[prelude-user] No alerts in Prewikka

Robert Vineyard robert.vineyard at oit.gatech.edu
Thu Nov 19 00:50:25 CET 2009


Yes, I've verified that the events are indeed getting inserted into the
database both via the method you describe and by looking directly at the
rows in the database tables.

This prelude-manager instance is currently collecting events from 16
load-balanced snorts sniffing an aggregated 10gb tap, so the volume is very
high. I expected to see a bit of reporting latency due to this factor (I'll
get to optimization later on), but I've been recording data for several days
and still do not see a single alert inside PrewikkaPro.

--
[ Robert Vineyard | RHCE, Security+ ]    [ robert.vineyard at oit.gatech.edu  ]
[ Information Security Engineer III ]    [ 404.385.6900 | FAX 404.894.4690 ]
[Finding a needle in a haystack isn't hard when every straw is computerized]


Nico wrote:
> have you tried to see if prelude-manager actually inserts events to the
> database?
> 
> there's an option to prelude-manager (--db -l or something like that)
> that logs the sql commands.
> 
> 
> On Nov 18, 2009, at 9:36 PM, Robert Vineyard wrote:
> 
>> I found some additional information here:
>>
>> https://dev.prelude-ids.com/wiki/1/FrequentlyAskedQuestions#Sensors-are-running-but-I-see-no-events-and-agents-in-Prewikka
>>
>>
>> I re-ran prelude-manager with the suggested debug options and it appears
>> that it is indeed processing sensor alerts and heartbeats.
>>
>> I also tried running prewikkapro-httpd in the foreground on the command
>> line (I've been running it under apache with mod_python) and saw that I
>> was getting python errors about missing imports from Cheetah. I'm using
>> Ubuntu Hardy (version 8.04), which comes with an older version of Cheetah
>> which I assumed might have been causing the problem. I uninstalled this
>> older version and attempted to run with the version that is included with
>> the prewikkapro installation, but continued to receive errors about
>> missing imports. I then tried installing the latest stable version of
>> Cheetah from the author's website and received still more import errors,
>> again different from the previous ones. Finally, I peeked inside the
>> Cheetah package included with prewikkapro and saw that it was using
>> version 2.2.1. From there I downloaded a source tarball of Cheetah
>> version 2.2.1 from the author's website and installed it, and finally
>> prewikkapro-httpd would start up without errors.
>>
>> However, browsing to port 8000 on my prewikkapro server still shows me no
>> events despite the above debugging efforts. What am I doing wrong here?
>>
>> -- 
>> [ Robert Vineyard | RHCE, Security+ ]    [ robert.vineyard at oit.gatech.edu  ]
>> [ Information Security Engineer III ]    [ 404.385.6900 | FAX 404.894.4690 ]
>> [Finding a needle in a haystack isn't hard when every straw is computerized]
>>
>>
>> Robert Vineyard wrote:
>>> I think I've finally got my Prelude setup mostly up and running. I've
>>> verified that there are a bunch of snort alerts in the prelude database,
>>> and both postgres and prelude-manager see quite a spike in utilization
>>> when I fire up my snort sensors.
>>>
>>> The problem is, now that I've got Prewikka (actually PrewikkaPro) hooked
>>> up, it is able to see my snort agents but does not display any events
>>> coming out of them. Did I miss something in the Prewikka setup?
>>>
>>> Thanks!
>>>
>> _______________________________________________
>> Prelude-user site list
>> Prelude-user at prelude-ids.org
>> http://lists.prelude-ids.org/mailman/listinfo/prelude-user
> 
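The step that finally got prewikkapro-httpd to start was matching the system Cheetah to the exact version bundled with the PrewikkaPro tarball. Below is an added example of that check, written for this thread and not taken from the Prelude or PrewikkaPro projects: it reads the Version string out of a bundled Cheetah/Version.py, compares it with whatever `import Cheetah` resolves to on the host, and classifies the mismatch. It assumes Cheetah 2.x, where Cheetah/Version.py contains a `Version = '<x.y.z>'` assignment and the package exposes `Cheetah.Version`; the sample Version.py text and the `/opt/prewikkapro` path are constructed for illustration.

```python
"""Compare the Cheetah version a PrewikkaPro tarball bundles with the one
Python actually imports.  Added example for this thread; not Prelude or
PrewikkaPro code.  Assumes Cheetah 2.x, whose Cheetah/Version.py defines
``Version = '<x.y.z>'`` and whose package exports ``Cheetah.Version``."""
import importlib
import re
from pathlib import Path

# Matches the ``Version = '2.2.1'`` assignment in Cheetah/Version.py.
VERSION_RE = re.compile(r"""^\s*Version\s*=\s*['"]([^'"]+)['"]""", re.M)

# Constructed stand-in for the Version.py found inside the bundled package,
# so the example runs without a PrewikkaPro tarball on disk.
SAMPLE_VERSION_PY = """\
Version = '2.2.1'
VersionTuple = (2, 2, 1, 'final', 0)
"""


def parse_version(text):
    """'2.2.1' -> (2, 2, 1).  Non-numeric suffixes such as 'rc1' are dropped
    so tuples stay comparable: '2.4.4rc1' -> (2, 4, 4)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"(\d+)", piece)
        if not m:
            raise ValueError("unparseable version component: %r" % piece)
        parts.append(int(m.group(1)))
    return tuple(parts)


def bundled_version(version_py_text):
    """Return the Version string declared in a Cheetah/Version.py body."""
    m = VERSION_RE.search(version_py_text)
    if not m:
        raise ValueError("no 'Version = ...' assignment found")
    return m.group(1)


def bundled_version_from_tree(root):
    """Locate Cheetah/Version.py below ``root`` (e.g. an unpacked tarball)
    and return its Version string, or None when no bundled copy exists."""
    for path in Path(root).rglob("Version.py"):
        if path.parent.name == "Cheetah":
            return bundled_version(path.read_text())
    return None


def installed_version():
    """Version string of whatever ``import Cheetah`` resolves to, or None
    when Cheetah is not importable at all (the 'missing imports' case)."""
    try:
        mod = importlib.import_module("Cheetah")
    except ImportError:
        return None
    ver = getattr(mod, "Version", None)
    if hasattr(ver, "Version"):      # attribute was the submodule, not the string
        ver = ver.Version
    return ver if isinstance(ver, str) else None


def compare(bundled, installed):
    """Classify the installed copy relative to the bundled one:
    'match', 'missing', 'older' or 'newer'."""
    if installed is None:
        return "missing"
    b, i = parse_version(bundled), parse_version(installed)
    if i == b:
        return "match"
    return "older" if i < b else "newer"


if __name__ == "__main__":
    # Hypothetical unpack location; fall back to the constructed sample text.
    bundled = bundled_version_from_tree("/opt/prewikkapro") or bundled_version(SAMPLE_VERSION_PY)
    installed = installed_version()
    print("bundled %s, installed %s: %s" % (bundled, installed, compare(bundled, installed)))
```

Run it with the same interpreter that Apache's mod_python uses; a "match" from the command-line Python says nothing about a different interpreter or sys.path, which is one reason running prewikkapro-httpd in the foreground and under Apache can give different results.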

