Prelude-SIEM

Prelude-SIEM is brought to you by CS (http://www.c-s.fr) under GPLv2 license : https://www.prelude-siem.org

Copying and distribution of this library, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind.

For commercial use, if you need another license than GPLv2, please contact CS : contact.prelude@c-s.fr

Prelude-SIEM Overview

Prelude is an agentless, universal, and hybrid security information and event management (SIEM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license. Security events are normalized to an IDMEF format, allowing native support with almost all security related event from an IT equipment.

While a malicious user (or software) may be able to evade the detection of a single IDS (NIDS, HIDS, etc.), it becomes exponentially more difficult to get around the defenses when there are multiple protection mechanisms. Prelude comes with a large set of sensors, each of them monitoring different kind of events. Prelude permits alert collection to WAN scale, whether its scope covers a city, a country, a continent or the world.

Prelude claims that it is a SIEM system capable of inter-operating with all the systems available on the market.[3] It is natively compatible with: AuditD, Nepenthes, NuFW, OSSEC, Pam, Samhain, Sancp, Snort, and Suricata but anyone can write its own sensors or utilize some of the 3rd party sensors that are available, given Prelude’s opened APIs and librairies.

Prelude SIEM modules

Prewikka

Overview

Originally written by Markus Alkio and Miika Keskinen, re-written and maintained by Nicolas Delon with the help of Yoann Vandoorselaere and Audrey Girard, on behalf of PreludeIDS Technologies, it was rapidly adopted as the new Prelude frontend.

Prewikka is a professional looking application providing advanced features like contextual filtering, aggregation, etc.

Prelude-Correlator

Overview

Prelude-Correlator allows conducting multistream correlations thanks to a powerful programming language for writing correlation rules. With any type of alert able to be correlated, event analysis becomes simpler, quicker and more incisive.

Prelude-LML

Overview

This is the Prelude-LML log analyzer, collecting events from log files and/or syslog UDP messages.

Prelude-LML-Rules

Overview

Ruleset for pcre LML plugin.

Prelude-Manager

Overview

Prelude-Manager server is the Prelude events collector.

Prelude-Manager is a high availability server that accepts secured connections from distributed sensors or other managers and saves received events to a media specified by the user (database, logfile, mail, etc).

The server is a high availability server capable of handling large number of connections, and processing large amounts of events. It uses a per client scheduling queues in order to process events by severity fairly accross clients.

LibPrelude

Overview

The Prelude Library is used to make sensor developers’ life better by providing features used by every sensor:

  • Manager(s) Connection management (with fallback in case all configured Managers are down, and automatic reconnection).
  • Interface to communicate with the Prelude Manager.
  • Asynchronous Message interface (allowing sensor to emit message without blocking, even if there is latency on the wire).
  • Asynchronous timer interface.
  • Generic configuration API, providing a generic abstraction for command-line, configuration file option, and wide option support.
  • Wide option managment allowing sensor-exported options to be directly accessible from the Manager administrative console.
  • Generic plugin API.

LibPreludeDB

Overview

The PreludeDB Library provides an abstraction layer upon the type and the format of the database used to store IDMEF alerts. It allows developers to use the Prelude IDMEF database easily and efficiently without worrying about SQL, and to access the database independently of the type/format of the database.

How to contribute

IRC

If there’s something you just can’t find out elsewhere, you want to give feedback directly to the authors or you’re just bored, visit #prelude on irc.freenode.net

Get Support

Prelude-user forums can be accessed at:

Old mailing lists can be accessed at:

Commercial Support is available through the CS company:

Help development

Submitting patches

The Prelude source is constantly changing. If you want to submit a patch, please do so from the most recent GIT source tree, subscribe to the prelude-devel forum and post your patch with a description of functionality. You can also attach patches to bugs on

Bugs

If you find any bugs, please report them to:

Please make sure that what you’re reporting is actually a BUG and not a problem on your side.

Suggestions

Post on prelude-devel board and give us your suggestions.

Indices and tables