[RFC] Prelude, Honeypot, and mwcollectd on Ubuntu
John Moser
john.r.moser at gmail.com
Fri Sep 18 16:32:29 UTC 2009
As a self-assigned task at my place of employment I've been
investigating Prelude, honeypots, malware collection, host intrusion
detection systems, integration of intrusion detection systems like
Snort, integration of Linux systems with Active Directory domains, and
the like.
I would prefer not to discuss too much specific information about my
employment or our network, as my employer is rather high-profile. I
will say that I am effectively fighting political pressure, as these
tasks are "interesting" to management but are very shaking and would
invalidate and replace a lot of our current related infrastructure;
and I am researching things I know will never happen (such as Exchange
integration for Linux desktops -- unless someone at Canonical wants to
seriously work with me on fully internal network integration and
management, we will NEVER run Linux desktops here).
At any rate, I have found some rough edges installing Prelude, nothing
major or hard to fix though. I've also found that mwcollectd isn't a
part of Ubuntu. Finally, Ubuntu 8.04 has Snort 2.7; Snort 2.8 is in
8.10, of course, so this is not a problem.
What I would like to do is get enough packages in Ubuntu Universe to a
useful state to accomplish several tasks. These include:
- A Prelude-manager concentrator and Prewikka interface
- Prelude-LML monitoring various logs
- HoneyD running various personalities
- mwcollectd running
- snort running
- ossec running
There are some other things not needed for me, but also interesting;
in particular, Argos (a Qemu modification that detects attacks).
Any thoughts? Should I just file bugs on rough edges and lobby for
mwcollectd inclusion? Much of this already functions (Prelude works
pretty well, HoneyD is included, Snort works well).