Re: Prelude IDS

From: Oudot Laurent (oudot.laurent@wanadoo.fr)
Date: 05/30/02


Date: Thu, 30 May 2002 15:16:40 +0200
From: Oudot Laurent <oudot.laurent@wanadoo.fr>
To: focus-ids@securityfocus.com

Hi,

Belthrop, Tony wrote :
> Has anyone used Prelude IDS's.

I am currently using it to protect my home network.

> Is it as good as SNORT? Mandrake has a Security ISO that has
> SNORT and Prelude already built into it. I had never heard of Prelude
> before I saw the link.

SNORT is a very great opensource NIDS program, but Prelude is not a
NIDS, it is an IDS. So it is not easy to compare them.
With Prelude, you can do both network based and host based
intrusion detection.
For example, suppose you have a network with firewalls, routers,
switches, Unix systems, Windows systems: it's very difficult to be
able to detect intrusions on the whole architecture and to get a central
point of view of the security state. The goal of Prelude is to try to do
that (really :-))

With Prelude you can try to detect intrusions on the network like any
NIDS would, and you can also parse your logs coming from most of your
hosts or network devices, and finally you can read and browse all alerts
in a web interface.

The concept is simple, you have to deploy sensors (that can make either
network or host based intrusion detection) over your networks, and you
also need a manager (at least one). Discussions between remote sensors
and managers are encrypted using x509 certificates and OpenSSL, in order
to be sure that nobody can read/alter/create alerts.

Prelude is composed of multiple packages:
- libprelude : you need this for every other package; that's not a
program but a library
- prelude-manager : this is where every alert will be stored using the
new alert format, IDMEF (see the idwg & ietf work about IDMEF)
- prelude-nids : which is a NIDS (like snort for example, if you really
need to see a comparison)
- prelude-lml : which is a host based intrusion detection tool (it can
parse local logs or get remote logs like a usual syslog can)
- prelude-php-frontend : which is a web interface for the security
administrators where they can get stats, alerts, etc. That's where you
usually manage alerts.

> Mandrake has a Security ISO that has SNORT and Prelude already built
> into it.

Huh, on the Mandrake ISO, I think Prelude is the very old version 0.4.2
from last year; this does NOT include all I said before!
If you need to download the latest (one day of delay) CVS version you
can get it at http://prelude-ids.org/index.php?page=3

> I had never heard of Prelude before I saw the link.

Yeah, the prelude-team usually doesn't have time to do advertising :-)

I hope it'll answer you as you wanted...
Regards,

laurent
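As an added illustration of the prelude-lml style flow described in the message above (a host sensor parsing syslog lines and handing each match to the manager as an IDMEF alert), here is example code that is not Prelude's own: it runs a hypothetical two-rule set over constructed syslog lines and serializes each hit as a simplified IDMEF-Message, using a subset of the element layout later published as RFC 4765. The log lines, rule texts, analyzer id and the assumed year (syslog lines carry none) are all made up.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMPLE_LOGS = [  # constructed sample syslog lines, not real log data
    "May 30 15:16:40 gw sshd[2134]: Failed password for root from 192.0.2.10 port 4455 ssh2",
    "May 30 15:16:41 gw sshd[2140]: Accepted password for laurent from 192.0.2.20 port 4456 ssh2",
    "May 30 15:17:02 gw su[2201]: FAILED SU (to root) laurent on /dev/pts/1",
]
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
RULES = [  # hypothetical rule set: one regex per event of interest plus the alert's classification text
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"), "Failed SSH login"),
    (re.compile(r"su\[\d+\]: FAILED SU \(to (?P<user>\S+)\)"), "Failed su to privileged account"),
]
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
IDMEF_NS = "http://iana.org/idmef"

def detect(lines, year=2002):
    """Run every rule over each syslog line and return one alert dict per match."""
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than stop the sensor
        for rule, classification in RULES:
            hit = rule.search(m["msg"])
            if hit:
                when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                alerts.append({"time": when.replace(tzinfo=timezone.utc), "target": m["host"],
                               "user": hit["user"], "source": hit.groupdict().get("src"),
                               "classification": classification})
    return alerts

def to_idmef(alert, analyzer_id="lml-example", message_id="1"):
    """Serialize one alert as a simplified IDMEF-Message (a subset of the RFC 4765 layout)."""
    ET.register_namespace("idmef", IDMEF_NS)
    tag = lambda name: f"{{{IDMEF_NS}}}{name}"
    root = ET.Element(tag("IDMEF-Message"), version="1.0")
    a = ET.SubElement(root, tag("Alert"), messageid=message_id)
    ET.SubElement(a, tag("Analyzer"), analyzerid=analyzer_id)
    ts = alert["time"]  # CreateTime carries an NTP timestamp attribute and an ISO 8601 body
    ET.SubElement(a, tag("CreateTime"), ntpstamp=f"0x{int(ts.timestamp()) + NTP_EPOCH_OFFSET:08x}.0x00000000").text = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    if alert["source"]:  # local su failures carry no remote source address
        addr = ET.SubElement(ET.SubElement(ET.SubElement(a, tag("Source")), tag("Node")), tag("Address"), category="ipv4-addr")
        ET.SubElement(addr, tag("address")).text = alert["source"]
    target = ET.SubElement(a, tag("Target"))
    ET.SubElement(ET.SubElement(target, tag("Node")), tag("name")).text = alert["target"]
    uid = ET.SubElement(ET.SubElement(target, tag("User")), tag("UserId"), type="target-user")
    ET.SubElement(uid, tag("name")).text = alert["user"]
    ET.SubElement(a, tag("Classification"), text=alert["classification"])
    return ET.tostring(root, encoding="unicode")
```

In the deployment described above the sensor would send this message over its certificate-protected channel and the manager would store it; here `to_idmef` simply returns the XML string.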