
Reverse Relaying with Prelude

Introduction

Reverse relaying can be used in the following situation:

  • you have two (or more) networks, and you want to centralize alerts on one manager
  • you don't want to open ports through the firewall for every sensor (prelude-lml or other sensors) between your networks

Network Z (like DMZ) will be the network where the sensors are, network M (like manager) the network where the central manager is.

The solution is to have the sensors send their alerts to a manager in network Z, and to register that manager as a child manager of the manager in network M. This way, you only have to open one port (TCP 4690) on one server: the parent manager connects to the child manager (the direction is important) to retrieve the alerts. Only that inbound connection from manager M to manager Z on port 4690 needs to be allowed; nothing in network Z ever has to reach network M, so the firewall rule can be restricted to the parent manager's address.

Configuration in network Z (child manager)

  • sensors must be configured to send alerts to manager Z
  • manager Z must be configured to listen on an address reachable both by its sensors and by the parent manager. Edit /etc/prelude-manager/prelude-manager.conf:
    listen = y.y.y.y
    

Configuration in network M (parent manager)

  • Manager M must allow manager Z as a child manager. Edit /etc/prelude-manager/prelude-manager.conf:
    # in global section
    # y.y.y.y is the IP address of manager Z
    child-managers = y.y.y.y
    

Registering parent manager to child

The parent manager must be registered with manager Z exactly like any normal sensor. It needs the "idmef:r" permission, since it will read (retrieve) alerts from the child rather than send them.

  • On manager M, run:
    # prelude-adduser register prelude-manager "idmef:r" y.y.y.y --uid prelude --gid prelude
    

Don't forget to replace the uid and gid by the one used to run prelude-manager, and y.y.y.y by the IP address of the child manager.

The register command on the parent manager will then wait for the One-Time Password. That password is generated by the registration server on the child manager, which you start next.

  • On manager Z, run:
    # prelude-adduser registration-server prelude-manager
    

Note: you may have to add the --uid and --gid arguments here as well, so that the key and certificate are written with the ownership prelude-manager runs under.

This will listen for the incoming registration connection and print the One-Time Password (OTP). Check the IP addresses on both sides (the parent must be connecting to the child manager's address, and the connection seen by the registration server must come from the parent manager), and copy the OTP.

  • back to the parent manager, insert the OTP
  • validate the registration on the child manager

For more details, see "Registering a sensor" in the Prelude Handbook.

Restart parent manager

Restart the parent manager. It should connect to the child manager, as the log (usually /var/log/syslog) will show on the parent:

Jun 26 20:06:30 prelude prelude-manager: - Connecting to y.y.y.y:4690 prelude Manager server.
Jun 26 20:06:30 prelude prelude-manager: - TLS authentication succeed with Prelude Manager.

On the child manager:

[x.x.x.x:37855 0x881f14603b460 idmef:r]: TLS authentication succeed: client certificate is trusted.
[x.x.x.x:37855 0x881f14603b460 idmef:r]: client requested forward of IDMEF message.

where x.x.x.x is the IP address of the parent manager.
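The following script is an added example for checking the whole procedure above; it is not part of this page or of the Prelude project. It reads a prelude-manager.conf style file to confirm the child-managers entry, classifies the parent's syslog into "up", "tls-failed" (connection attempted but TLS authentication never succeeded, which usually means the registration must be redone) or "no-attempt" (child-managers missing or manager not restarted), and confirms from the child's log that the parent authenticated with idmef:r and asked for forwarding. The addresses, file names and sample log files are constructed for the example; only the log line formats are the ones quoted on this page.

```shell
#!/bin/sh
# Added example, not part of the Prelude project: post-setup checks for a
# reverse-relaying deployment. Run the parent-side checks on manager M and the
# child-side check on manager Z. Addresses, file paths and the sample logs
# below are constructed; the log formats are the ones quoted on the page.

# Print the value of KEY from a "key = value" configuration file, skipping
# commented lines; the first match wins.
conf_value() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1
}

# Parent side: classify the parent -> child link from the parent's syslog.
#   up          connection attempt followed by a successful TLS authentication
#   tls-failed  connection attempted but TLS never succeeded
#   no-attempt  the parent never tried to connect to the child
relay_state() {
    log="$1"; child="$2"
    if grep -qF "Connecting to ${child}:4690" "$log"; then
        if grep -qF "TLS authentication succeed with Prelude Manager" "$log"; then
            echo up
        else
            echo tls-failed
        fi
    else
        echo no-attempt
    fi
}

# Child side: confirm the parent connected with the idmef:r permission and
# requested forwarding. Prints "forwarding" or "not-forwarding".
child_state() {
    log="$1"; parent="$2"
    esc=$(printf '%s' "$parent" | sed 's/\./\\./g')   # literal dots in the address
    if grep -E "^\[${esc}:[0-9]+ 0x[0-9a-f]+ idmef:r\]: client requested forward of IDMEF message" "$log" >/dev/null; then
        echo forwarding
    else
        echo not-forwarding
    fi
}

# Constructed sample input (assumed addresses: manager Z and manager M).
TMP=$(mktemp -d)
CHILD=192.0.2.10      # manager Z, y.y.y.y on the page
PARENT=198.51.100.5   # manager M, x.x.x.x on the page

cat >"$TMP/parent.conf" <<EOF
# constructed parent configuration
child-managers = $CHILD
EOF

cat >"$TMP/parent-ok.log" <<EOF
Jun 26 20:06:30 prelude prelude-manager: - Connecting to $CHILD:4690 prelude Manager server.
Jun 26 20:06:30 prelude prelude-manager: - TLS authentication succeed with Prelude Manager.
EOF

cat >"$TMP/parent-tls.log" <<EOF
Jun 26 20:06:30 prelude prelude-manager: - Connecting to $CHILD:4690 prelude Manager server.
EOF

cat >"$TMP/child.log" <<EOF
[$PARENT:37855 0x881f14603b460 idmef:r]: TLS authentication succeed: client certificate is trusted.
[$PARENT:37855 0x881f14603b460 idmef:r]: client requested forward of IDMEF message.
EOF

# On a real deployment point these at /etc/prelude-manager/prelude-manager.conf
# and /var/log/syslog instead of the constructed files.
[ "$(conf_value "$TMP/parent.conf" child-managers)" = "$CHILD" ] \
    || echo "parent.conf: child-managers does not point at $CHILD"
echo "parent link (ok log):      $(relay_state "$TMP/parent-ok.log" "$CHILD")"
echo "parent link (no TLS line): $(relay_state "$TMP/parent-tls.log" "$CHILD")"
echo "child view:                $(child_state "$TMP/child.log" "$PARENT")"
```

The parent-side check keys on the exact address and port, so a wrong child-managers value or a manager listening on a different address shows up as "no-attempt" rather than being masked by an unrelated connection line elsewhere in syslog.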