The Prelude system, and its graphical interface Prewikka in particular, uses several terms that need to be defined. Most of them derive from the IDMEF standard.
Alert (IDMEF)
A data structure describing a security incident. It contains information about:
- its classification
- the sensor from which it originates
- the time of detection/creation
- the source and the target
- its assessment (impact of the event)
It can be a simple alert or the grouping of related alerts into a "correlation alert".
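As an added example (not code from the Prelude project), the following Python builds an IDMEF alert carrying the five kinds of information listed above, using the element and attribute names of RFC 4765, and parses one back into a summary of the form Prewikka displays. The analyzer ids, addresses and classification text are constructed sample values; the `ntpstamp` attribute that the RFC requires on time elements is omitted here.

```python
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)


def _q(tag):
    """Namespace-qualify an IDMEF tag for ElementTree."""
    return f"{{{IDMEF_NS}}}{tag}"


def build_alert(messageid, analyzerid, analyzer_name, create_time, detect_time,
                source_ip, target_ip, classification, severity,
                correlated_ids=()):
    """Build an IDMEF-Message/Alert with classification, analyzer, times,
    source, target and assessment. If correlated_ids is non-empty the alert
    is emitted as a correlation alert grouping those message ids."""
    msg = ET.Element(_q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, _q("Alert"), messageid=messageid)
    # Sensor the alert originates from.
    ET.SubElement(alert, _q("Analyzer"), analyzerid=analyzerid, name=analyzer_name)
    # Time of creation and time of detection (RFC 4765 also requires ntpstamp).
    ET.SubElement(alert, _q("CreateTime")).text = create_time
    ET.SubElement(alert, _q("Classification"), text=classification)
    ET.SubElement(alert, _q("DetectTime")).text = detect_time
    # Source and target, each as a Node with one IPv4 address.
    for role, ip in (("Source", source_ip), ("Target", target_ip)):
        node = ET.SubElement(ET.SubElement(alert, _q(role)), _q("Node"))
        addr = ET.SubElement(node, _q("Address"), category="ipv4-addr")
        ET.SubElement(addr, _q("address")).text = ip
    # Assessment: impact of the event.
    assessment = ET.SubElement(alert, _q("Assessment"))
    ET.SubElement(assessment, _q("Impact"), severity=severity,
                  completion="succeeded", type="other")
    if correlated_ids:
        corr = ET.SubElement(alert, _q("CorrelationAlert"))
        ET.SubElement(corr, _q("name")).text = "grouped by " + analyzer_name
        for ident in correlated_ids:
            ET.SubElement(corr, _q("alertident")).text = ident
    return ET.tostring(msg, encoding="unicode")


def summarize_alert(xml_text):
    """Extract the fields a console would show; raises on a non-alert message."""
    root = ET.fromstring(xml_text)
    alert = root.find(_q("Alert"))
    if alert is None:
        raise ValueError("not an IDMEF Alert message")

    def address(role):
        el = alert.find(f"{_q(role)}/{_q('Node')}/{_q('Address')}/{_q('address')}")
        return el.text if el is not None else None

    impact = alert.find(f"{_q('Assessment')}/{_q('Impact')}")
    return {
        "messageid": alert.get("messageid"),
        "classification": alert.find(_q("Classification")).get("text"),
        "analyzer": alert.find(_q("Analyzer")).get("analyzerid"),
        "detect_time": alert.findtext(_q("DetectTime")),
        "source": address("Source"),
        "target": address("Target"),
        "severity": impact.get("severity") if impact is not None else None,
        "correlated": [e.text for e in alert.iter(_q("alertident"))],
    }


# Constructed sample: one simple alert and one correlation alert grouping two ids.
SAMPLE_ALERT = build_alert("1001", "lml-01", "Prelude-LML",
                           "2024-01-01T12:00:00Z", "2024-01-01T11:59:58Z",
                           "192.0.2.10", "192.0.2.1", "Login failure", "medium")
SAMPLE_CORRELATION = build_alert("2001", "corr-01", "Prelude-Correlator",
                                 "2024-01-01T12:05:00Z", "2024-01-01T12:04:59Z",
                                 "192.0.2.10", "192.0.2.1",
                                 "Repeated login failures", "high",
                                 correlated_ids=("1001", "1002"))

if __name__ == "__main__":
    print(summarize_alert(SAMPLE_ALERT))
    print(summarize_alert(SAMPLE_CORRELATION))
```

The summary keeps the message id and the list of correlated alert ids so that a console can link a correlation alert back to the simple alerts it groups.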
Heartbeat
A message sent at regular intervals by analyzers to the manager(s) they are attached to, in order to indicate that they are running.
The absence of a number of consecutive heartbeats indicates the failure of either the analyzer or its network connection.
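The check described above, as an added example rather than Prelude-Manager's own code: given the heartbeat interval each analyzer is expected to keep and a threshold of consecutive missed heartbeats, report the analyzers that should be considered failed. The interval, threshold, analyzer ids and timestamps below are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed configuration: one heartbeat per minute, three misses means failure.
HEARTBEAT_INTERVAL = timedelta(seconds=60)
MISSED_THRESHOLD = 3


def last_seen_by_analyzer(heartbeats):
    """Reduce (analyzerid, timestamp) records to the latest timestamp per analyzer."""
    last = {}
    for analyzerid, ts in heartbeats:
        if analyzerid not in last or ts > last[analyzerid]:
            last[analyzerid] = ts
    return last


def missed_heartbeats(last_seen, now, interval=HEARTBEAT_INTERVAL):
    """Number of heartbeats that were due since last_seen and have not arrived."""
    if now <= last_seen:
        return 0
    return (now - last_seen) // interval


def find_failed_analyzers(heartbeats, now, interval=HEARTBEAT_INTERVAL,
                          threshold=MISSED_THRESHOLD):
    """Map analyzerid -> missed count for analyzers at or above the threshold.
    The cause (crashed analyzer or broken network path) cannot be told apart
    from heartbeats alone, so the caller must investigate both."""
    failed = {}
    for analyzerid, ts in last_seen_by_analyzer(heartbeats).items():
        missed = missed_heartbeats(ts, now, interval)
        if missed >= threshold:
            failed[analyzerid] = missed
    return failed


# Constructed sample: one analyzer keeps reporting, the other stopped at 12:01.
_base = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_HEARTBEATS = [
    ("sensor-lml", _base + timedelta(seconds=s)) for s in (0, 60, 120, 180, 240)
] + [
    ("sensor-snort", _base + timedelta(seconds=s)) for s in (0, 60)
]
NOW = _base + timedelta(seconds=245)

if __name__ == "__main__":
    for analyzerid, missed in find_failed_analyzers(SAMPLE_HEARTBEATS, NOW).items():
        print(f"{analyzerid}: {missed} consecutive heartbeats missed")
```

Counting whole intervals elapsed since the last heartbeat, rather than comparing against a wall-clock deadline, keeps the rule stable when the check itself runs late.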
Analyzer
The emission source of an alert or heartbeat message.
This definition can be extended to cover not only Prelude agents (Prelude-LML, Prelude-Correlator, Snort, Samhain...) but also services (web server, PAM, ssh, antivirus...) that write to logs instead of emitting alerts.
Manager
The destination of an alert or heartbeat message.
The manager can process the received data and, for example, deliver it to a database. It can also act as a relay, i.e. forward the messages to another manager.
Example: Prelude-Manager
Agent
A Prelude client, i.e. a program using libprelude. It can be an analyzer or a manager.
Examples: Prelude-LML, Prelude-Manager...
Node
A piece of equipment that hosts one or several analyzers/managers, identified by a network address or a name.
Example: 192.0.2.1
Location
The physical site of one or several nodes.
Example: Paris