Gentoo Linux Documentation -- Prelude Intrusion Detection System
Zack Gilburd, Michael Boman, Krzysztof Zaraska
This guide will assist you in setting up the Prelude Intrusion Detection System along with the rules needed to make it useful.
Version 0.0.99, 2003-07-17
About Prelude
Background Information

Prelude was founded and written by Yoann Vandoorselaere in 1998. Many others have also contributed greatly to it.

Prelude is a hybrid intrusion detection system that will detect and monitor security intrusions, whether they come from an attack mounted over the Internet or an attack mounted locally. The log monitoring work that Prelude does is made possible by the LML (Log Monitoring Lackey). Prelude can also use the rulesets from intrusion detection systems such as Snort.

What Are the Components?
  • prelude-manager : The manager is the place where all the main logging is done. When the manager receives a signal from the sensors, it logs the signal so the user can investigate. Logging can either be done to a file or to a database such as MySQL. The latter is the recommended solution.
  • prelude-nids : NIDS is a plugin for Prelude and stands for Network Intrusion Detection System. The prelude-nids package should definitely be used alongside Prelude proper, but is not mandatory. The NIDS package also provides functionality like that of Snort.
  • prelude-lml : The LML stands for Log Monitoring Lackey. Like the NIDS, it is also a sensor. The LML watches your logfiles and looks for anything out of the ordinary. Should abnormalities be found, an alert is sent to the manager.
  • libprelude : libprelude provides the libraries necessary for the manager to be able to talk to the other plugins. It also provides the sensors with extra features.
  • piwi : PIWI stands for Prelude Intrusion (Detection System) Web Interface. The title pretty much describes the package; it is a Perl-powered interface that helps the end user manage their rules and see when attacks are happening or have happened.
Installing Prelude
Emerging the Packages

We will now begin by adding ssl to our make.conf, then emerging each of the packages described above.

You do not have to delete other entries from your USE, just add ssl.
USE="ssl"
Emerging the libraries.
# emerge libprelude
Now for the log lackey.
# emerge prelude-lml
Installing the Network Intrusion Detection System
# emerge prelude-nids
Now for the most important component: The manager.
# emerge prelude-manager
Lastly, we will install PIWI.
# emerge piwi
Configuring Prelude
Setting up the Manager

We will now edit the Manager's main configuration file, prelude-manager.conf. Two of the most important settings control where Prelude will listen. For instance, if the box has two IPs and you want Prelude to listen on only one of them, you would supply that IP in the configuration.

# Sensor Server is listening on any IP 
sensors-srvr = 0.0.0.0; 
# Admin Server is listening on any IP 
admin-srvr = 0.0.0.0; 
Setting up the Database

If you want to set up Prelude to work with its backend being a database like MySQL or PostgreSQL (and believe me, you do), then you will want to continue with this section. If you really and truly would rather use plaintext logging, then you can skip this section.

Your SQL server, whether it be MySQL or PostgreSQL, needs to be running before you proceed.
# /usr/bin/prelude-manager-db-create.sh

Prelude Database Support Installation
=====================================

*** Phase 0/7 ***

Warning: if you want to use database support with prelude
 You should dedicate the database for this job only.

So if you ever have a database running for another job
 please think about taking it away, because this script
 will install prelude as a dedicated database and you
 could meet some troubles with your old bases.

Since we want database support, we are going to say "y" here.
Do you want to install a dedicated database for prelude ?
 (y)es / (n)o : y


*** Phase 1/7 ***

Here you can choose to have your database be MySQL (mysql) or
PostgreSQL (pgsql).  I'll be choosing MySQL.
Enter the type of the database [mysql|pgsql]: mysql


*** Phase 2/7 ***

Unless you are going to be running the MySQL server on a different
box than Prelude, just hit ENTER here to choose "localhost".
Enter the name of the host where the database is running [localhost]:


*** Phase 3/7 ***

3306 is the default port for MySQL, so unless you plan on running
the MySQL daemon on a different port, then just hit ENTER here.
Enter the port where the database is running [3306]:


*** Phase 4/7 ***

Hit ENTER here to have the database that stores all the information
that Prelude keeps track of be named "prelude".
Enter the name of the database that should be created to stock alerts [prelude]:

*** Phase 5/7 ***

You can go ahead and hit ENTER here unless you have your MySQL super-user
set up under a different name.
This installation script has to connect to your mysql database in order to create a user dedicated to stock prelude's alerts
What is the database administrative user ? [root]:

We need the password of the admin user "root" to log on the database.
By default under mysql, root has an empty password.
Please enter a password:
Please confirm entered password:

*** Phase 6/7 ***

We need to create a database user account that will be used by the Prelude Manager in order to access the "prelude" database.

Username to create [prelude] :

We need to set a password for this special "prelude" account.
This password will have to be used by prelude-manager to access the database.
Please enter a password:
Please confirm entered password:

*** Phase 7/7 ***

Please confirm those information before processing :

Database name   : prelude
Database admin user: root
Database admin password: (not shown)

prelude owner user: prelude
prelude owner password: (not shown)

Is everything okay ? (yes/no) : yes

Creating the database prelude...

Creating user "prelude" for database "prelude",
using "root" to connect to the database.

Creating tables with /usr/share/prelude-manager/mysql/mysql.sql

-------------- End of Database Support Installation -------------
If it succeeded, you should now be able to launch prelude-manager like that :
==>  prelude-manager --mysql --dbhost localhost --dbname prelude --dbuser prelude --dbpass xxxxxx

Or you may modify the prelude-manager configuration file (/usr/local/etc/prelude-manager/prelude-manager.conf by default) in order to launch prelude-manager without database arguments:
---------- cut here --->
[MySQL]
# Host the database is listening on.
dbhost = localhost;
# Port the database is listening on.
dbport = 3306;
# Name of the database.
dbname = prelude;
# Username to be used to connect the database.
dbuser = prelude;
# Password used to connect the database.
dbpass = xxxxxx;
<--- cut here ----------

Replace xxxxxx by the password you choose for the manager account
-----------------------------------------------------------------

NIDS Configuration

Now we just need to set up NIDS so it knows which ethernet device to monitor.

Change eth0 to match the ethernet device to be monitored.
OPTIONS="-i eth0"
Installing Sensors
Prerequisite Configuration

We will now set up the default configuration for the sensors in the /etc/prelude-sensors/sensors-default.conf file. This configuration is shared by all sensors. Edit the values below to suit your setup and place them in the configuration file.

# Replace this with the IP of the manager.
manager-addr = 192.168.0.1; 
# Here you will want to fill in your full hostname.
node-name = yourbox.yourdomain.com; 
# This is just a plaintext descriptor.  You can put almost anything here.
node-location = Rack 2, Server 5. Monitoring Network A from an SPAN port on switch 28A; 
[Node Adress] 
# The IP address of the box Prelude is being set up on.
address = 192.168.0.1; 
# The netmask for the box.
netmask = 255.255.255.0; 

We will now be adding our sensors to the manager. There are two ways of setting up the manager to talk to the sensors: via an SSL encrypted connection and via an unencrypted connection. The only time when you will want to opt for the latter is when the manager and the sensor are on the same box.
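The following lint, added here as an example (it is not part of the Gentoo guide or of Prelude), parses the manager and sensor fragments above using only the "[Section]" / "key = value;" / "# comment" syntax they show, and encodes two pieces of this guide's advice: the manager should listen on a specific IP rather than 0.0.0.0, and a 127.0.0.1 manager address on a sensor means the sensor link will not be SSL protected. The section name "Node Adress" and the sample values are taken from the fragments above.

```python
import re

# Added example, not from the Gentoo guide or from Prelude: a parser for the
# "[Section]" / "key = value;" / "# comment" fragments above, plus checks
# that encode the guide's advice on listen addresses and the manager address.
_KV = re.compile(r"^([\w-]+)\s*=\s*(.*?)\s*;?$")

def parse_prelude_conf(text):
    """Return {section: {key: value}}; keys before any [header] land in ''."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":    # section header
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        conf[section][m.group(1)] = m.group(2)
    return conf

def lint_manager_conf(conf):
    """Flag listeners on 0.0.0.0 (the guide says to give one IP) and a placeholder dbpass."""
    top, findings = conf.get("", {}), []
    for key in ("sensors-srvr", "admin-srvr"):
        if top.get(key) == "0.0.0.0":
            findings.append("%s binds every interface; set the IP sensors should reach" % key)
    if conf.get("MySQL", {}).get("dbpass", "xxxxxx") == "xxxxxx":
        findings.append("[MySQL] dbpass is missing or still the xxxxxx placeholder")
    return findings

def lint_sensor_conf(conf):
    """Flag a loopback manager-addr: the guide says 127.0.0.1 gives an unencrypted link."""
    top, findings = conf.get("", {}), []
    addr = top.get("manager-addr", "")
    if not addr:
        findings.append("manager-addr is missing")
    elif addr.startswith("127."):
        findings.append("manager-addr %s is loopback: sensor link will not use SSL" % addr)
    if not top.get("node-name"):
        findings.append("node-name is empty; alerts will be hard to attribute")
    return findings

# Constructed samples: the guide's manager fragment and a sensor fragment pointing at loopback.
MANAGER_CONF = "# any IP\nsensors-srvr = 0.0.0.0;\nadmin-srvr = 0.0.0.0;\n[MySQL]\ndbpass = xxxxxx;\n"
SENSOR_CONF = """\
manager-addr = 127.0.0.1;
node-name = yourbox.yourdomain.com;
node-location = Rack 2, Server 5. Monitoring Network A from an SPAN port on switch 28A;
[Node Adress]
address = 192.168.0.1;
"""
```

Run lint_manager_conf(parse_prelude_conf(open("prelude-manager.conf").read())) against your real files once they are edited; an empty list means the guide's advice has been followed.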

Installing the NIDS Sensor

We will now run the necessary commands to set up the SSL connection.

# manager-adduser

No Manager key exist... Building Manager private key...

How many bits should the encryption be?  I would recommend just hitting
ENTER here.
What keysize do you want [1024] ?


Please specify how long the key should be valid.
        0    = key does not expire
        <n>  = key expires in n days

Here you can hit ENTER again to select a key that does not expire.
Key is valid for [0] :


Key length        : 1024
Expire            : Never
Granted everything is okay, type in "yes" and hit enter.
Is this okay [yes/no] : yes


Generating a 1024 bit RSA private key...
................++++++
...........................++++++
Writing new private key to '/etc/prelude-manager/prelude-manager.key'.
Adding self signed Certificate to '/etc/prelude-manager/prelude-manager.key'


This password is VERY important.  Do NOT lose it until you've completed the sensor-adduser.
Generated one-shot password is "p=7f6N7+".

This password will be requested by "sensor-adduser" in order to connect.
Please remove the first and last quote from this password before using it.

waiting for install request from Prelude sensors...
Do not close this terminal!  Leave it open and open another session to
continue the guide.

Now open up another terminal if you have not already done so and proceed to add the sensor user. Right now we will be adding the user for the NIDS component to Prelude.

Remember that if both the sensor and the manager are running on the same machine, it is important to specify the machine's Ethernet IP, not 127.0.0.1. If you specify 127.0.0.1, sensor-adduser will default to an unencrypted connection.

Conversely, if you do not want to use SSL, specify 127.0.0.1 as the manager address.
 You will want to change "192.168.1.102" if the manager is on a different IP.
# sensor-adduser -s prelude-nids -m 192.168.1.102 -u 0


Now please start "manager-adduser" on the Manager host where
you wish to add the new user.

Please remember that you should call "sensor-adduser" for each configured
Manager entry.

We have already done this; hit ENTER.
Press enter when done.

Please use the one-shot password provided by the "manager-adduser" program.

Enter the password that I talked about above.  I hope you did not lose it ;).
Also, be aware that while I am going to fill in the fields here, the password will
not echo back to you.
Enter registration one shot password : p=7f6N7+
Please confirm one shot password : p=7f6N7+
If you do not see that the connection succeeded, then you closed the terminal
that I told you not to.  Remove /etc/prelude-manager/prelude-manager.key and start
again with manager-adduser.
connecting to Manager host (127.0.0.1:5553)... Succeeded.


What keysize do you want [1024] ? 1024


Please specify how long the key should be valid.
        0    = key does not expire
        <n>  = key expires in n days

Key is valid for [0] : 0


Key length        : 1024
Expire            : Never

Is this okay [yes/no] : yes
Generating a 1024 bit RSA private key...
...........++++++
........................................++++++
Writing new private key to '/etc/prelude-sensors/ssl/prelude-nids-key.0'.
Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-nids-key.0'
writing Prelude Manager certificate.
Using already allocated ident for prelude-nids@yourbox: 1057315311.

Now switch back to the terminal with manager-adduser running in it. You should see output that resembles that below.

Connection from 192.168.1.102.
sensor choose to use SSL communication method.
Writing Prelude certificate to /etc/prelude-manager/prelude-sensors.cert
Registration completed.
Adding the LML Sensor

We will now set up the Log Monitoring Lackey.

You may notice that quite a few lines of output are "missing" from this example. The lines that are not shown here only appear on the initial run of manager-adduser, when the manager key is generated.
# manager-adduser


Generated one-shot password is "4;%f7%1Y".

This password will be requested by "sensor-adduser" in order to connect.
Please remove the first and last quote from this password before using it.

waiting for install request from Prelude sensors...

Again, switch over to another terminal and proceed with the next example.

We will be using the same methods we used in the NIDS example, so the same comments from that example apply here, too.
# sensor-adduser -s prelude-lml -m 192.168.1.102 -u 0


Now please start "manager-adduser" on the Manager host where
you wish to add the new user.

Please remember that you should call "sensor-adduser" for each configured
Manager entry.

Hit enter; we have already started manager-adduser.
Press enter when done.



Please use the one-shot password provided by the "manager-adduser" program.

Enter registration one shot password : 4;%f7%1Y
Please confirm one shot password : 4;%f7%1Y
connecting to Manager host (127.0.0.1:5553)... Succeeded.

What keysize do you want [1024] ? 1024


Please specify how long the key should be valid.
        0    = key does not expire
        <n>  = key expires in n days

Key is valid for [0] : 0


Key length        : 1024
Expire            : Never

Is this okay [yes/no] : yes
Generating a 1024 bit RSA private key...
...............++++++
.++++++
Writing new private key to '/etc/prelude-sensors/ssl/prelude-lml-key.0'.
Adding self signed Certificate to '/etc/prelude-sensors/ssl/prelude-lml-key.0'
writing Prelude Manager certificate.
Using already allocated ident for prelude-lml@yourbox: 1057887742.
Post Installation
Testing the Manager

On the manager box, start the Prelude manager in the foreground.

# prelude-manager
- Initialized 2 reporting plugins.
- Initialized 1 database plugins.
- Subscribing Prelude NIDS data decoder to active decoding plugins.
- Initialized 1 decoding plugins.
- Initialized 0 filtering plugins.
- Subscribing TextMod to active reporting plugins.
- sensors server started (listening on 127.0.0.1:5554).

Now go ahead and switch over to the sensor box. We will test the communication by using the NIDS sensor.

Remember to change the manager address if it differs from the example.
# prelude-nids -i eth0 --manager-addr 127.0.0.1
- Initialized 3 protocols plugins.
- Initialized 5 detections plugins.

- RpcMod subscribed for "rpc" protocol handling.
- TelnetMod subscribed for "telnet" protocol handling.
- HttpMod subscribed for "http" protocol handling.
- Done loading Unicode table (663 Unichars, 0 ignored, 0 with errors)
- ScanDetect subscribed to : "[TCP,UDP]".
- ArpSpoof subscribed to : "[ARP]".
/etc/prelude-nids/ruleset/web-misc.rules (7) Parse error: Unknow key regex
/etc/prelude-nids/ruleset/web-misc.rules (65) Parse error: Unknow key regex
- Signature engine added 890 and ignored 2 signature.
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.

- Initializing packet capture.

Make sure that your output looks roughly the same. Let us check that the important lines are present.

- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
[unix] - accepted connection.
[unix] - plaintext authentication succeed.
[unix] - sensor declared ident 578232824809457160.

If you do not see those two sets of output, make sure that the manager is listening on the right IP and that the manager address is supplied properly for NIDS.

Running and Managing Prelude
Starting up the Prelude Daemons

There are several init scripts that control the different parts to Prelude, so we will want to start those up now.

First, we will start up the manager.
# /etc/init.d/prelude-manager start
Next, it is time to start the NIDS.
# /etc/init.d/prelude-nids start
And finally, we will start up the LML.
# /etc/init.d/prelude-lml start

Most likely, you are going to want Prelude and its components to start up when you boot up the computer. In order to achieve this, we will add the necessary components to the default runlevel.

# rc-update add prelude-manager default
# rc-update add prelude-nids default
# rc-update add prelude-lml default
Installing PIWI

The first thing we will do to get PIWI working is emerge it.

# emerge piwi

We will now follow the instructions that the emerge process gives us.

Depending on which version of Apache you are running, the following file names may vary. If you are using Apache 2, the files are located in /etc/apache2/conf and are named differently; usually the names differ only by a "2" that is absent from the Apache 1 file names. For example, apache.conf becomes apache2.conf in Apache 2.
The best place for this line is probably at the end of the file.
Include /etc/piwi/piwi-apache.conf

Now we will tell Apache to load the PIWI-specific configuration directives. If we were to skip this step, the Perl scripts would likely just show up as plain text when you browse to the PIWI location on your website.

If you are already loading other Apache modules, you merely have to add -D PIWI rather than replacing the whole APACHE_OPTS line.
APACHE_OPTS="-D PIWI"

Next, we need to edit the PIWI configuration file to match our MySQL database settings that we used for Prelude.

Edit the next two lines to suit your setup.
$conf{'dblogin'}='prelude';
$conf{'dbpasswd'}='dbpass';

All that is left to do is start up Apache and check to make sure that the PIWI scripts are being processed correctly.

# /etc/init.d/apache start

Now point your browser to http://yoursite/piwi and you should be greeted by a Web interface.
