
BPF means Berkeley Packet Filter. The goal of BPF is to provide a raw interface to the data link layer. Each packet on the wire is visible through this mechanism.
4.4 Is prelude vulnerable to noise generators like "Stick" and "Snot" ?
Well, as far as the signature engine is concerned : yes. We'll soon add code that permits discarding some false attack reports, by tricks like testing whether the packet is part of a TCP connection.
4.5 What about prelude against Gigabit-speed intruders ?
Still not tested. 
4.6 How does prelude work with IP fragmented packets ?
Prelude handles IP fragmentation, and so is able to reassemble fragmented IP packets.


Part II/Section 5 : Prelude's troubleshooting

5.1 When I start prelude, I get the message : " no interface nor file to read the packet from where specified", why ?
You have to start the Prelude NIDS sensor with the -i 'devicename' argument.
Example : prelude-nids -i eth0

5.2 What are the false positives ?
Also known as false alarms, they are quite a big problem, and the purpose of an IDS is to try to avoid them as much as possible.
It is like saying that something runs OK when it doesn't : that is a false positive, and it's the same with the packets you receive.

5.3 Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set ?
(from the snort FAQ)
One of the reasons it alerts on PA flags is to minimize false positives. You will only get an alert upon successful connections. If you want to see all the attempts, you either have to modify the signatures, add your own signatures, or use your firewall logs to see if an attempt on a specific port occurred.

5.4 I'm running prelude 0.4.2 and it complains that it can't find /usr/local/etc/prelude/prelude.rules. What's wrong?
Prelude 0.4.2 is shipped without a default ruleset; you must download the snort ruleset yourself. See question 1.3, "How do I update prelude ruleset ?".