Installing the Realeyes IDS from Source Code

The source code for Realeyes can be downloaded from SourceForge.

There are four components in five source packages for the Realeyes IDS application:

  1. RealeyesAE and RealeyesIDS are the library and application packages to build the sensor IDS application, which monitors network traffic
  2. RealeyesDB is the collection of database scripts to build the database for storing configuration data and network traffic detects
  3. RealeyesDBD (database daemon) is the interface between the sensor IDS application and the database
  4. RealeyesGUI is the graphical user interface for administering the application and analyzing network traffic detects and may be installed on multiple Linux or Microsoft Windows systems.

The packages can all be installed on a single host, on individual hosts, or in any combination in between, although several of the possible combinations would not make sense.

There are three steps to installing each Realeyes package and one step to deinstallation.

The configuration scripts are run automatically by the installation scripts, but may be run individually if necessary. See the man pages for realeyes_db_config, realeyes_dbd_config, and realeyes_ids_config.

After the installation is complete, see the README files in the system documentation directory (default: /usr/share/doc/package_name) for an explanation of each package.

I. Pre-installation

  1. All of the packages in the Realeyes IDS application except the realeyesGUI application have significant resource requirements in active networks. (The system was beta tested in a network with 3 class B subnets on a 30 Mbps line and used over 600 Meg of RAM during peak hours.) The realeyesIDS application uses up to 90% of the available memory and may use significant disk space if network connections are unreliable.

    The realeyesDB schema for the PostgreSQL database and the realeyesDBD application may also use significant memory and disk space if there are several Realeyes IDS sensors.

    To account for these requirements, the recommended disk partitions are as follows (Option 1 will be sufficient for most installations, but Option 2 is described for those that need it):

    • /swap: 500M - 1G depending on expected traffic
    • /var: 500M

    • Option 1:
      • /: Remaining

    • Option 2 (realeyesIDS or realeyesDB / PostgreSQL):
      • /: 1G
      • /data: Remaining

    The /data partition in Option 2 should be defined as follows for the specified packages, BEFORE THE PACKAGES ARE INSTALLED:

    • If installing the realeyesIDS package:

        mkdir /data/realeyesIDS

      Edit the Realeyes.ini file for the RealeyesIDS package (see the installation instructions below) and set:

        IDS_HOME_DIR = /data/realeyesIDS

    • If installing the realeyesDB package:

        mkdir /data/db_data

      Edit the PostgreSQL configuration file, postgresql.conf, which should be found in a directory such as /etc/postgresql or /var/lib/postgres, and set (the value must be an absolute path, quoted as PostgreSQL requires):

        data_directory = '/data/db_data'
  2. The installation shell scripts were developed under Bash and have not been tested under any other shell. It is assumed that Bash is the default shell (/bin/sh).
  3. Each package has prerequisites that must be installed before the package. It is expected that unless otherwise noted, the Linux distribution's package manager can be used to install the dependencies.

  4. If the Realeyes IDS application is installed on a host separate from the rest of the system, then it is expected that there will be two network interfaces, one for monitoring in promiscuous mode, and the other for connections to the Realeyes DBD host and SSH access.

    In this case, both interfaces should be defined to use static IP addresses, with the monitoring interface set to 0.0.0.0. It is advisable to establish a site standard for using the first or second interface for monitoring.

  5. The following user IDs are the defaults created by Realeyes package configuration scripts, but may be modified when the scripts are run:

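Before any install script is run, the two Option 2 settings from step 1 can be verified with a small check. This is an added example, not part of the Realeyes packages; it assumes the "KEY = value" layout shown above for Realeyes.ini and postgresql.conf, and it constructs its own sample files.

```sh
#!/bin/sh
# Added pre-installation check (not part of the Realeyes packages).
# Confirms that IDS_HOME_DIR (Realeyes.ini) and data_directory
# (postgresql.conf) are absolute paths to directories that already exist,
# catching a relative value such as data/db_data before the installers run.
# Assumes "KEY = value" lines; a value in single or double quotes is accepted.

# get_setting FILE KEY -> prints the last value set for KEY, quotes stripped
get_setting() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
    sed "s/^['\"]//; s/['\"][[:space:]]*$//"
}

# check_dir_setting FILE KEY -> 0 when KEY is an absolute path to an existing
# directory; otherwise prints a diagnostic and returns 1 (not set),
# 2 (relative path) or 3 (directory missing, i.e. mkdir was not run)
check_dir_setting() {
  file=$1; key=$2
  value=$(get_setting "$file" "$key")
  if [ -z "$value" ]; then
    echo "$file: $key is not set" >&2; return 1
  fi
  case $value in
    /*) ;;
    *) echo "$file: $key = $value is relative; use an absolute path" >&2; return 2 ;;
  esac
  if [ ! -d "$value" ]; then
    echo "$file: $key = $value does not exist; create it first" >&2; return 3
  fi
  return 0
}

# Demonstration with constructed files in a scratch directory.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/data/realeyesIDS"
  printf 'IDS_HOME_DIR = %s/data/realeyesIDS\n' "$tmp" > "$tmp/Realeyes.ini"
  printf "data_directory = 'data/db_data'\n" > "$tmp/postgresql.conf"  # the relative-path mistake
  check_dir_setting "$tmp/Realeyes.ini" IDS_HOME_DIR; echo "IDS_HOME_DIR rc=$?"
  check_dir_setting "$tmp/postgresql.conf" data_directory; echo "data_directory rc=$?"
  rm -rf "$tmp"
}
demo
```

PostgreSQL additionally requires data_directory to be owned by the database's system user, which this check does not verify.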
II. Building and installing the packages

  1. All packages:

    Log in as the system superuser and extract each package with the command:

      tar xzf package_name

    NOTE: The RealeyesAE and RealeyesIDS packages must be extracted in the same directory.

    Each package comes with the initialization file, Realeyes.ini, in which the directories and other information used by the installation are defined. This file should be edited to conform to the distribution's and site's standards.

    All initialization files are the same, so a master copy can be created and copied as needed. In fact, if multiple packages are installed on the same host, a single copy of Realeyes.ini is saved to be used with the deinstallation script.

    The initialization file is divided into sections to make it easier to identify the changes that are necessary for a particular installation. The sections and their uses are:

    • SYSTEM DIRECTORIES: These define the standard directory structure of the distribution. The Realeyes application has been successfully installed on Debian (and *buntu) and Fedora without modification to these settings.
    • SYSTEM COMMANDS and CONFIGURATION FILES: These define specific configuration and command locations. Each value should be checked for its correctness. Of special interest:

        KEYTOOL: This is the Java keytool command, used to create a list of valid SSL keys and certificates; it is used only by the RealeyesDBD package installation.

    • POSTGRES DIRECTORIES and INFORMATION: These define the information for the PostgreSQL installation and are the least likely to be valid for any distribution not based on Debian.
    • REALEYES DIRECTORIES and INFORMATION: These define the directories and user information to be used by the Realeyes applications. Changes are determined by site standards.

  2. Realeyes DB:

    • Start the PostgreSQL database: It is expected that PostgreSQL is installed with an init script in the system init script directory, and starting the database is performed by running this script with the 'start' parameter.
    • Change to the RealeyesDB directory created by extracting the package and run the install script:

        ./db_install.sh

      This will install scripts and documentation in the directories defined in the Realeyes.ini file, and then automatically start the configuration scripts, which are described below.

  3. Realeyes GUI:

    There are three installation methods which all install the same Realeyes directories and files. However, the two GUI installers will also download required files, if desired.

    • Shell script installation for Linux:

      • Change to the RealeyesGUI directory created by extracting the package and run the install script:

          ./gui_install.sh

        This will install programs and documentation in the directories defined in the Realeyes.ini file.

      • The installation script will prompt for the location of the JDBC and SWT archive files listed in the pre-installation section. If all files are in the same directory, then that directory may be entered and all files will be copied to the appropriate location. Otherwise, the path and filename must be supplied for each file.
      • When the installation is complete, a script to start the user interface, realeyesgui, is in the system bin directory defined in the Realeyes.ini file. The configuration procedure is described below.

    • Graphical installer for Windows XP:

      • Install the program using the installation wizard:

          RealeyesGUI-0.9.2-Setup.exe

      • The installer will accept pre-downloaded PostgreSQL JDBC and/or SWT archive files, or download them during the installation. Because the SWT archive file is approximately 40 Megabytes, using pre-downloaded files makes the installation much quicker if it is to be performed on multiple systems; if the target hosts have access to a file server, the files can be kept there.
      • When the installation is complete, the user interface can be started from the programs menu. If a desktop icon is desired, create it from the menu.

  4. Realeyes DBD:

    • Change to the RealeyesDBD directory created by extracting the package and run the install script:

        ./dbd_install.sh

      This will install programs and documentation in the directories defined in the Realeyes.ini file, and then automatically start the configuration scripts, which are described below.

    • The installation script will prompt for the location of the JDBC and XML files listed in the pre-installation section. If all files are in the same directory, then that directory may be entered and all files will be copied to the appropriate location. Otherwise, the path and filename must be supplied for each file.

  5. Realeyes IDS:

    • Change to the RealeyesAE directory created by extracting the package and build the analysis engine libraries:

        ./configure
        make

    • Change to the RealeyesIDS directory created by extracting the package and build and install the IDS application:

        ./configure
        make
        ./ids_install.sh

    • The 'ids_install.sh' command installs the application files and documentation in the directories defined in the Realeyes.ini file, and automatically starts the configuration scripts, which are described below.

III. Configuring the Realeyes packages

The initial configuration of all Realeyes packages except the user interface is done using scripts.

  1. Realeyes DB:

      To configure the database, the following command is executed:

        realeyes_db_config

      There are explanations of what to expect, and many prompts have a preset default, which is selected by pressing Enter.

      Several user IDs and passwords are set in this script. If each user ID is given a unique password, be sure to keep track of them.

      The Realeyes user management feature shows administrators the status of users logged into the database. Full functionality of this feature, which allows administrators to log users out from the user interface, is provided by database extension functions. Without these extension functions, users can only be logged out by the DBA from the database host, using the process ID of their sessions, which is displayed along with the user IDs.

      When the database configuration is complete, it can be tested by logging in to the DBA ID, running the psql program to interact with the database, and displaying Realeyes tables. Note that the configuration defines the alias "redb" to simplify starting the psql program using the realeyesDB database schema.

        su - redba
        redb
        (Enter DBA database password)
        select * from users;
        select * from roles;
        \q
        exit

  2. Realeyes GUI:

      There is no configuration script for the user interface. However, some initial configuration using the user interface needs to be done before the DBD can be started. The database must be configured and running for the login to be successful.

      To start the user interface on Linux, the following command is executed:

        realeyesgui

      To start the user interface on Microsoft Windows, select the application from the Start -> Programs menu.

      The login window will be displayed and all of the fields must be filled in:

      • Username: readmin or site substitute
      • Password: created during the database configuration
      • Server: the hostname of the machine running the database
      • Database: realeyesdb

      If successfully logged in, all fields except the password can be set from the menu selection Edit -> Preferences.

      The initial information that must be defined, in the order that it must be defined is found in the following menu selections:

      • Admin -> Tables -> Points of Contact
      • Admin -> Tables -> Sites
      • Admin -> Tables -> Hosts

      When the Save button is clicked for any entry, the information is immediately saved in the database and available for use. However, windows that build popup menus of selections from database information do not have these automatically refreshed, so each of the above should be opened after the previous one has been completed.

  3. Realeyes DBD:

      To configure the DBD, the following command is executed:

        realeyes_dbd_config

      There are explanations of what to expect, and many prompts have a preset default, which is selected by pressing Enter.

      Note that some selections must be coordinated with the database configuration and others with the IDS configuration.

      In particular, ports may be configured for both connections, but note that if the IDS data and control ports are changed, it affects all IDS sensors.

      Encryption between the DBD and the IDS is unnecessary if both are on the same host. Otherwise, it is strongly recommended. The private key and certificate are generated on the DBD and copied to each IDS sensor host during that host's configuration.

  4. Realeyes IDS:

      To configure the IDS, the following command is executed:

        realeyes_ids_config

      There are explanations of what to expect, and many prompts have a preset default, which is selected by pressing Enter.

      Note that some selections must be coordinated with the DBD. Especially note that if the data and control ports are changed from the default, all IDS sensors must use the new values.

      The memory allocation value is a percentage. Therefore, if there is 1G of memory installed, the 33% default will allocate 333M of memory for the IDS. If the IDS is the only application running on the host, this value can be as high as 90%. The following general rules may be applied:

      • IDS only installed: Leave at least 64M for other processes
      • DBD and/or database installed: Use about 50% of the installed memory
      • All four Realeyes packages installed: Use about 33% of the installed memory

  5. To start each component, use the following commands:

    • Database: /etc/init.d/postgresql_script start

      NOTE: This must be running for either RealeyesDBD or RealeyesGUI to start successfully

    • Realeyes IDS: /etc/init.d/realeyes_ids start

      NOTE: It has been observed that the first (and possibly second) time the IDS is started, the operating system fails to initialize shared memory. Once it starts working, the problem is not seen again, even after reboots.

    • Realeyes DBD: /etc/init.d/realeyes_dbd start

    • Realeyes GUI:

      • Linux: realeyesgui
      • Windows: Find the Realeyes application in the Start -> Programs menu and double click on it

  6. Sample rules

      To test the installation, download the sample rules package. Extract it with the command:

        tar xzf package

      Follow the instructions in the README file.

IV. Deinstallation

The deinstallation script for each package is stored in /etc/realeyes, with the initialization file, Realeyes.ini, which defines the installation directories for the script. This means it is safe for the package source directories to be removed.

Although it is technically allowable to run the script from a directory that it will remove, it is advisable to copy the deinstallation script and the Realeyes.ini file to a temporary location and execute them from there.

To deinstall a package, change to the directory where the script and the Realeyes.ini file are located and run the script:

If the script and Realeyes.ini file were copied to a temporary location, they may be deleted on successful completion of the deinstallation.