
List:       prelude-announce
Subject:    [Prelude-announce] [ANNOUNCE] Prelude Hybrid IDS suite 0.9.0-rc1
From:       yoann () prelude-ids ! org (Yoann Vandoorselaere)
Date:       2005-03-30 3:31:41
Message-ID: 1112146458.14879.219.camel () arwen ! prelude-ids ! org

After several years of development, the Prelude team is pleased to
announce the public release candidate 1 of version 0.9.0 of the Prelude
Hybrid Intrusion Detection System.


------[ What is Prelude Hybrid IDS ? ]------

Prelude was born from the observation that more and more IDS systems, each
with its own specialism, have been made available, but that no framework
exists to unify and centralize the events provided by these different
systems.

We believe that relying on a single source of information in order to do
security analysis is not sufficient since different analysis methods
have different advantages, and that unifying these methods in a strong
and powerful product is the only way to produce a stronger security
analysis tool.

Prelude is a Hybrid IDS framework, that is, a product enabling all
security applications, be they open-source or proprietary, to report to a
centralized system. To achieve this, Prelude relies on the IDMEF
(Intrusion Detection Message Exchange Format) IETF standard, which
enables different kinds of sensors to generate events using a single
language.

Prelude provides a C, Python, and Perl framework so that you can convert
existing security applications to use the Prelude system. It also
provides sensors such as a log analyzer (Prelude-LML). A Prelude sensor
is a program which has the ability to use the Prelude framework.

Prelude benefits from its ability to find traces of malicious activity
from different sensors (Snort, honeyd, Nessus Vulnerability Scanner,
Samhain, hundreds of system logs, and many others) in order to better
verify an attack and, in the end, to perform automatic correlation between
the various events.

Prelude is licensed under the terms of the GNU General Public License
version 2 and is available from http://www.prelude-ids.org/


------[ Commercial Support ]------

PreludeIDS Technologies is a software company specializing in security.
It develops, supports and markets the open source Prelude hybrid IDS
system world-wide.

We provide functionality enhancements, technical support, commercial
licenses, training and consultancy.

See http://www.prelude-ids.com for more information.



------[ What's new in 0.9 ? ]------

This list covers the main axes of development of Prelude-IDS 0.9.
It is however far from exhaustive.

*** Prelude Framework:

The Prelude framework has been stabilized, and a lot of consistency work
has been going on. The C API should remain mostly stable at this point,
and we now offer Python and Perl bindings for interacting with Prelude.

C++ applications should now compile with the library. New and powerful
APIs such as idmef-path (defining a path within an IDMEF message tree,
and assigning/retrieving the value at that path) and IDMEF criteria
filtering have been introduced.

- We spent a lot of time working closely with the IDWG getting missing
IDMEF features implemented. The result of this work is available in IDMEF
v14, which we are compliant with.

- Support for IDMEF optional integers.
- Message routing across distributed Managers for remote sensor
administration.

- The failover subsystem, used when the communication with a
Prelude-Manager goes down, now supports transactions and quotas.

- Unique message identifiers are now generated on the sensor side, and
are fully optional per the IDMEF specification.

- Full IPv6 support for client/manager connectivity.

- Use GnuTLS instead of OpenSSL. Authentication is now always done
through TLS, and the encryption layer can be dropped if the connection
is local. A single tool is used for sensor registration, using SRP
(Secure Remote Password protocol).

- Allow multiple analyzer instances through the use of profiles.

- Enhanced portability (we should now build successfully on architectures
such as Tru64/AIX).

- The default analyzer heartbeat rate was increased.


*** PreludeDB framework:

This is a new library providing an abstraction layer over the type and
the format of the database used to store IDMEF alerts.

It allows developers to use the Prelude IDMEF database easily and
efficiently without worrying about SQL, and to access the database
independently of its type and format.


*** Prelude-Manager: Collects and normalizes events.

The Prelude-Manager is a high-availability server which collects and
normalizes events from distributed sensors. 

It provides the ability to relay received events to one or several other
prelude-manager servers. Received events can be filtered so that you can
hook actions to specific events.

Clients using libprelude can now request copies of alerts from a Manager.
Additionally, Prelude-Manager will back up alerts received while a
'querying' analyzer was offline and emit them when it reconnects.

- New permission system, allowing control over which operations a client
is authorized to perform.

- Support failover at the Report plugin level, allowing for example to
set up a fallback if one of the report plugins fails (example: if the
database used by a report plugin goes down).

- Improved scheduler fairness across different sensors.

- Allow loading multiple instances of the same plugin; the Manager can
now report to an unlimited number of plugin instances (example: you can
now have multiple databases).

- Modular filtering system, allowing IDMEF criteria to be defined, and
actions to be bound to them and issued when an event matches these rules.

- Use libpreludedb for database reporting.
- Support plugin dl-preopening on platforms without dlopen() or dlsym().


*** Prelude-LML: Log analyzer, Syslog events collector.

Prelude-LML is a signature-based log analyzer monitoring log files and
received syslog messages for suspicious activity. It handles events
generated by a large set of components, including but not limited to:
BigIP, Grsecurity, Honeyd, ipchains, Netfilter, ipfw, Nokia ipso,
Nagios, Norton Antivirus Corporate Edition, NTsyslog, PAM, Portsentry,
Postfix, Proftpd, ssh, etc.

- Handle the whole IDMEF object set.
- Support any log format through the use of PCRE.
- Support for multiple/optional regular expressions.
- Support jumps/optional jumps between different rules.

- New rules for: Dell OM, Shadow Utils, Modsecurity, P3Scan, Tripwire,
ClamAV, Sendmail, APC Environmental Monitoring Unit, CISCO PIX, Cisco
VPN Concentrator, Microsoft SQL Server, PAM, pcAnywhere, Oracle, Webmin,
Wu-Ftpd.

- Per log file rulesets are now possible.
- Support plugin dl-preopening on platforms without dlopen() or dlsym().
- Optimization work.
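To make the idmef-path and criteria-filtering APIs, the Manager's criteria-based filtering, and Prelude-LML's regex-to-IDMEF mapping concrete, here is an added illustration written for this page; it is not libprelude, Prelude-Manager or Prelude-LML code, and the rule format, the SAMPLE_LOGS, and every function name are assumptions. It maps a constructed syslog line onto IDMEF paths through a hypothetical regex rule, then applies Manager-style criteria against those paths.

```python
import re
SAMPLE_LOGS = [  # constructed sample syslog lines, not taken from the announcement
    "Mar 30 03:31:41 arwen sshd[1234]: Failed password for root from 192.0.2.10 port 4321 ssh2",
    "Mar 30 03:32:02 arwen sshd[1240]: Accepted publickey for yoann from 198.51.100.7 port 5000 ssh2",
]

# Hypothetical LML-style rule: a regex plus idmef-paths to fill ("$name" = named capture).
# The real Prelude-LML rule syntax differs; this only illustrates the mapping.
RULES = [{
    "regex": r"Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+",
    "fields": {"alert.classification.text": "SSH failed login",
               "alert.target.user.user_id.name": "$user",
               "alert.source.node.address.address": "$src"},
}]

def idmef_set(msg, path, value):
    """Assign a value at an idmef-path such as alert.source.node.address.address."""
    keys = path.split(".")
    node = msg
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value

def idmef_get(msg, path):
    """Retrieve the value at an idmef-path, or None when the path is absent."""
    node = msg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def log_to_idmef(line):
    """Turn one log line into an IDMEF-shaped message via the first matching rule."""
    for rule in RULES:
        match = re.search(rule["regex"], line)
        if match:
            msg = {}
            for path, value in rule["fields"].items():
                idmef_set(msg, path, match.group(value[1:]) if value.startswith("$") else value)
            return msg
    return None  # no signature matched: nothing to report

def matches(msg, criteria):
    """Every (path, op, value) criterion must hold: "==" is equality, "=~" a regex match."""
    for path, op, wanted in criteria:
        actual = idmef_get(msg, path)
        if not (actual == wanted if op == "==" else re.search(wanted, actual or "")):
            return False
    return True

def filter_logs(lines, criteria):
    return [msg for msg in map(log_to_idmef, lines) if msg and matches(msg, criteria)]
```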

*** Prelude enabled Snort 2.3.2 / Prelude NIDS:

One of the important moves in this release is that we deprecated
Prelude-NIDS in favor of using Snort as our default NIDS sensor.

We believe that today, there is no reason to spend time working on
another NIDS sensor when Snort already exists and provides the
functionality we need. Instead, we now distribute a Snort version
using a Prelude output module. We hope that it will be included in the
vanilla Snort distribution.


*** Prewikka: The Prelude-IDS console.

Originally written by Markus Alkio and Miika Keskinen, Prewikka was
rapidly adopted as the new Prelude frontend.

Prewikka is a professional-looking application providing advanced
features like contextual filtering, aggregation, etc. Prewikka is a large
step forward compared to Piwi.

As of now, Prewikka uses advanced CSS features and won't work under
Internet Explorer. We'll be working on fixing this ASAP (and any help
would be appreciated).



------[ Enhanced Functionality ]------

The PreludeIDS Technologies company provides a ticket system, remote
configuration capability and advanced navigable statistics for the
Prelude system. Check http://www.prelude-ids.com, or contact
PreludeIDS Technologies for more information.


------[ Documentation ]------

The Prelude Handbook is a collaborative effort to produce complete
Prelude-IDS documentation covering architecture, installation, and
configuration instructions.

It is the most up-to-date documentation at this time, and covers
Prelude-IDS 0.9:
http://trac.prelude-ids.org/wiki/PreludeHandbook



------[ Downloading ]------

All components of the Prelude hybrid IDS suite 0.9.0-rc1 can be
downloaded from our website:
http://www.prelude-ids.org/rubrique.php3?id_rubrique=6

Support for Prelude 0.9.0 is upcoming in PAM (Pluggable Authentication
Modules) and Samhain.

http://prelude-ids.org/download/releases/libprelude-0.9.0-rc1.tar.gz
http://prelude-ids.org/download/releases/libprelude-0.9.0-rc1.tar.gz.sig
http://prelude-ids.org/download/releases/libprelude-0.9.0-rc1.tar.gz.md5

http://prelude-ids.org/download/releases/libpreludedb-0.9.0-rc1.tar.gz
http://prelude-ids.org/download/releases/libpreludedb-0.9.0-rc1.tar.gz.sig
http://prelude-ids.org/download/releases/libpreludedb-0.9.0-rc1.tar.gz.md5

http://prelude-ids.org/download/releases/prelude-lml-0.9.0-rc1.tar.gz
http://prelude-ids.org/download/releases/prelude-lml-0.9.0-rc1.tar.gz.sig
http://prelude-ids.org/download/releases/prelude-lml-0.9.0-rc1.tar.gz.md5

http://prelude-ids.org/download/releases/prelude-manager-0.9.0-rc1.tar.gz
http://prelude-ids.org/download/releases/prelude-manager-0.9.0-rc1.tar.gz.sig
http://prelude-ids.org/download/releases/prelude-manager-0.9.0-rc1.tar.gz.md5

http://prelude-ids.org/download/releases/Prewikka-0.9.0-rc1.tar.gz
http://prelude-ids.org/download/releases/Prewikka-0.9.0-rc1.tar.gz.sig
http://prelude-ids.org/download/releases/Prewikka-0.9.0-rc1.tar.gz.md5

http://prelude-ids.org/download/releases/snort-2.3.2-prelude-0.9.0-rc1.tar.gz
http://prelude-ids.org/download/releases/snort-2.3.2-prelude-0.9.0-rc1.tar.gz.sig
http://prelude-ids.org/download/releases/snort-2.3.2-prelude-0.9.0-rc1.tar.gz.md5



------[ MD5SUM ]------

077e0dc2c5f0ddc4a2ea4b066735fb6b  libprelude-0.9.0-rc1.tar.gz
77829c0d5efa7f82d23d2b32841f6a9c  libpreludedb-0.9.0-rc1.tar.gz
6a89c6d4b51299f779a384aef35e4e64  prelude-lml-0.9.0-rc1.tar.gz
ff16b2caaba8675a28f385cc59862b9a  prelude-manager-0.9.0-rc1.tar.gz
3f3d0c4cf85056a20a0a88645846c187  Prewikka-0.9.0-rc1.tar.gz
69dc9e90abca4dd134731f6e7fc578a0  snort-2.3.2-prelude-0.9.0-rc1.tar.gz



------[ OpenPGP key ]------

gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 0x23D2FAC3




------[ Credits for this release ]------

- Davor Ocelic (libpreludedb)
- Gene Gomez (LML rulesets)
- Hervé Debar (IDMEF work&support, libpreludedb)
- Jascha Wanger
- Jochen Schlick (bug fix)
- Krzysztof Zaraska (Libprelude, Libpreludedb)
- Markus Alkio - Citadec (Prewikka)
- Mickael Profeta (Debian packages)
- Miika Keskinen - Citadec (Prewikka)
- Nicolas Delon (Libprelude, Libpreludedb, Prewikka)
- Rob Holland (Prelude LML work)
- Rodolphe Ortalo (bug fixing)
- Sébastien Tricaud (Documentation work)
- Simon Josefsson (GnuTLS support)
- Stéphane Loeuillet
- Yann Droneaud (Autoconf work)
- Yoann Vandoorselaere (Libprelude, Libpreludedb, Prewikka, Prelude-LML,
Snort+Prelude output, Prelude-Import, Prelude-Manager).
- Anyone I may have forgotten.


------[ Other contributors ]------

- Gael Girard (Artwork)
- Nikos Mavrogiannopoulos (GnuTLS help)
- Simon Josefsson (GnuTLS help)


------[ Companies which supported the project ]------

- Dreamlab
- Digital-Network

-- 
Yoann Vandoorselaere <yoann@prelude-ids.org>
