Larger environments translate to a higher number of hosts to monitor. The management burden grows linearly with the number of machines under watch, which makes per-host security monitoring extremely difficult to scale. In addition, looking at a large number of hosts independently gives no global picture of events that are often interrelated.
Central monitoring not only makes administration more comfortable; presenting events from various devices in one place also allows them to be grouped. For example, an attacker working from a single source IP address would generate logs at multiple levels while trying to penetrate a system.
A firewall might log a TCP scan coming from a given source address, then Snort might flag a packet from that same address carrying an attack destined for the web server, and Samhain might report a file change on the same web server within the same time frame. Taken separately, none of those events is necessarily significant by itself; gathered together, they build up value.
Correlating security events from different sources raises the overall relevance of what the analyst sees.
Prelude-IDS is an open source client/server security console that allows multiple sensors to send their respective events simultaneously to a central database. It supports the main open source security tools and implements an event correlator that groups related log entries together.
The following is the official list of supported sensors:
Libsafe: a real-time buffer overflow protection library. I had no success building Libsafe-2.0.16 with Prelude 0.9.10-trunk-20060714. Libsafe with no Prelude support proved to be a fairly effective way to prevent buffer overflow exploitation. Because each successful detection logs an entry in the local log facility, it should still be simple to support Libsafe through Prelude-lml.
Prelude-lml: the Prelude Log Monitoring Lackey is a system log parser that relays its results to the centralized Prelude database.
Samhain: when built with Prelude support, our favorite file integrity checker forwards its alerts to the centralized Prelude database.
A network sniffer that collects traffic for statistical analysis and network activity discovery. I have not used this module.
Snort: the most well-known open source network IDS. When built for Prelude, it sends its logs, alerts, and packet captures to the Prelude database.
Communications between the sensors and the central server are encrypted and authenticated; each sensor must be registered with the manager before its events are accepted. In addition to supporting the listed sensors, Prelude comes with a web interface called Prewikka. This web UI listens on port 8000 by default and allows multiple security administrators to review alerts. Each administrator can be assigned a set of rights that controls whether they can administer the system, view logs, and reconcile alerts.
The default account for the web UI is admin, with a default password of admin. Change it before the console is reachable from anything but the local host: the account carries full rights, and the built-in Prewikka server speaks plain HTTP, so the login also crosses the network unencrypted unless the console is placed behind a TLS-terminating web server.
In my setup, I successfully managed to get Prelude-lml, Snort, and Samhain to log their respective events to a Prelude database. Unfortunately, I soon faced major slowdowns in the responsiveness of the web UI. Googling for that issue, I eventually discovered that the open source preludedb interface component to the MySQL or PostgreSQL database was not performing well under the moderate load of my setup, and that the commercial Prelude-IDS company was selling a faster (by up to 1,800 percent) version called Prelude-xlr. In my experience using the open source libpreludedb, I noticed significant slowdowns with more than 5,000 alerts in the database.
Recent versions of Prelude-IDS ship with an agent called prelude-correlator. With this module loaded, events from the database are parsed and automatically grouped together according to customizable rule sets.
In my experience, because Prelude-lml is able to parse logs from a great variety of daemons, the correlator is a real must and makes all the difference compared to looking at independent and unrelated hosts.
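To make concrete what the correlator does with the firewall, Snort and Samhain events described earlier, here is a small stand-alone correlator written for this page. It is an added illustration, not code from the page or from the Prelude project, and it does not use Prelude's rule language. The five log lines are constructed; the host table, the year, the ten-minute window and the field layouts of the Netfilter, Snort "fast" and Samhain messages are assumptions made for the example.

```python
"""Toy cross-sensor correlator: group firewall, Snort and Samhain events by
attacking source address and time window, then raise one combined alert.
Added example; formats and sample data are constructed, not taken from Prelude."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

YEAR = 2006                     # syslog timestamps carry no year (assumption)
WINDOW = timedelta(minutes=10)  # events closer than this are considered related
# Samhain reports a hostname, the network sensors report an IP: map one to the other.
HOSTS = {"web": "192.0.2.10"}   # constructed host table


@dataclass
class Event:
    ts: datetime
    sensor: str
    src: Optional[str]   # attacker address; None for host-only sensors
    target: str          # victim address
    summary: str


SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
NETFILTER = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")
SNORT = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\]"
                   r".*\{(\w+)\} (\S+?):\d+ -> (\S+?):\d+")
SAMHAIN = re.compile(r"msg=<(.*?)>, path=<(.*?)>")


def parse(line: str) -> Optional[Event]:
    """Turn one raw log line into an Event, or None if no parser matches."""
    m = SNORT.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        return Event(ts, "snort", m.group(4), m.group(5), m.group(2))
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    host, prog, body = m.group(2), m.group(3), m.group(4)
    if prog == "kernel" and (n := NETFILTER.search(body)):
        return Event(ts, "firewall", n.group(1), n.group(2), f"packet to port {n.group(3)}")
    if prog == "samhain" and (s := SAMHAIN.search(body)):
        return Event(ts, "samhain", None, HOSTS.get(host, host), f"{s.group(1)} {s.group(2)}")
    return None


def correlate(events):
    """Group events by source address.  A host-only event (no src) joins the first
    group that already hit the same target within WINDOW; that first-match rule is
    a simplification and is where a real correlator would need more care."""
    groups = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src:
            groups.setdefault(ev.src, []).append(ev)
            continue
        for evs in groups.values():
            if any(e.target == ev.target and abs(ev.ts - e.ts) <= WINDOW for e in evs):
                evs.append(ev)
                break
    return groups


def alerts(events, min_sensors=2):
    """One correlated alert per source seen by at least min_sensors sensors."""
    out = []
    for src, evs in correlate(events).items():
        sensors = sorted({e.sensor for e in evs})
        if len(sensors) >= min_sensors:
            out.append({"src": src, "sensors": sensors, "events": len(evs),
                        "span_s": int((evs[-1].ts - evs[0].ts).total_seconds()),
                        "targets": sorted({e.target for e in evs})})
    return out


# Constructed sample: a scan, a Snort hit and a Samhain change from one attacker,
# plus an unrelated single firewall entry that must not become an alert.
SAMPLE_LOGS = [
    "Jul 14 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN",
    "Jul 14 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN",
    "07/14-10:01:40.123456  [**] [1:1000001:1] WEB-ATTACKS /bin/sh access [**] [Priority: 1] {TCP} 203.0.113.5:41000 -> 192.0.2.10:80",
    "Jul 14 10:02:10 web samhain[1234]: CRIT : msg=<POLICY [ReadOnly] C--------TS>, path=</var/www/html/index.php>",
    "Jul 14 10:05:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443 SYN",
]


def run_sample():
    """Parse the constructed lines and return the correlated alerts."""
    return alerts([e for e in map(parse, SAMPLE_LOGS) if e])


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample the single attacker 203.0.113.5 yields one alert backed by three sensors (firewall, snort, samhain) and four events spanning 68 seconds, while the lone 198.51.100.7 firewall entry stays below the threshold, which is exactly the "individually minor, jointly significant" point the text makes. Attaching a host-only event to the first matching source is the weak spot of this toy: with two attackers hitting the same host in the same window, a file change can be credited to the wrong one.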
The following is a short list of the most popular daemons whose logs can be parsed by Prelude-lml:
Routers from Arbor, Cisco, and Zyxel
Firewalls from Checkpoint, Cisco, Juniper, SonicWall, and Zywall
Other commercial products listed in Table 20-6
Open source applications listed in Table 20-7