Installation and Configuration
of Realeyes IDS


This installation package is based on the Debian etch distribution. See the Debian documentation for an explanation of general installation procedures. These instructions are for specifically installing and configuring the Realeyes packages.

There are four Realeyes packages which may be installed together or separately. Some combinations do not make sense, such as the IDS sensor package and the user interface package.

There are three steps to installing the Realeyes packages and one step to deinstallation.

See the README files in /usr/share/doc/package_name for an explanation of each package.

I. Pre-installation

  1. There are four packages in the Realeyes IDS application. All but the realeyesGUI application have significant resource requirements. The realeyesIDS application uses as much as 90% of the available memory and may use significant disk space if network connections are unreliable.

    The realeyesDB schema for the PostgreSQL database and the realeyesDBD application may also use significant memory and disk space if there are several realeyes IDS sensors.

    To account for these requirements, the recommended disk partitions are as follows (Option 1 will be sufficient for most installations, but Option 2 is described for those that need it):

    • /swap: 500M - 1G depending on expected traffic
    • /var: 500M

    • Option 1
    • /: Remaining

    • Option 2 (realeyesIDS or realeyesDB / PostgreSQL)
    • /: 1G
    • /data: Remaining

    The /data partition in Option 2 should be defined as follows for the specified packages, BEFORE THE PACKAGES ARE INSTALLED:

    • If installing the realeyesIDS package:

        mkdir /data/ids

      During the configuration of the realeyesIDS package (see the configuration instructions below), set the Spooler directory to /data/ids_spooler.

    • If installing the realeyesDB package:

        mkdir /data/db

      Edit the PostgreSQL configuration file, which should be found in /etc/postgresql//main/postgresql.conf, and set the data_directory parameter to /data/db.
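The Option 2 preparation above, as an added shell example (this is not a script shipped with the Realeyes packages): it creates the two directories and sets data_directory in a postgresql.conf-style file. ROOT is an assumed prefix, defaulting to "/", so the functions can be exercised against a scratch tree; FILE, KEY and VALUE are the parameters of the helper functions. On a real host run it as root with the default prefix and the installed PostgreSQL version in the path.

```shell
#!/bin/sh
# Added example, not part of the Realeyes packages. ROOT (default "/") is an
# assumed prefix so the functions can be tried on a scratch directory first.

# make_data_dirs [ROOT]
# Creates the IDS and database directories on the /data partition.
make_data_dirs() {
    root=${1:-/}
    mkdir -p "$root/data/ids" "$root/data/db"
}

# set_conf_value FILE KEY VALUE
# Sets KEY = 'VALUE' in a postgresql.conf-style file. The first existing line
# for KEY, whether active or commented out, is replaced in place so the edit is
# idempotent; if there is none, the line is appended at the end.
set_conf_value() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" -v q="'" '
        BEGIN { seen = 0 }
        $0 ~ "^[[:space:]]*#?[[:space:]]*" key "[[:space:]]*=" && !seen {
            print key " = " q value q; seen = 1; next
        }
        { print }
        END { if (!seen) print key " = " q value q }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# get_conf_value FILE KEY
# Prints the active (uncommented) value of KEY with quotes and trailing comment removed.
get_conf_value() {
    awk -v key="$2" -v q="'" '
        $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub("^[^=]*=[[:space:]]*", "")
            sub("[[:space:]]*(#.*)?$", "")
            gsub(q, "")
            print; exit
        }
    ' "$1"
}

# Applies the change to the live system only when explicitly requested:
#   REALEYES_APPLY=1 sh this_script.sh /etc/postgresql/8.1/main/postgresql.conf
# (the version component of the path is an assumption; use the installed one)
if [ "${REALEYES_APPLY:-0}" = 1 ]; then
    make_data_dirs /
    set_conf_value "${1:?path to postgresql.conf}" data_directory /data/db
fi
```

PostgreSQL refuses to start unless the data directory is owned by the postgres user and is neither group- nor world-accessible, so chown /data/db to postgres after creating it; if a cluster already exists under /var/lib/postgresql, its contents have to be moved to /data/db before the new setting takes effect.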

  2. If the Realeyes IDS application is installed on a host separate from the rest of the system, then it is expected that there will be two network interfaces, one for monitoring in promiscuous mode, and the other for connections to the Realeyes DBD host and SSH access.

    In this case, both interfaces should be defined to use static IP addresses, with the monitoring interface set to 0.0.0.0. It is advisable to establish a site standard for using the first or second interface for monitoring.

  3. The following user IDs are the defaults created by Realeyes package configuration scripts, but may be modified when the scripts are run:

    • reids
    • redba
    • redbd
    • readmin

II. Installing the packages

To install the packages using the apt-get or aptitude program:
  1. Copy the debian packages to a directory that will be used for the initial installation and future updates, such as /var/tmp/realeyes. Untar the packages:

      tar xvzf realeyes_debian.tar.gz
  2. Download the Realeyes public key file, RE_pubring.gpg, and add it to the Debian trusted sources with the command:

      apt-key add RE_pubring.gpg
  3. Edit the file /etc/apt/sources.list.

    • Where 're_dir' is the fully qualified directory path where the Realeyes Debian tar file is expanded, add the following to /etc/apt/sources.list:

        deb file:/re_dir/realeyes/ etch contrib
    • On the lines that define the Debian repository, add 'non-free' at the end so that the Sun Java package can be accessed.

        deb http://ftp... etch main contrib non-free
  4. Update your package lists with one of the following methods:

    1. In aptitude, select Actions -> Update package list
    2. On the command line enter:

        apt-get update
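Steps 1 to 4 above, as an added shell example that is not part of the Realeyes packages. The sources.list edits are written as functions taking the file path as a parameter, so they can be tried on a copy first; the two functions are idempotent (running them twice leaves the file unchanged) and the 'non-free' component is only added to lines that lack it. The default directory /var/tmp/realeyes is the page's own suggestion; that RE_pubring.gpg has been downloaded into the same directory is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Realeyes packages.

# add_realeyes_repo FILE RE_DIR
# Appends the local Realeyes repository line unless it is already present.
# RE_DIR is the directory in which realeyes_debian.tar.gz was expanded.
add_realeyes_repo() {
    file=$1; re_dir=$2
    line="deb file:$re_dir/realeyes/ etch contrib"
    grep -qxF "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# enable_non_free FILE
# Appends 'non-free' to every active deb/deb-src line for a network repository
# that does not already carry it, so that the sun-jre package becomes reachable.
# Commented lines and file:/cdrom: repositories are left untouched.
enable_non_free() {
    file=$1
    tmp=$(mktemp)
    awk '
        /^[[:space:]]*deb(-src)?[[:space:]]+(http|ftp):/ && $0 !~ /(^|[[:space:]])non-free([[:space:]]|$)/ {
            $0 = $0 " non-free"
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# The full sequence on a real host, run as root, only when explicitly requested:
#   REALEYES_APPLY=1 sh this_script.sh /var/tmp/realeyes
if [ "${REALEYES_APPLY:-0}" = 1 ]; then
    re_dir=${1:-/var/tmp/realeyes}
    mkdir -p "$re_dir" && cd "$re_dir" || exit 1
    tar xvzf realeyes_debian.tar.gz                 # step 1
    apt-key add RE_pubring.gpg                      # step 2 (key assumed to be in re_dir)
    cp /etc/apt/sources.list /etc/apt/sources.list.bak
    add_realeyes_repo /etc/apt/sources.list "$re_dir"   # step 3
    enable_non_free /etc/apt/sources.list
    apt-get update                                  # step 4
fi
```

Keeping a copy of sources.list before the edit makes it easy to confirm with diff that only the intended lines changed before running apt-get update.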

Package descriptions
  1. Database package: realeyesDB

    • Automatically installed:
      • postgres database
  2. User interface package: realeyesGUI

    • xorg: Required if the X window system is not installed
    • fluxbox: For a stripped down desktop environment
    • Automatically installed:
      • sun-jre (Note: There will be prompts to read and accept the license agreement)
  3. Database daemon (DBD) package: realeyesDBd

    • openssl: If the connection between the DBD and the IDS is to be encrypted (strongly recommended unless both are on the same host)
    • Automatically installed:
      • sun-jre (Note: There will be prompts to read and accept the license agreement)
  4. Intrusion detection system (IDS) package: realeyesIDS

    • Automatically installed:
      • libxml2 and libpcap required libraries
      • libssl and libcrypto, optional openssl libraries

III. Configuring the Realeyes packages

The initial configuration of all Realeyes packages except the user interface is done using scripts.

If the X window system has been installed, it may be easier to use it than the console screen. Logged in as root, enter the command:

When the desktop (fluxbox if using the default) initialization is complete, right-click the mouse to display the main menu. Select the XShells -> XTerm menu option and an xterm window is displayed.

  1. Database

    To configure the database, enter the following command:

      realeyes_db_config

    There are explanations of what to expect, and many prompts have a preset default, which is selected by pressing Enter.

    Several user IDs and passwords are set in this script. If each user ID is given a unique password, be sure to keep track of them.

    When the database configuration is complete, it can be tested by logging in to the DBA ID, running the psql program to interact with the database, and displaying Realeyes tables. Note that the configuration defines the alias "rled" to simplify starting the psql program using the realeyesDB database schema.

      su - redba
      rled
      (Enter DBA database password)
      select * from users;
      select * from roles;
      \q
      exit
  2. User interface

    There is no configuration script for the user interface. However, some initial configuration using the user interface needs to be done before the DBD can be started. The database must be configured and running for the login to be successful. To start the user interface, enter the following command:

      realeyesgui

    The login window will be displayed and all of the fields must be filled in:

    • Username: readmin or site substitute
    • Password: created during the database configuration
    • Server: the hostname of the machine running the database
    • Database: realeyesdb

    If successfully logged in, all fields except the password can be set from the menu selection Edit -> Preferences.

    The initial information that must be defined, in the order that it must be defined is found in the following menu selections:

      Admin -> Tables -> Points of Contact
      Admin -> Tables -> Sites
      Admin -> Tables -> Hosts

    When the Save button is clicked for any entry, the information is immediately saved in the database and available for use. However, windows that build popup menus of selections from database information do not have these automatically refreshed, so each of the above should be opened after the previous one has been completed.

  3. Database daemon (DBD)

    To configure the DBD, enter the following command:

      realeyes_dbd_config

    There are explanations of what to expect, and many prompts have a preset default, which is selected by pressing Enter.

    Note that some selections must be coordinated with the database configuration and others with the IDS configuration.

    In particular, ports may be configured for both connections, but note that if the IDS data and control ports are changed, it affects all IDS sensors.

    Encryption between the DBD and the IDS is unnecessary if both are on the same host. Otherwise, it is strongly recommended. The private key and certificate are generated on the DBD and copied to each IDS sensor host during that configuration.

  4. Intrusion detection system (IDS)

    To configure the IDS, enter the following command:

      realeyes_ids_config

    There are explanations of what to expect, and many prompts have a preset default, which is selected by pressing Enter.

    NOTE: If the disk partitioning includes an IDS data directory, set the Spooler directory to /data/ids_spooler when prompted.

    Note that some selections must be coordinated with the DBD. Especially note that if the data and control ports are changed from the default, all IDS sensors must use the new values.

    The memory allocation value is a percentage. Therefore, if there is 1G of memory installed, the 33% default will allocate 333M of memory for the IDS. If the IDS is the only application running on the host, this value can be as high as 90%. The following general rules may be applied:

    • IDS only installed: Leave at least 64M for other processes
    • DBD and/or database installed: Use about 50% of the installed memory
    • All four Realeyes packages installed: Use about 33% of the installed memory

  5. To start each component, use the following commands:

    • Database: /etc/init.d/postgresql-version start

      NOTE: This must be running for either RealeyesDBD or RealeyesGUI to start successfully

    • RealeyesIDS: /etc/init.d/realeyes_ids start

      NOTE: It has been observed that the first (and possibly second) time the IDS is started, the operating system fails to initialize shared memory. Once it starts working, the problem is not seen again, even after reboots.

    • RealeyesDBD: /etc/init.d/realeyes_dbd start

    • RealeyesGUI:

      • Linux: realeyesgui
      • Windows: Find the Realeyes application in the Start menu and double click on it
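The start-up order from step 5, as an added shell example that is not a script shipped with the Realeyes packages: the database is started first and polled until it accepts a connection, because the DBD and GUI cannot start without it; the DBD is started before the IDS, since the sensor host connects to the DBD host (section I.2); and the IDS init script is retried to cover the shared-memory failure noted above. Assumptions: the PostgreSQL init script name (postgresql-8.1 here, substitute the installed version), that the DBA account is redba and the database realeyesdb as in the configuration section, and that /etc/init.d/realeyes_ids returns a non-zero exit status when it fails to start. The retry function is generic and can be used for any command.

```shell
#!/bin/sh
# Added example, not part of the Realeyes packages.
# PG_INIT: assumed init script name; set it to the installed version.
PG_INIT=${PG_INIT:-/etc/init.d/postgresql-8.1}

# retry TRIES CMD [ARGS...]
# Runs CMD until it succeeds or TRIES attempts are used up, pausing
# RETRY_DELAY seconds (default 1) between attempts. Returns 0 on success,
# 1 when every attempt failed.
retry() {
    _tries=$1; shift
    _attempt=0
    while :; do
        if "$@"; then return 0; fi
        _attempt=$((_attempt + 1))
        if [ "$_attempt" -ge "$_tries" ]; then return 1; fi
        sleep "${RETRY_DELAY:-1}"
    done
}

# db_ready: true once the database accepts a connection from the DBA account
# (assumes the redba account and realeyesdb database from the configuration steps)
db_ready() {
    su - redba -c "psql -d realeyesdb -c 'select 1'" >/dev/null 2>&1
}

start_all() {
    # 1. database: neither the DBD nor the GUI can log in until it accepts connections
    "$PG_INIT" start
    retry 30 db_ready || { echo "database did not come up" >&2; return 1; }
    # 2. DBD: the IDS sensor connects to the DBD host, so bring the DBD up first
    /etc/init.d/realeyes_dbd start || return 1
    # 3. IDS: retried because the first one or two starts have been observed to
    #    fail on shared-memory initialisation (assumes a non-zero exit on failure)
    retry 3 /etc/init.d/realeyes_ids start || { echo "IDS failed to start" >&2; return 1; }
}

# Starts the live components only when explicitly requested: REALEYES_APPLY=1 sh this_script.sh
if [ "${REALEYES_APPLY:-0}" = 1 ]; then
    start_all
fi
```

If the IDS still fails after three attempts, the exit status of start_all is non-zero so a wrapper (or a boot-time job) can report it rather than leaving the sensor silently down.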
  6. Sample rules

      To test the installation, download the sample rules package. Extract it with the command:

        tar xzf package

      Follow the instructions in the README file.

IV. De-installation

If the entire package is to be removed, the database should be cleared, using the following commands:

To de-install the packages, use the aptitude program.