Prelude Specifications
General Overview
- Prelude is a Universal SIM system: it collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".
  - Prelude is a SIM (Security Information Management) system: it performs reporting on historical data
  - Prelude is a SEM (Security Event Management) system: it performs real-time monitoring
  - Prelude is a SIEM (Security Information and Event Management) system: it performs reporting on historical data as well as real-time monitoring
  - Prelude is a Network and System Management solution (Hybrid IDS): it monitors both network-based and host-based security systems
  - Prelude is a Multi-sensor system: it collects data from an unlimited number of heterogeneous sensors deployed across the whole infrastructure
- Prelude is software based
  - Operating Systems supported by Prelude: Linux, OpenBSD, FreeBSD, NetBSD, Sun/Solaris, MacOSX, Tru64, and more generally most UNIX-like systems
- Prelude is open source: it is released under the GPL License
  - Prelude has been developed in C
  - The Prelude Web Interface has been developed in Python
  - Prelude correlation engine rules are written in Lua
Architecture
- Prelude is a distributed solution: it supports hierarchical deployments in distributed environments
  - Prelude permits alert collection at WAN scale, whether its scope covers a city, a country, a continent or the world
  - There is no limitation on the number of locations Prelude can collect data from
  - Prelude incorporates the notion of authority. This makes it possible to configure the system so that, for example, a NOC collects all the alerts transmitted by subsidiaries located at lower authority levels
- Prelude is a high availability system: it ensures operational continuity (failover system, redundant network support)
- Prelude is able to handle more than 10,000 eps (events per second)
Data Processing
Data Collection and Normalization
- Data Sources
  - Prelude is "agentless": it depends on no single brand or format and is capable of analyzing any type of log (system logs, syslog, flat files, etc.)
  - Prelude also has native support for a number of systems: Snort, Samhain, OSSEC, AuditD, Nepenthes, NuFW, Linux-PAM, SanCP, etc.
- Normalization
  - Data collected by the various sensors are normalized to the Intrusion Detection Message Exchange Format (IDMEF)
  - Raw data are kept when possible (the Prelude-LML log analyzer keeps the original log line, the Snort NIDS keeps the raw packet data that triggered a rule, etc.)
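What normalization to IDMEF looks like in practice, as an added example that is not Prelude-LML's own code: a hand-written normalizer turns a constructed syslog line into an RFC 4765 IDMEF Alert, tags the address with its IDMEF category (the IPv4/IPv6 classification step) and carries the untouched raw line as AdditionalData. The sshd pattern, the classification text, the sensor name `example-lml` and the sample log line are assumptions made for this example.

```python
"""Normalize a raw log line into an IDMEF alert, keeping the raw data.

Added example (not Prelude-LML's own code): a minimal normalizer showing the
shape of an IDMEF (RFC 4765) Alert, including the address category
classification (ipv4-addr / ipv6-addr) and the original log line preserved
as AdditionalData. The sshd pattern, classification text, sensor name and
sample syslog line are constructed for this example.
"""
import ipaddress
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

IDMEF_NS = "http://iana.org/idmef"
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

# Constructed sample line; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = ("Mar  3 10:12:07 bastion sshd[2413]: Failed password for "
              "invalid user admin from 203.0.113.7 port 51022 ssh2")

SSHD_FAILED = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: Failed password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def address_category(addr: str) -> str:
    """Classification step: every IDMEF Address carries a category attribute."""
    return "ipv6-addr" if ipaddress.ip_address(addr).version == 6 else "ipv4-addr"


def ntpstamp(when: datetime) -> str:
    """IDMEF time elements carry an NTP timestamp attribute (hex seconds.fraction)."""
    secs = int(when.timestamp()) + NTP_EPOCH_OFFSET
    frac = int((when.timestamp() % 1) * 2**32)
    return "0x%08x.0x%08x" % (secs, frac)


def normalize_sshd_failure(line: str) -> dict:
    """Extract the normalized fields; the raw line is kept alongside them."""
    m = SSHD_FAILED.match(line)
    if not m:
        raise ValueError("line does not match the sshd failed-password rule")
    return {
        "classification": "Remote Login: SSH authentication failure",  # constructed text
        "severity": "medium",
        "analyzer": "example-lml",  # hypothetical sensor name
        "source": {"address": m["src"], "category": address_category(m["src"]),
                   "port": int(m["port"])},
        "target": {"node": m["host"], "user": m["user"], "port": 22},
        "raw": line,
    }


def to_idmef_xml(alert: dict, when: Optional[datetime] = None) -> str:
    """Serialize the normalized alert as an IDMEF-Message document (RFC 4765 element order)."""
    when = when or datetime.now(timezone.utc)
    root = ET.Element("IDMEF-Message", {"xmlns": IDMEF_NS, "version": "1.0"})
    a = ET.SubElement(root, "Alert", messageid=str(uuid.uuid4()))
    an = ET.SubElement(a, "Analyzer", analyzerid=alert["analyzer"], name=alert["analyzer"])
    ET.SubElement(ET.SubElement(an, "Node"), "name").text = alert["target"]["node"]
    ct = ET.SubElement(a, "CreateTime", ntpstamp=ntpstamp(when))
    ct.text = when.isoformat(timespec="seconds")
    src = ET.SubElement(a, "Source")
    addr = ET.SubElement(ET.SubElement(src, "Node"), "Address",
                         category=alert["source"]["category"])
    ET.SubElement(addr, "address").text = alert["source"]["address"]
    ET.SubElement(ET.SubElement(src, "Service"), "port").text = str(alert["source"]["port"])
    tgt = ET.SubElement(a, "Target")
    ET.SubElement(ET.SubElement(tgt, "Node"), "name").text = alert["target"]["node"]
    uid = ET.SubElement(ET.SubElement(tgt, "User"), "UserId", type="target-user")
    ET.SubElement(uid, "name").text = alert["target"]["user"]
    svc = ET.SubElement(tgt, "Service")
    ET.SubElement(svc, "name").text = "ssh"
    ET.SubElement(svc, "port").text = str(alert["target"]["port"])
    ET.SubElement(a, "Classification", text=alert["classification"])
    ET.SubElement(ET.SubElement(a, "Assessment"), "Impact",
                  severity=alert["severity"], completion="failed", type="user")
    # Raw data preserved exactly as received, next to the normalized fields.
    ad = ET.SubElement(a, "AdditionalData", type="string", meaning="raw log line")
    ET.SubElement(ad, "string").text = alert["raw"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_idmef_xml(normalize_sshd_failure(SAMPLE_LOG)))
```

Keeping the raw line matters for investigations: once a parser rule has extracted the fields, the original evidence is still available to check that the extraction was right.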
Data Classification and Filtering
- Data Classification
  - Data are enriched with specific information. Example: classification of addresses as either IPv4 or IPv6
- Data Filtering
  - Data are filtered through different types of filters: limitation, thresholding, and filters on IDMEF event fields (creation of filters based on IDMEF fields)
  - Data can be filtered at different levels: collection, processing and visualization
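The three filter kinds named above, as an added example that is not prelude-manager's filter plugins: a criteria filter on IDMEF-style field paths, a thresholding stage that collapses a burst of similar alerts into one, and a limitation stage that rate-limits alerts per key. Alerts are plain nested dicts addressed by dotted paths (the `source(0)` style indices are omitted), and the sample alerts, classification texts and filter parameters are constructed.

```python
"""Filtering stages over normalized alerts: IDMEF-field criteria, thresholding and limitation.

Added example, not prelude-manager's filter plugins: alerts are nested dicts
addressed by dotted IDMEF-style paths (indices such as source(0) omitted).
The sample alerts, classification texts and filter parameters are constructed.
"""
from collections import defaultdict, deque
from typing import Any, Callable, Deque, Dict, List, Sequence, Tuple

Alert = Dict[str, Any]


def get_path(alert: Alert, path: str) -> Any:
    """Resolve a dotted path such as 'alert.source.node.address.address'; None if absent."""
    node: Any = alert
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    "in": lambda have, want: have in want,
}


class CriteriaFilter:
    """Keep an alert only if every (path, operator, value) clause holds."""

    def __init__(self, clauses: Sequence[Tuple[str, str, Any]]):
        self.clauses = clauses

    def __call__(self, alert: Alert) -> bool:
        return all(OPERATORS[op](get_path(alert, path), want) for path, op, want in self.clauses)


class _Windowed:
    """Shared bookkeeping: per-key timestamps pruned to the last `window` seconds."""

    def __init__(self, key_paths: Sequence[str], window: float):
        self.key_paths, self.window = key_paths, window
        self.seen: Dict[tuple, Deque[float]] = defaultdict(deque)

    def _bucket(self, alert: Alert) -> Tuple[Deque[float], float]:
        key = tuple(get_path(alert, p) for p in self.key_paths)
        ts = get_path(alert, "alert.create_time")
        bucket = self.seen[key]
        while bucket and ts - bucket[0] > self.window:
            bucket.popleft()
        return bucket, ts


class Thresholding(_Windowed):
    """Pass one alert per `count` alerts sharing the key inside the window: a burst becomes one alert."""

    def __init__(self, key_paths: Sequence[str], count: int, window: float):
        super().__init__(key_paths, window)
        self.count = count

    def __call__(self, alert: Alert) -> bool:
        bucket, ts = self._bucket(alert)
        bucket.append(ts)
        if len(bucket) >= self.count:
            bucket.clear()
            return True
        return False


class Limitation(_Windowed):
    """Pass at most `limit` alerts per key inside the window and drop the surplus: a rate limit."""

    def __init__(self, key_paths: Sequence[str], limit: int, window: float):
        super().__init__(key_paths, window)
        self.limit = limit

    def __call__(self, alert: Alert) -> bool:
        bucket, ts = self._bucket(alert)
        if len(bucket) >= self.limit:
            return False
        bucket.append(ts)
        return True


def run_pipeline(alerts: Sequence[Alert], stages: Sequence[Callable[[Alert], bool]]) -> List[Alert]:
    """Stages run in order and short-circuit, so only alerts matching the criteria are counted."""
    return [a for a in alerts if all(stage(a) for stage in stages)]


def make_alert(ts: int, src: str, text: str, severity: str) -> Alert:
    """Constructed IDMEF-shaped alert."""
    return {"alert": {"create_time": ts,
                      "classification": {"text": text},
                      "assessment": {"impact": {"severity": severity}},
                      "source": {"node": {"address": {"address": src}}}}}


# Constructed stream: six failures from one source, one from another, one unrelated info event.
SAMPLE_ALERTS = [make_alert(t, "203.0.113.7", "SSH authentication failure", "medium") for t in range(6)]
SAMPLE_ALERTS += [make_alert(2, "198.51.100.4", "SSH authentication failure", "high"),
                  make_alert(3, "203.0.113.9", "Port scan", "info")]
SRC = "alert.source.node.address.address"


def demo(stage: Callable[[Alert], bool]) -> List[int]:
    """Run the criteria filter followed by `stage`; return the create_time of what passed."""
    criteria = CriteriaFilter([("alert.classification.text", "==", "SSH authentication failure"),
                               ("alert.assessment.impact.severity", "in", ("medium", "high"))])
    return [get_path(a, "alert.create_time") for a in run_pipeline(SAMPLE_ALERTS, [criteria, stage])]


if __name__ == "__main__":
    print("thresholding:", demo(Thresholding([SRC], count=3, window=60)))  # [2, 5]
    print("limitation:", demo(Limitation([SRC], limit=2, window=60)))     # [0, 1, 2]
```

Thresholding and limitation answer different questions: thresholding turns "many of the same thing" into a single, more significant alert, while limitation protects the downstream stages from being flooded by one source, at the cost of discarding the surplus.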
Data Transport
- Data transport is encrypted (SSL), authenticated (X.509 certificates), and reliable
- Data transport occurs over a single defined port, which can be changed
- Caching is available to protect against network outages (failover system)
- All alerts are always transmitted as they are generated. The concentrator schedules processing of the received events depending on their severity and their source agent, which is very useful in case of bursts of events.
- Reverse relaying allows "best practice" communication in DMZs: a concentrator is able to take the initiative and communicate with another concentrator in order to fetch the data held by it.
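How caching protects delivery across an outage, as an added example that is not libprelude's transport code: a sensor-side sender spools alerts locally while the concentrator is unreachable and replays the spool in order once the link is back, so nothing is lost or reordered. `TLSConnection` shows the mutually authenticated X.509 link such a sender would use; `FlakyConnection` is a constructed test double that stands in for it so the example runs offline. Host names, port, certificate paths and sample alerts are assumptions.

```python
"""Reliable alert delivery with a failover spool over an authenticated TLS link.

Added example, not libprelude's transport code. `TLSConnection` shows the
mutual X.509 authentication the link relies on; `FlakyConnection` is a
constructed test double used by `demo()`. Hosts, port, file paths and sample
alerts are constructed.
"""
import json
import socket
import ssl
import struct
from collections import deque
from typing import Deque, Iterable, List


class TLSConnection:
    """Mutually authenticated TLS client: the manager must present a certificate
    signed by our CA, and we present the sensor's own X.509 identity."""

    def __init__(self, host: str, port: int, ca_file: str, cert_file: str, key_file: str):
        self.host, self.port = host, port
        self.ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
        self.ctx.minimum_version = ssl.TLSVersion.TLS1_2
        self.ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)

    def send(self, payload: bytes) -> None:
        # One connection per message keeps the example short; raises OSError
        # (ConnectionError, timeouts, ssl.SSLError) while the manager is down.
        with socket.create_connection((self.host, self.port), timeout=5) as sock:
            with self.ctx.wrap_socket(sock, server_hostname=self.host) as tls:
                tls.sendall(struct.pack("!I", len(payload)) + payload)


class SpoolingSender:
    """Alerts enter a FIFO spool and leave only once the connection accepted them,
    so an outage delays delivery but never reorders or drops an alert."""

    def __init__(self, conn):
        self.conn = conn
        self.spool: Deque[bytes] = deque()

    def send(self, alert: dict) -> bool:
        """Queue the alert and try to flush; True if the spool is empty afterwards."""
        self.spool.append(json.dumps(alert, sort_keys=True).encode("utf-8"))
        return self.flush()

    def flush(self) -> bool:
        """Replay the spool head-first; stop at the first failure and keep the rest."""
        while self.spool:
            try:
                self.conn.send(self.spool[0])
            except OSError:
                return False          # still down: leave everything spooled
            self.spool.popleft()      # accepted, safe to forget
        return True


class FlakyConnection:
    """Constructed test double: unreachable on the listed call numbers, records deliveries."""

    def __init__(self, down_on: Iterable[int]):
        self.down_on, self.calls = set(down_on), 0
        self.delivered: List[bytes] = []

    def send(self, payload: bytes) -> None:
        self.calls += 1
        if self.calls in self.down_on:
            raise ConnectionError("concentrator unreachable")
        self.delivered.append(payload)


def demo() -> List[int]:
    """Five alerts; the link is down for calls 2-4, then recovers. Returns delivered ids in order."""
    conn = FlakyConnection(down_on={2, 3, 4})
    sender = SpoolingSender(conn)
    for i in range(5):
        sender.send({"id": i, "classification": "SSH authentication failure"})
    assert not sender.spool, "spool must be empty once the link is back"
    return [json.loads(p)["id"] for p in conn.delivered]


if __name__ == "__main__":
    print(demo())  # [0, 1, 2, 3, 4]
```

A production sensor would persist the spool to disk so a sensor restart during the outage does not lose it; the in-memory deque keeps the example self-contained.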
Data Retention
- Collected data are stored in a central place. Three databases are supported: MySQL, PostgreSQL, SQLite (depending on the database backend, data can be stored on a SAN)
- Using scheduled crontab jobs, it is possible to define retention policies for how long data should stay online and how long they are archived for later re-activation
Monitoring
- Prioritization
  - Collected events are prioritized through different factors: the severity of the event and the agent sending the information
  - The prioritization process is customizable
- Asset Model
  - Prelude supports the modelling of assets
  - Assets defined through the interface contain values that can be associated with any IDMEF field. Example: you can define an asset with the name DMZ containing the value IP1 || IP2 || IP3 || IP4 (this DMZ asset can then be used as a filter)
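The prioritization described here and under Data Transport, and the asset-as-filter idea, as an added example that is not prelude-manager's scheduler: queued alerts are processed in an order derived from two customizable factors, the event's severity and a weight for the agent that sent it, so a burst of low-value events does not delay a high-severity one; `Asset` models a named set of IDMEF field values usable as a filter. Agent names, weights, addresses and the sample burst are constructed.

```python
"""Prioritized processing of collected events, with a simple asset model.

Added example, not prelude-manager's scheduler. Agent names, trust weights,
addresses and sample alerts are constructed for this example.
"""
import heapq
import itertools
from typing import Any, Callable, Dict, Iterable, Iterator, List

Alert = Dict[str, Any]
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def default_priority(alert: Alert, agent_weight: Dict[str, int]) -> int:
    """Higher means processed sooner: severity dominates, the agent weight breaks ties.
    Pass another callable to PriorityScheduler to change the policy."""
    return SEVERITY_RANK.get(alert["severity"], 0) * 10 + agent_weight.get(alert["agent"], 0)


class PriorityScheduler:
    """Heap ordered by (-priority, arrival); equal priorities stay FIFO."""

    def __init__(self, agent_weight: Dict[str, int],
                 priority: Callable[[Alert, Dict[str, int]], int] = default_priority):
        self.agent_weight, self.priority = agent_weight, priority
        self._heap: list = []
        self._arrival = itertools.count()

    def push(self, alert: Alert) -> None:
        heapq.heappush(self._heap,
                       (-self.priority(alert, self.agent_weight), next(self._arrival), alert))

    def drain(self) -> Iterator[Alert]:
        while self._heap:
            yield heapq.heappop(self._heap)[2]


class Asset:
    """Named set of values for one field, e.g. DMZ = IP1 || IP2 || IP3 || IP4; `matches` makes it a filter."""

    def __init__(self, name: str, field: str, values: Iterable[str]):
        self.name, self.field, self.values = name, field, set(values)

    def matches(self, alert: Alert) -> bool:
        return alert.get(self.field) in self.values


# Constructed burst: three low-severity web-log events arrive before the NIDS and HIDS alerts.
BURST: List[Alert] = [
    {"id": "lml-0", "severity": "low", "agent": "lml-web", "target": "192.0.2.20"},
    {"id": "lml-1", "severity": "low", "agent": "lml-web", "target": "192.0.2.20"},
    {"id": "lml-2", "severity": "low", "agent": "lml-web", "target": "192.0.2.20"},
    {"id": "ids-1", "severity": "high", "agent": "snort-dmz", "target": "192.0.2.10"},
    {"id": "hids-1", "severity": "medium", "agent": "ossec-core", "target": "192.0.2.30"},
    {"id": "lml-3", "severity": "medium", "agent": "lml-web", "target": "192.0.2.20"},
]
AGENT_WEIGHT = {"snort-dmz": 2, "ossec-core": 3, "lml-web": 1}   # constructed trust weights
DMZ = Asset("DMZ", "target", {"192.0.2.10", "192.0.2.11"})        # constructed asset


def processing_order() -> List[str]:
    """Order in which the concentrator would take the constructed burst."""
    sched = PriorityScheduler(AGENT_WEIGHT)
    for alert in BURST:
        sched.push(alert)
    return [a["id"] for a in sched.drain()]


def dmz_alerts() -> List[str]:
    """The DMZ asset used as a filter over the same burst."""
    return [a["id"] for a in BURST if DMZ.matches(a)]


if __name__ == "__main__":
    print(processing_order())  # ['ids-1', 'hids-1', 'lml-3', 'lml-0', 'lml-1', 'lml-2']
    print(dmz_alerts())        # ['ids-1']
```

The arrival counter in the heap tuple is what keeps equal-priority alerts in the order they were received; without it the heap would compare the alert dicts themselves and fail.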
Correlation
- Rule-based correlation
  - Prelude supports rule-based correlation in real time. It comes with correlation rules out of the box, which can be customized
  - Correlation rules are fully customizable
  - Prelude can create alerts based on: one or several similar events; events from different data sources; events coming into Prelude over a longer time frame
  - It is possible to include session history and geographical information in the correlation
  - Prelude offers data discovery functionality based on historical data
- Statistical correlation
  - Prelude supports statistical correlation in real time
  - Statistical correlation is fully customizable
- Actions
  - Prelude is able to send out alerts based on the result of a correlation. Correlation alerts are sent to the concentrator
  - Any notification scheme supported by the concentrator can be used. Example: email, database, XML IDMEF output, flat log file, etc.
  - Prelude is able to call external applications/scripts based on the result of a correlation
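Rule-based correlation over a time window with actions, as an added example that is not prelude-correlator's Lua rules: a small engine keeps per-source state, fires a correlation alert when repeated authentication failures from one source (seen by the log analyzer) are followed by a successful login from the same source (reported by a different sensor), and hands the alert to pluggable actions standing in for delivery to the concentrator or a call to an external script. Thresholds, sensor names, addresses and the sample events are constructed.

```python
"""Rule-based correlation across sensors and time, with actions.

Added example, not prelude-correlator's Lua rules. Thresholds, sensor names,
addresses and sample events are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Iterable, List, Optional


@dataclass
class Event:
    ts: float           # seconds; constructed relative timestamps
    analyzer: str       # which sensor reported it
    classification: str
    source: str         # source address
    ident: str          # alert identifier, referenced by the correlation alert


@dataclass
class CorrelationAlert:
    name: str
    severity: str
    source: str
    alertidents: List[str]   # IDMEF CorrelationAlert lists the alerts it was built from
    ts: float


class BruteForceThenSuccess:
    """At least `threshold` authentication failures from one source within `window`
    seconds, followed by a successful login from that source, fire one alert."""

    def __init__(self, threshold: int = 5, window: float = 300):
        self.threshold, self.window = threshold, window
        self.failures: Dict[str, Deque[Event]] = defaultdict(deque)

    def _prune(self, q: Deque[Event], now: float) -> None:
        while q and now - q[0].ts > self.window:
            q.popleft()

    def feed(self, ev: Event) -> Optional[CorrelationAlert]:
        if ev.classification == "auth-failure":
            q = self.failures[ev.source]
            self._prune(q, ev.ts)
            q.append(ev)
            return None
        if ev.classification == "auth-success" and ev.source in self.failures:
            q = self.failures[ev.source]
            self._prune(q, ev.ts)
            if len(q) >= self.threshold:
                idents = [e.ident for e in q] + [ev.ident]
                q.clear()   # one alert per burst
                return CorrelationAlert("Brute force followed by successful login",
                                        "high", ev.source, idents, ev.ts)
        return None


class Correlator:
    """Feeds events in time order to every rule and dispatches fired alerts to every action."""

    def __init__(self, rules: Iterable, actions: Iterable[Callable[[CorrelationAlert], None]]):
        self.rules, self.actions = list(rules), list(actions)

    def process(self, events: Iterable[Event]) -> List[CorrelationAlert]:
        fired: List[CorrelationAlert] = []
        for ev in sorted(events, key=lambda e: e.ts):
            for rule in self.rules:
                alert = rule.feed(ev)
                if alert is not None:
                    fired.append(alert)
                    for action in self.actions:
                        action(alert)
        return fired


# Constructed sample: five failures seen by the log analyzer, then a success reported by auditd.
SAMPLE_EVENTS = [Event(10.0 * i, "lml-bastion", "auth-failure", "203.0.113.7", "lml-%d" % i)
                 for i in range(5)]
SAMPLE_EVENTS += [Event(45.0, "auditd-bastion", "auth-success", "203.0.113.7", "auditd-1"),
                  Event(46.0, "auditd-bastion", "auth-success", "198.51.100.4", "auditd-2")]


def demo():
    """Return (fired alerts, what the concentrator action received)."""
    sent_to_concentrator: List[CorrelationAlert] = []
    correlator = Correlator([BruteForceThenSuccess(threshold=5, window=300)],
                            [sent_to_concentrator.append])
    return correlator.process(SAMPLE_EVENTS), sent_to_concentrator


if __name__ == "__main__":
    fired, _ = demo()
    for a in fired:
        print(a.name, a.source, a.alertidents)
```

Carrying the contributing alert identifiers in the correlation alert is what lets an analyst walk back from the high-level finding to the raw events; the second success, from an address with no recorded failures, is correctly ignored.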
Reporting
- Prelude offers reporting based on data in the data store
- Prelude comes with reports out of the box, which can be customized
- Prelude supports different output formats: email, database, IDMEF XML, flat log file
Visualization
- General
  - Prelude supports real-time visualization of data. The Prelude web GUI provides automatic reloading of the event listing
  - The Prelude web GUI supports a number of browsers: IE, Firefox, Opera, Konqueror, Safari and WebKit-based browsers
  - Prelude comes with visualization views out of the box, which can be customized
- User Interface
  - Prelude comes with per-user permissions
  - Prelude supports strong authentication (to be completed)
  - Prelude supports integration with LDAP for authentication
- Administration
  - It is possible to administer, maintain and partially configure Prelude from the web GUI
  - Sensor monitoring and remote sensor management are available in the Prelude web GUI
Maintenance
- Upgrade/update of the central components and data repository is possible in an easy, documented way
Operational Aspects
- Agent development tool: the "Libprelude" library offers a programming interface (API) that facilitates the development of new sensors
- Advanced ticketing system integrated into the Prelude web GUI
- Countermeasures through use of installed sensors (Snort Inline, OSSEC, etc.)
- Legal enquiry tools: storage of events, Whois, Traceroute
- Services: customization, deployment, technical support, user training...