Cannot connect snort with prelude manager - libprelude file 'missing'

Discussion in 'HOWTO-Related Questions' started by chillifire, Feb 23, 2008.

  1. chillifire

    chillifire New Member

    Dear All,

    I could get through 'Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon) (Updated)' without problem but tried my hand at 'Intrusion Detection: Snort (IDS), OSSEC (HbIDS) And Prelude (HIDS) On Ubuntu Gutsy Gibbon' and cannot get snort to hook up with prelude.

    WhenI start snort with snort -c /etc/snort/snort.conf snort aborts and I get the following error:
    Code:
    ERROR: unknown output plugin: 'alert_prelude'Fatal Error, Quitting..
    I check the configuration out put of
    Code:
    ./configure -enable-dynamic-plugin -enable-prelude
    and I see the following:
    Code:
    [..]
    checking for libprelude-config... no
    checking for libprelude - version >= 0.9.6... no
    *** The libprelude-config script installed by LIBPRELUDE could not be found
    *** If LIBPRELUDE was installed in PREFIX, make sure PREFIX/bin is in
    *** your path, or set the LIBPRELUDE_CONFIG environment variable to the
    *** full path to libprelude-config.
    [..]
    Now that is positively weired, as I have successfully installed prelude-manager and prelude-lml on my ubuntu 7.10 server and even succeeded connecting the manager with the agent. the version of the manager in the Ubuntu package is .9.8, the version of the agent is .9.10 so there should be no problem, one would have thought.

    BTW, a search on libprelude-config with $ find -name "libprelude-config" gave no result.

    Where should these libprelude files live? how can i see their version? How can I ensure snort knows where they are?

    Any input is appreciated.

    Thanks

    chillifire



    PS: The script 'Intrusion Detection: Snort (IDS), OSSEC (HbIDS) And Prelude (HIDS) On Ubuntu Gutsy Gibbon' has some typos:
    It says
    Code:
    ./configure -enable-dynamicplugin --eanble-prelude
    I am usure it should be enable not eanble, but what about the hyphens? why has one parameter two (--), the other one hyphen (-)? One would think only one is correct? Can someone confirm please?

    Also, it says further is the script:
    well, that line does not exist. There are only the lines:
    [..]
    # output alert_prelude
    # output alert_prelude: profile=snort-profile-name
    [..]
    So should it be 'output alert_prelude', 'output alert_prelude: profile=snort-profile-name' or 'output alert_prelude: profile=snort'?

    These things may not cause anything, as I have tried various combinations in several reinstalls and always come to the same error as shown above.
     
    Last edited: Feb 23, 2008
  2. chillifire

    chillifire New Member

    Update - but no solution yet

    Hi,
    I had a look at the Ubuntu website and found two packages 'libprelude-dev' and 'libpreludedb-dev' which installed the repective libraries .9.12 for the prelude-manager and .9.14 for the prelude-lml. Now the error reported under the
    Code:
     ./configure -enable-dynamic-plugin -enable-prelude
    command does not occur anymore. But still, I get the same error when starting snort with
    Code:
    snort -c /etc/snort/snort.conf 
    it aborts with
    Code:
    ERROR: unknown output plugin: 'alert_prelude'Fatal Error, Quitting..
    Any hints/input?

    chillifire
     
  3. chillifire

    chillifire New Member

    Resolved: Installed package rather than from source - all fine

    Hi,
    as the message says, I gave up installing from source and installed the packages snort snort-common snort-common-libraries snort-rules-default coming with Ubuntu. The configuration of /etc/snort/snort.conf of course still applies. All works like a charm now.

    Granted, this only give you one release back (2.7.0 vs 2.8.0.1 from source) but what counts more with this are the rules. I the ruleset coming with the packe is from October last year. So I registered with snort (no subscription required), downloaded the newest ruleset for registered users (22 Jan this year) and installed as per the HowTo.

    So 'source schmource' is all I can say. IMHO, stick with packages for Ubuntu/Debian whenever you can.

    Although in the end 'I helped myself', I trust this is going to be a valuable hint for anyone else who tries.

    Cheers

    chillifire
     
  4. topdog

    topdog Active Member

    Can you not download the ubuntu source debs and then upgrade them instead. The build system should take care of all the dependencies.
     
  5. chillifire

    chillifire New Member

    limitations of upgrade

    Hi topdog,

    apt-get upgrade will not install a newer version of the source just because 'it is there'. All the debian/ubuntu package installer will install for you is the version someone has cared to, well, pack into a package. It appears at about the time of 2.7.0 was the last time someone bothered, so that's the best version you can get in a package install versus source. So if you want the latest version right now, you will have to go to source.
    Obviously eventually someone will assemble a package with a newer version.
    But in the end, I prefer a package that works, even if 6 months outdated, to a source that don't on my distro.
     
  6. topdog

    topdog Active Member

    What i mean is this
    Code:
    apt-get source <package name>
    
    That will install the source and patches that were used to create the ubuntu package, you can then modify the build instructions and get your newer pristine source package in, then build using the same build instructions to build a new .deb package which is a newer version since it will use your newer pristine source.
     
  7. chillifire

    chillifire New Member

    Interesting. Sounds a bit like 'build your own package on the fly'
    Was tempted to try this and I can see the command loads all the sources into /src Given my lack of experience in building experience, I do not know where to look for the package build instructions though - or even what I am looking for. Any advice?
     
  8. falko

    falko Super Moderator Howtoforge Staff

  9. linux_padawan

    linux_padawan New Member

    installing snort with Ubuntu packages

    I have done all this and stil I get :ERROR: unknown output plugin: 'alert_prelude'Fatal Error, Quitting

    when installing the common snort files did you see anything added that was different from installing from source?
     
  10. linux_padawan

    linux_padawan New Member

    OSSEC agents

    The how to explains how to get the agent on the local server to work but not how to register agents from other boxes. I had to reinstall ossec on the server to and pick server configurations and now I can register agents from other boxes to the server. But all alerts are sent to the logs of the prelude server so I don't see any additional agents on the prewikka console. I would like to setup ossec on each box and have the ossec sensor be viewed on the prewikka console as a separate agent.

    Has anybody had the same problem or know a solution to this...
     
  11. Miguel

    Miguel New Member HowtoForge Supporter

    Hi,

    if you want to add agents from other boxes, than your prelude-manager server has to listen to multiple addresses.

    Edit /etc/prelude-manager/prelude-manager.conf and see that the following is set:

    listen = 127.0.0.1
    listen = xxx.xxx.xxx.xxx --> Ip of your machine

    The manages than listens besides localhost, also on the machine's ip address.

    On the client (agent) machine set in /etc/prelude/default/client.conf

    server-addr = xxx.xxx.xxx.xxx --> Ip of the prelude manager

    On the agent machine libprelude has to be installed in order to register them to the prelude-manager

    Port 4690 needs to be open vor communication between the agent and prelude-manager
    Port 5553 needs to be open for the registration process.

    Kind regards,

    Miguel
     

Share This Page