What is raprelude?

raprelude is a client that logs network events to a prelude manager.
For this task you use argus to log all information about the network
connections in your network. Then you can use any argus client to select
the network traffic you are interested in; for example, you can use the ra
client to select just the connections to a certain server you are
examining. raprelude uses a configuration file with rules to determine
which alerts to log and with which class name. That way ICMP traffic can
be classified as ICMP traffic, some other traffic records can be dropped,
and still other records can be logged with more detailed information than
others. In this way raprelude enables you to log selected traffic
information to prelude so you can visualize it together with the other
hostile network events detected by other prelude sensors. Prelude uses
the IDMEF format to log the events.
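
To make the rule-driven classification described above concrete, here is an added illustration in Python. It is not raprelude's own code: the rule-file syntax is a constructed stand-in (the real class.conf format is not documented on this page), the flow records are made up, and the analyzer id "example-sensor" is an assumption. Only the action names drop, log, store and mlog are taken from the page, and the IDMEF element names follow RFC 4765. The example shows how argus-style records are matched against rules and how the action decides whether a record is dropped, logged with addresses only, logged with MAC addresses (mlog), or stored whole inside the alert (store).

```python
"""Rule-driven classification of flow records into IDMEF alerts (illustration only)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed argus-style flow records (not a real capture).
SAMPLE_FLOWS = [
    {"proto": "icmp", "src": "10.0.0.5", "sport": 0, "dst": "10.0.0.1", "dport": 0,
     "smac": "00:11:22:33:44:55", "dmac": "66:77:88:99:aa:bb", "bytes": 84},
    {"proto": "udp", "src": "10.0.0.5", "sport": 5353, "dst": "224.0.0.251", "dport": 5353,
     "smac": "00:11:22:33:44:55", "dmac": "01:00:5e:00:00:fb", "bytes": 200},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40123, "dst": "192.0.2.10", "dport": 22,
     "smac": "00:11:22:33:44:55", "dmac": "66:77:88:99:aa:bb", "bytes": 5120},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 51000, "dst": "192.0.2.10", "dport": 80,
     "smac": "00:11:22:33:44:66", "dmac": "66:77:88:99:aa:bb", "bytes": 900},
]

# Hypothetical rule syntax (not raprelude's class.conf): "proto dst dport action classification";
# '*' is a wildcard and the first matching rule wins.
SAMPLE_RULES = """\
# proto  dst          dport  action  classification
icmp     *            *      log     ICMP traffic
udp      224.0.0.251  5353   drop    mDNS noise
tcp      192.0.2.10   22     mlog    SSH to monitored server
tcp      192.0.2.10   *      store   Other traffic to monitored server
"""


@dataclass
class Rule:
    proto: str
    dst: str
    dport: str           # port number as text, or '*'
    action: str          # drop | log | store | mlog
    classification: str


def parse_rules(text):
    """Parse the hypothetical rule format; unknown actions are rejected."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, dst, dport, action, classification = line.split(None, 4)
        if action not in ("drop", "log", "store", "mlog"):
            raise ValueError(f"unknown action {action!r} in rule: {line}")
        rules.append(Rule(proto, dst, dport, action, classification))
    return rules


def rule_matches(rule, flow):
    return ((rule.proto == "*" or rule.proto == flow["proto"])
            and (rule.dst == "*" or rule.dst == flow["dst"])
            and (rule.dport == "*" or int(rule.dport) == flow["dport"]))


def build_alert(rule, flow, when):
    """Build one IDMEF-Message (RFC 4765 element names) for a matched flow."""
    msg = ET.Element("IDMEF-Message", version="1.0")
    alert = ET.SubElement(msg, "Alert")
    # analyzerid is an assumed placeholder, not a value from the page
    ET.SubElement(alert, "Analyzer", analyzerid="example-sensor", name="raprelude")
    ET.SubElement(alert, "CreateTime").text = when
    endpoints = (("Source", flow["src"], flow["smac"], flow["sport"]),
                 ("Target", flow["dst"], flow["dmac"], flow["dport"]))
    for role, host, mac, port in endpoints:
        ep = ET.SubElement(alert, role)
        node = ET.SubElement(ep, "Node")
        ET.SubElement(ET.SubElement(node, "Address", category="ipv4-addr"),
                      "address").text = host
        if rule.action == "mlog":   # mlog: additionally carry the MAC addresses
            ET.SubElement(ET.SubElement(node, "Address", category="mac"),
                          "address").text = mac
        svc = ET.SubElement(ep, "Service")
        ET.SubElement(svc, "port").text = str(port)
        ET.SubElement(svc, "protocol").text = flow["proto"]
    ET.SubElement(alert, "Classification", attrib={"text": rule.classification})
    if rule.action == "store":      # store: keep the whole record in AdditionalData
        extra = ET.SubElement(alert, "AdditionalData", type="string", meaning="argus-record")
        ET.SubElement(extra, "string").text = " ".join(f"{k}={v}" for k, v in flow.items())
    return msg


def classify(flows, rules, when=None):
    """Return (alerts, dropped); a flow matching no rule, or a drop rule, emits nothing."""
    when = when or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    alerts, dropped = [], 0
    for flow in flows:
        rule = next((r for r in rules if rule_matches(r, flow)), None)
        if rule is None or rule.action == "drop":
            dropped += 1
            continue
        alerts.append(build_alert(rule, flow, when))
    return alerts, dropped


def classification_of(msg):
    return msg.find("./Alert/Classification").get("text")


def mac_count(msg):
    return len(msg.findall(".//Address[@category='mac']"))


if __name__ == "__main__":
    alerts, dropped = classify(SAMPLE_FLOWS, parse_rules(SAMPLE_RULES))
    print(f"{len(alerts)} alerts emitted, {dropped} records dropped")
    for a in alerts:
        print(ET.tostring(a, encoding="unicode"))
```

Running it emits three alerts and drops the mDNS record; only the SSH alert carries MAC addresses and only the port-80 alert carries the full record in AdditionalData, which is the difference between the log, mlog and store actions named in the changelog below. First-match ordering means a broad catch-all rule placed first would shadow the more specific ones, so rule order matters when you edit such a file.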

Where to get it?

You need the latest release of the argus clients (currently
argus-clients-2.0.6), libprelude-0.9, and of course the raprelude
sources. Additionally you need to have gnutls installed on your system.

Installation

Compile and install libprelude on your system. Untar the argus-clients
and the raprelude tarball somewhere. Change into the raprelude directory
and run the shell script apply.sh. This script tries to find the
necessary libraries and directories; if it does not find something, it
asks you for the correct location. It then applies a patch to the
argus-clients directory. You can then go ahead and build the argus
clients (configure; make; make install). If everything went well, you
now have a raprelude binary among the other argus clients.

Before you start, you have to register the raprelude sensor with your
prelude manager. During this process both applications exchange
certificates so that they can set up encrypted communication channels.
The default profile name of raprelude is "raprelude". Afterwards you
have to copy the provided file class.conf into the prelude directory
/etc/prelude/profile/raprelude. You might have to edit some of the rules
to fit your needs.

How to proceed?

Here are a few links to further documentation on the net:

Additional information on setting up and using prelude can be found at
https://trac.prelude-ids.org/.

If you have further questions regarding this software, or if you have
problems getting it started, you can send me a mail.

DISCLAIMER:

This is experimental software. Use at your own risk. Under no
circumstances may the author or distributors of this software be held
liable for damage to hardware or software, lost data or other damage,
either direct or indirect, caused by using this software. In some
countries, cryptographic software may be subject to import/export
restrictions or subject to software patents. This software may not be
used or disseminated in those countries. Otherwise, it is subject to the
usual rules of the GPL license. If you do not wish to abide by these
rules, you may not use or disseminate this software.

History

Changelog of raprelude:

0.3.1 (2005-09-28)

Second release. raprelude now uses prelude 0.9 and argus-clients-2.0.6
(both stable releases). The logging was substantially improved: complete
argus records can now be stored in the IDMEF alerts (ACTION store), and
MAC addresses can be transmitted too (ACTION mlog). The complete
configuration is held in the file class.conf. Rules in this file provide
classification names for the different types of network traffic.

0.1 (2003-04-15)

Initial version of raprelude, based on prelude 0.8.