
List:       prelude-announce
Subject:    [prelude-announce] [ANNOUNCE]: Prelude Hybrid IDS suite 0.9.0
From:       yoann.v () prelude-ids ! com (Yoann Vandoorselaere)
Date:       2005-09-20 14:11:59
Message-ID: 1127218313.11208.129.camel () localhost

After several years of development, the Prelude team is pleased to
announce the public release of version 0.9.0 of the Prelude Hybrid
Intrusion Detection System.


________________________________________________________________________

------[ What is Prelude Hybrid IDS ? ]------

Prelude was born from the observation that more and more IDS systems
exist, each with its own focus, but that no framework exists to unify
and centralize the events provided by these different systems.

We believe that relying on a single source of information in order to do
security analysis is not sufficient, since different analysis methods
have different advantages, and that unifying these methods in a strong
and powerful product is the only way to produce a comprehensive security
analysis tool.

Prelude is a Hybrid IDS framework, that is, a product enabling all
security applications, be they open-source or proprietary, to report to a
centralized system. To achieve this, Prelude relies on the IDMEF
(Intrusion Detection Message Exchange Format) IETF standard, which
enables different kinds of sensors to generate events using a common
language.

Prelude provides a C, Python, and Perl framework so that you can convert
existing security applications to use the Prelude Framework. It also
provides sensors such as a log analyzer (Prelude-LML). A Prelude sensor
is a program which has the ability to use the Prelude Framework.

Prelude benefits from its ability to find traces of malicious activity
across different sensors (Snort, honeyd, the Nessus Vulnerability Scanner,
Samhain, hundreds of system logs, and many others) in order to better
verify attack vectors and, in the end, to perform automatic correlation
between the various events.

Prelude is licensed under the terms of the GNU General Public License
version 2 and is available from http://www.prelude-ids.org/. PreludeIDS
Technologies provides commercial licenses for the software libraries
Libprelude and Libpreludedb, in order to enable the development of
interoperable proprietary solutions.



------[ Commercial Support ]------

The PreludeIDS Technologies company, which develops the Prelude
Intrusion Detection System, provides corporate level support and
development. While providing the core components of the system under the
Open Source development model, it also offers additional products and
custom development geared to the needs of larger corporate clients.

The company, already present in many types of industries, is
particularly focused on providing expertise regarding ID&P (Intrusion
Detection and Prevention) for medium to large sized infrastructures
(multinationals, telecoms, etc.), entities handling highly confidential
data (military, banks, etc.) and networks with remote access (e-learning,
telecommuting, etc.).

Today, in close cooperation with its worldwide Certified Partners,
PreludeIDS Technologies brings its Prelude expertise via a broad range
of products and services:

- PrewikkaPro professional front-end (including advanced ticket system,
remote sensor management and graphical fully interactive statistics).
- Increased database performance for corporate users. 
- Commercial licenses for Prelude library. 
- Prelude system customization. 
- Software maintenance and technical support. 
- Deployment, Integration.
- Consulting, Training, etc.


See http://www.prelude-ids.com for more information.



------[ What's new in 0.9 ? ]------

This list covers the main axes of development of Prelude-IDS 0.9.
It is, however, far from exhaustive.


*** Prelude Framework:

The Prelude framework has been stabilized, and a lot of consistency work
has been done. The C API should remain stable at this point, and we
now offer Python and Perl bindings for interacting with Prelude.

C++ applications should now compile with the library. New and powerful
APIs have been introduced, such as idmef-path (defining a path within an
IDMEF message tree, and assigning or retrieving the value it points to)
and IDMEF criteria filtering.

-  We spent a lot of time working closely with the IDWG to get missing
IDMEF features implemented. The result of this work is available in
IDMEF v14, with which we are compliant.

-  Support for IDMEF optional integers.
-  Message routing across distributed Managers for remote sensor
administration.

-  The failover subsystem, used when the communication with a
Prelude-Manager goes down, now supports transactions and quotas.

-  Unique message identifiers are now generated on the sender side (not
by the routing managers), and are fully optional, per the IDMEF
specification.

-  Full IPv6 support for client/manager connectivity.

-  Use GnuTLS instead of OpenSSL. Authentication is now always done
through TLS, and the encryption layer can be dropped if the connection
is local. A single tool is used for sensor registration, based on SRP
(Secure Remote Password protocol).

-  Allow multiple analyzer instances through the use of profiles.

-  Enhanced portability (we should now build successfully on
architectures such as Tru64/AIX).

-  The default analyzer heartbeat rate was increased. 




*** PreludeDB Framework

The PreludeDB Library provides an abstraction layer over the type and
the format of the database used to store IDMEF alerts.

It allows developers to use the Prelude IDMEF database easily and
efficiently without worrying about SQL, and to access the database
independently of its type and format.


*** Prelude-Manager: Collects and normalizes events.

The Prelude-Manager is a high-availability server which collects and
normalizes events from distributed sensors.

It provides the ability to relay received events to one or several other
prelude-manager servers. Received events can be filtered, so that
you can hook actions to specific events.

Clients using libprelude can now request copies of alerts from a
Manager. Additionally, Prelude-Manager will back up alerts received while
a "querying" analyzer was offline and emit them once it reconnects.

-  New permissions system, allowing control of authorized client
operations.

-  Support for failover at the Report plugin level, allowing, for
example, a failover to be set up if one of the report plugins fails
(example: if the database used by a report plugin goes down).

-  Improved scheduler fairness across different sensors.

-  Allow loading of multiple instances of the same plugin; the Manager
can now report to an unlimited number of plugin instances (example: you
can now have multiple databases).

-  Modular filtering system, allowing IDMEF criteria to be defined and
actions to be bound to them, to be issued when an event matches these
rules.

-  Use libpreludedb for database reporting.
-  Support plugin dl-preopening on platforms without dlopen() or dlsym().
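The idmef-path and criteria APIs mentioned in the framework section above, and the criteria-based filtering the Manager uses to bind actions to events, rest on the same idea: a node in the IDMEF message tree is addressed by a dotted path whose repeatable elements carry an index in parentheses (for example alert.source(0).node.address(0).address), and a filter is an expression over such paths. The following Python block is an added, self-contained illustration written for this page; it is not libprelude's Python binding. Its function names (idmef_get, idmef_set, criteria_match), the dict-and-list message model and the operator set (==, !=, =~, !~ joined by &&) are assumptions, and the sample alert is constructed.

```python
import re

# Path elements look like "name" or "name(index)"; the index selects one
# occurrence of a repeatable IDMEF element (source, target, address, ...).
_PATH_ELEM = re.compile(r"^([A-Za-z_]+)(?:\((\d+)\))?$")
# One criteria clause: <path> <op> '<value>'  (hypothetical syntax for this example)
_CLAUSE = re.compile(r"^\s*([A-Za-z_.()0-9]+)\s*(==|!=|=~|!~)\s*'([^']*)'\s*$")


def _split_path(path):
    """Parse 'alert.source(0).node.address(0).address' into [(name, index-or-None), ...]."""
    elems = []
    for part in path.split("."):
        m = _PATH_ELEM.match(part)
        if not m:
            raise ValueError(f"bad path element: {part!r}")
        elems.append((m.group(1), int(m.group(2)) if m.group(2) is not None else None))
    return elems


def idmef_get(msg, path, default=None):
    """Retrieve the value a path points to, or `default` if any element is absent."""
    node = msg
    for name, idx in _split_path(path):
        if not isinstance(node, dict) or name not in node:
            return default
        node = node[name]
        if idx is not None:
            if not isinstance(node, list) or idx >= len(node):
                return default
            node = node[idx]
    return node


def idmef_set(msg, path, value):
    """Assign a value at a path, creating intermediate dicts/lists as needed."""
    elems = _split_path(path)
    node = msg
    for i, (name, idx) in enumerate(elems):
        last = i == len(elems) - 1
        if idx is None:
            if last:
                node[name] = value
            else:
                node = node.setdefault(name, {})
        else:
            lst = node.setdefault(name, [])
            while len(lst) <= idx:          # grow the list up to the requested index
                lst.append({})
            if last:
                lst[idx] = value
            else:
                node = lst[idx]
    return msg


def criteria_match(msg, criteria):
    """Evaluate an AND-joined criteria string against a message.

    == and != compare as strings; =~ and !~ apply a regular expression.
    A missing path compares unequal to everything (so != and !~ succeed)."""
    for clause in criteria.split("&&"):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        path, op, wanted = m.groups()
        actual = idmef_get(msg, path)
        if op == "==":
            ok = actual is not None and str(actual) == wanted
        elif op == "!=":
            ok = actual is None or str(actual) != wanted
        else:
            found = actual is not None and re.search(wanted, str(actual)) is not None
            ok = found if op == "=~" else not found
        if not ok:
            return False
    return True


def build_sample_alert():
    """Constructed sample alert, built through idmef_set as a sensor would."""
    msg = {}
    idmef_set(msg, "alert.classification.text", "Login failed")
    idmef_set(msg, "alert.assessment.impact.severity", "medium")
    idmef_set(msg, "alert.source(0).node.address(0).address", "10.0.0.7")
    idmef_set(msg, "alert.target(0).user.user_id(0).name", "root")
    return msg


if __name__ == "__main__":
    alert = build_sample_alert()
    rule = "alert.classification.text == 'Login failed' && alert.source(0).node.address(0).address =~ '^10\\.'"
    print("source:", idmef_get(alert, "alert.source(0).node.address(0).address"))
    print("filter matches:", criteria_match(alert, rule))
```

A Manager-side filter in this model is just a criteria string plus the action to run when criteria_match returns true; keeping the comparison semantics for absent paths explicit (a missing field never satisfies == or =~) avoids filters that silently fire on incomplete events.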


*** Prelude-LML: Log analyzer, Syslog events collector.

Prelude-LML is a high-performance, signature-based log analyzer that
monitors log files and received syslog messages for suspicious activity.
It handles events generated by a large set of components, including but
not limited to: BigIP, Grsecurity, Honeyd, ipchains, Netfilter, ipfw,
Nokia ipso, Nagios, Norton Antivirus Corporate Edition, NTsyslog, PAM,
Portsentry, Postfix, Proftpd, ssh, etc.

Prelude-LML achieves a very high EPS threshold, superior to some
commercial offerings, on low-end hardware.

-  Handles the whole IDMEF object set.
-  Supports any log format through the use of PCRE.
-  Support for multiple/optional regular expressions.
-  Supports jumps/optional jumps between different rules.

-  New rules for: Arbor Networks Peakflow system, Dell OM, Shadow Utils,
Modsecurity, Netscreen, P3Scan, Tripwire, ClamAV, Sendmail,
APC Environmental Monitoring Unit, CISCO PIX, Cisco VPN Concentrator,
Microsoft SQL Server, PAM, pcAnywhere, Oracle, Webmin, Wu-Ftpd,
Systrace, identd, arpwatch, pure-ftpd, Apache, Dlink, SeLinux.

-  Per-log-file rulesets are now possible.
-  Support plugin dl-preopening on platforms without dlopen() or
dlsym().
-  Optimization work.
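To make the Prelude-LML feature list above concrete (a primary regular expression per rule, optional secondary expressions whose captures enrich the event, and IDMEF fields filled from the captures), here is an added, self-contained Python sketch of that kind of signature-based log analyzer. It is written for this page and is not Prelude-LML or its rule syntax: the rule dictionary layout, the $name template references and the match_line/analyze names are assumptions, and the syslog lines are constructed.

```python
import re

# Constructed sample syslog lines (not real logs).
SAMPLE_LOG = [
    "Sep 20 14:11:59 gw sshd[2210]: Failed password for root from 10.0.0.7 port 51122 ssh2",
    "Sep 20 14:12:01 gw sshd[2211]: Accepted publickey for deploy from 192.168.1.20 port 40110 ssh2",
    "Sep 20 14:12:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=23",
    "Sep 20 14:12:07 gw cron[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Hypothetical rule structure (not Prelude-LML's own rule format):
#   regex    - primary pattern; a line must match it for the rule to fire
#   optional - secondary patterns whose named groups are used only when they match
#   fields   - IDMEF-style paths -> templates; "$name" refers to a capture group
RULES = [
    {
        "id": 1,
        "regex": r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)",
        "optional": [r" port (?P<port>\d+)"],
        "fields": {
            "alert.classification.text": "SSH login failed",
            "alert.assessment.impact.severity": "medium",
            "alert.source(0).node.address(0).address": "$src",
            "alert.source(0).service.port": "$port",
            "alert.target(0).user.user_id(0).name": "$user",
        },
    },
    {
        "id": 2,
        "regex": r"kernel: .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)",
        "optional": [],
        "fields": {
            "alert.classification.text": "Netfilter packet logged",
            "alert.assessment.impact.severity": "low",
            "alert.source(0).node.address(0).address": "$src",
            "alert.target(0).node.address(0).address": "$dst",
            "alert.target(0).service.port": "$dport",
            "alert.target(0).service.protocol": "$proto",
        },
    },
]

_REF = re.compile(r"\$(\w+)")


def _render(template, groups):
    """Substitute $name references; return None if a referenced group was not captured."""
    missing = False

    def repl(m):
        nonlocal missing
        value = groups.get(m.group(1))
        if value is None:
            missing = True
            return ""
        return value

    out = _REF.sub(repl, template)
    return None if missing else out


def match_line(line, rules=RULES):
    """Return a flat {idmef_path: value} event for the first rule matching `line`, else None."""
    for rule in rules:
        m = re.search(rule["regex"], line)
        if not m:
            continue
        groups = dict(m.groupdict())
        for pattern in rule["optional"]:        # optional expressions only add captures
            om = re.search(pattern, line)
            if om:
                groups.update({k: v for k, v in om.groupdict().items() if v is not None})
        event = {"rule_id": rule["id"]}
        for path, template in rule["fields"].items():
            value = _render(template, groups)
            if value is not None:               # skip fields whose optional capture is absent
                event[path] = value
        return event
    return None


def analyze(lines, rules=RULES):
    """Run every line through the ruleset and keep the events that fired."""
    return [e for e in (match_line(line, rules) for line in lines) if e is not None]


if __name__ == "__main__":
    for event in analyze(SAMPLE_LOG):
        print(event)
```

Lines that match no rule (the accepted login and the cron entry in the sample) produce nothing, and a field whose optional capture is missing is left out of the event rather than filled with an empty string, so downstream criteria on that path see it as absent.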


*** Prelude enabled Snort 2.4.1 / Prelude NIDS:

One of the important advancements in this release is that we deprecated
Prelude-NIDS in favor of using Snort as our default NIDS sensor.

We believe that today, there is no reason to spend time working on
another NIDS sensor when Snort already exists and already provides the
functionality we need.

As of version 2.4.0, the vanilla Snort distribution includes Prelude
support. You can get Snort from http://www.snort.org


*** Prewikka: The Prelude-IDS console.

Prewikka is a professional-looking application providing advanced
features like contextual filtering, aggregation, etc. Prewikka is a
large step forward compared to Piwi.

Prewikka also incorporates access to advanced filters and various
network tools, as well as user management and heartbeat monitoring for
sensors.

Prewikka provides an intuitive front-end for the Prelude Framework.



------[ Documentation ]------

The Prelude Handbook is a collaborative effort to come up with
complete Prelude-IDS documentation covering architecture, installation,
and configuration instructions.

It is the most up-to-date documentation at this time, and covers
Prelude-IDS 0.9:
https://trac.prelude-ids.org/wiki/PreludeHandbook



------[ Downloading ]------

All components of the Prelude hybrid IDS suite 0.9.0 can be
downloaded from our website:
http://www.prelude-ids.org/rubrique.php3?id_rubrique=6

Support for Prelude 0.9.0 is upcoming for Sancp, SHADOW, and Mwcollect.

http://prelude-ids.org/download/releases/libprelude-0.9.0.tar.gz
http://prelude-ids.org/download/releases/libprelude-0.9.0.tar.gz.sig
http://prelude-ids.org/download/releases/libprelude-0.9.0.tar.gz.md5

http://prelude-ids.org/download/releases/libpreludedb-0.9.0.tar.gz
http://prelude-ids.org/download/releases/libpreludedb-0.9.0.tar.gz.sig
http://prelude-ids.org/download/releases/libpreludedb-0.9.0.tar.gz.md5

http://prelude-ids.org/download/releases/prelude-manager-0.9.0.tar.gz
http://prelude-ids.org/download/releases/prelude-manager-0.9.0.tar.gz.sig
http://prelude-ids.org/download/releases/prelude-manager-0.9.0.tar.gz.md5

http://prelude-ids.org/download/releases/prelude-lml-0.9.0.tar.gz
http://prelude-ids.org/download/releases/prelude-lml-0.9.0.tar.gz.sig
http://prelude-ids.org/download/releases/prelude-lml-0.9.0.tar.gz.md5

http://prelude-ids.org/download/releases/prewikka-0.9.0.tar.gz
http://prelude-ids.org/download/releases/prewikka-0.9.0.tar.gz.sig
http://prelude-ids.org/download/releases/prewikka-0.9.0.tar.gz.md5



------[ MD5SUM ]------

95fe75b77b8be8992bc87274d6e2283a  libprelude-0.9.0.tar.gz
ea644bd5487e020fdea539c6ad2242d4  libpreludedb-0.9.0.tar.gz
c847bd9ae8fc497cf8f7cd1c4c5f0aa2  prelude-manager-0.9.0.tar.gz
ff875d0e654a89d54ec2200acc847d2d  prelude-lml-0.9.0.tar.gz
17c857dd365cb0fe8b9c1d69a4960c89  prewikka-0.9.0.tar.gz



------[ OpenPGP key ]------

gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 0x23D2FAC3
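The MD5 list and the detached .sig files above are the two checks to run on a downloaded tarball before building it. As an added example for this page (not part of the announcement and not the Prelude project's code), the Python below parses the published checksum list, recomputes MD5 for each tarball in a download directory, and, when gpg is installed, verifies the detached signature against the key fetched with the command above. MD5 collisions were already practical by 2005, so the checksum list mainly catches truncated or corrupted downloads; the OpenPGP signature is what establishes provenance. Function names and the result vocabulary (ok/mismatch/missing) are assumptions.

```python
import hashlib
import os
import shutil
import subprocess

# Checksum list exactly as published in the announcement ("<md5>  <file>").
PUBLISHED_MD5SUMS = """\
95fe75b77b8be8992bc87274d6e2283a  libprelude-0.9.0.tar.gz
ea644bd5487e020fdea539c6ad2242d4  libpreludedb-0.9.0.tar.gz
c847bd9ae8fc497cf8f7cd1c4c5f0aa2  prelude-manager-0.9.0.tar.gz
ff875d0e654a89d54ec2200acc847d2d  prelude-lml-0.9.0.tar.gz
17c857dd365cb0fe8b9c1d69a4960c89  prewikka-0.9.0.tar.gz
"""


def parse_md5sums(text):
    """Parse md5sum(1)-style lines into {filename: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 32 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name.strip()] = digest.lower()
    return expected


def md5_bytes(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk=1 << 16):
    """MD5 hex digest of a file, read in chunks so large tarballs are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_md5(path, expected_hex):
    return md5_file(path) == expected_hex.lower()


def verify_release_dir(directory, checksums=PUBLISHED_MD5SUMS):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every published entry."""
    results = {}
    for name, digest in parse_md5sums(checksums).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if verify_md5(path, digest) else "mismatch"
    return results


def verify_signature(path):
    """Check the detached OpenPGP signature <path>.sig with gpg.

    Returns True when gpg exits 0, i.e. reports a good signature by a key in
    the keyring; whether that key is trusted must still be judged separately."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    proc = subprocess.run(["gpg", "--verify", path + ".sig", path],
                          capture_output=True, text=True)
    return proc.returncode == 0


if __name__ == "__main__":
    import sys
    download_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify_release_dir(download_dir).items():
        print(f"{status:9} {name}")
        if status == "ok":
            print("   signature:", "good" if verify_signature(os.path.join(download_dir, name)) else "BAD")
```

Run it with the directory holding the five tarballs and their .sig files as the only argument; a "mismatch" or a bad signature means the archive should not be unpacked.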



------[ Credits for this release ]------ 
________________________________________________________________________

-  Frank van Vliet (bugfix, auditing, Sancp sensor) 
-  Gene Gomez (LML rulesets) 
-  Hervé Debar (IDMEF work/support, libpreludedb) 
-  Jascha Dub 
-  Krzysztof Zaraska (Libprelude, Libpreludedb) 
-  Markus Alkio - Citadec (Prewikka) 
-  Mickael Profeta (Debian packages) 
-  Miika Keskinen - Citadec (Prewikka) 
-  Nicolas Delon (Libprelude, Libpreludedb, Prewikka) 
-  Rob Holland (Prelude LML, Prewikka work) 
-  Sébastien Tricaud (Documentation work, Database) 
-  Yoann Vandoorselaere (Libprelude, Libpreludedb, Prewikka,
Prelude-LML, Snort sensor, Prelude-Import, Prelude-Manager). 
-  Anyone we may have forgotten.


------[ Other contributors ]------

-  Cedric Foll (Database delete optimisation) 
-  Daniel Black (Prewikka root prefix installation option) 
-  Davor Ocelic (libpreludedb) 
-  Frédéric Motte (Criteria parser escaping fixes) 
-  Gaël Girard (Artwork) 
-  James A. Overton (Prewikka Safari rendering fixes) 
-  Jochen Schlick (bugfix) 
-  Nikos Mavrogiannopoulos (GnuTLS help) 
-  Rodolphe Ortalo (bugfix) 
-  Simon Josefsson (GnuTLS help) 
-  Sylvain Gil (Prewikka MacOSX module loading) 
-  Vincent Deffontaines (Nagios ruleset update) 
-  Stéphane Loeuillet 
-  Yann Droneaud (Autoconf work)


-- 
Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58                  Fax: +33(0)4 78 42 21 58
http://www.prelude-ids.com

