ANNOUNCE: Prelude Reporting Patch for Snort

From: Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl)
Date: 08/09/02


Date: Fri, 9 Aug 2002 17:30:04 +0200
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: prelude-user@prelude-ids.org


Prelude Reporting Patch for Snort 1.8.7 and 1.8.6
=================================================

The Prelude Development Team (http://www.prelude-ids.org/) is proud
to announce the availability of the experimental patch for Snort
(http://www.snort.org/) allowing integration between Snort and Prelude
IDS.

Prelude IDS is a modular hybrid intrusion detection system, available
under the GNU GPL licence. An interesting feature of Prelude is the
IDMEF-based messaging system allowing exchange of alerts between the
components of the system. The design of the messaging system allows
integration with third-party applications by making them capable of
sending alerts in the common format using the libprelude library. This
provides the capability of centralized processing and logging of alerts
emitted by various sensors, both host- and network-based.

Although Prelude is equipped with its own NIDS component (Prelude-NIDS),
due to the widespread usage of Snort we have decided to try to provide the
capability of using Snort along with other Prelude components.

Technically speaking, our patch adds a new output module for
Snort, which handles sending alerts to Prelude Manager using the
functionality provided by libprelude, such as SSL-based connections and
asynchronous (threaded) I/O handling. It must be noted that the patched
Snort will work only on systems that are capable of running libprelude.
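The two paragraphs above describe Snort alerts being carried in the IDMEF-based common format through a new output module. The following added example (not code from the Prelude patch, libprelude or Snort) shows the conversion step in isolation: it parses Snort "fast" alert lines and builds an IDMEF-Message using the element layout of RFC 4765; the sensor id, the namespace-free XML and the sample alert lines are assumptions constructed for the example.

```python
# Added example, not code from the Prelude patch or Snort: convert Snort "fast"
# alert lines into IDMEF XML (RFC 4765 element names), the common alert format
# Prelude's messaging is built on. Sample alerts below are constructed.
import re
import xml.etree.ElementTree as ET

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_fast_alert(line):
    """Fields of one Snort fast-alert line as a dict, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def _endpoint(parent, tag, addr, port, proto):
    # Source/Target: Node/Address always, Service only when the alert carries a port.
    ep = ET.SubElement(parent, tag)
    a = ET.SubElement(ET.SubElement(ep, "Node"), "Address", category="ipv4-addr")
    ET.SubElement(a, "address").text = addr
    if port:
        svc = ET.SubElement(ep, "Service")
        ET.SubElement(svc, "port").text = port
        ET.SubElement(svc, "protocol").text = proto.lower()

def idmef_xml(alert, analyzer_id="snort-sensor-1"):
    """Serialised IDMEF-Message for one parsed alert (Snort timestamps carry no year)."""
    root = ET.Element("IDMEF-Message", version="1.0")
    al = ET.SubElement(root, "Alert", messageid="%(gid)s:%(sid)s:%(rev)s" % alert)
    ET.SubElement(al, "Analyzer", analyzerid=analyzer_id, name="snort")
    ET.SubElement(al, "CreateTime").text = alert["ts"]
    _endpoint(al, "Source", alert["src"], alert["sport"], alert["proto"])
    _endpoint(al, "Target", alert["dst"], alert["dport"], alert["proto"])
    ET.SubElement(al, "Classification", text=alert["msg"])
    return ET.tostring(root, encoding="unicode")

# Constructed sample input (not real traffic); the last line is deliberately malformed.
SAMPLE = [
    "08/09-17:30:04.123456 [**] [1:100001:1] Constructed test alert [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.5:40000 -> 198.51.100.7:80",
    "08/09-17:30:05.000001 [**] [1:100002:1] Constructed ICMP test [**] "
    "[Priority: 3] {ICMP} 192.0.2.5 -> 198.51.100.7",
    "not an alert line",
]
```

A malformed line yields None from parse_fast_alert rather than an exception, so a reporting loop can count and skip it instead of stopping.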

This release is considered by us to be experimental, i.e. it may not be
complete and stable enough for production usage. If you however want to
try it at your own risk, you are welcome.

Currently, patches are available for Snort version 1.8.7 and 1.8.6. It
should be relatively easy to port our patch to any other 1.8.x version.

The patches are available from the Download section of the Prelude
website at http://www.prelude-ids.org/, as the tarball named
snort-prelude-reporting-patch-0.1.0.tar.gz. The MD5 hash of the tarball
is 5570eaad8efd7eb0191784412b5913da.

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//		-- Stanislaw Lem