
Prelude Specifications


General Overview

  • Prelude is a universal SIM system: it collects, normalizes, sorts, aggregates, correlates and reports security-related events regardless of the brand or license of the product that generates them; Prelude is "agentless" in the sense that it depends on no vendor-specific agent

Prelude is a SIM (Security Information Management) system: it performs reporting on historical data

Prelude is a SEM (Security Event Management) system: it performs real-time monitoring

Prelude is a SIEM (Security Information and Event Management) system: it performs reporting on historical data as well as real-time monitoring

Prelude is a hybrid IDS (network and host monitoring): it monitors both network-based and host-based security systems

Prelude is a multi-sensor system: it collects data from an unlimited number of heterogeneous sensors deployed across the whole infrastructure

  • Prelude is software based

Operating systems supported by Prelude: Linux, OpenBSD, FreeBSD, NetBSD, Sun Solaris, Mac OS X, Tru64 and, more generally, most UNIX-like systems


  • Prelude is open source: it is released under the GPL
    Prelude is written in C

The Prelude web interface (Prewikka) is written in Python

The correlation engine rules are written in Lua

Architecture


  • Prelude is a distributed solution: it supports hierarchical deployments in distributed environments

Prelude permits alert collection at WAN scale, whether its scope covers a city, a country, a continent or the world

There is no limit on the number of locations Prelude can collect data from

Prelude incorporates the notion of authority. This makes it possible to configure the system so that, for example, a NOC collects all the alerts transmitted by subsidiaries located at lower authority levels

  • Prelude is a high-availability system: it ensures operational continuity (failover, support for redundant networks)
  • Prelude is able to handle more than 10,000 eps (events per second)

Data Processing

Data Collection and Normalization

  • Data Sources

Prelude is "agentless": it depends on no single brand or format and can analyze any type of log (system logs, syslog, flat files, etc.) without a vendor-specific agent

Prelude also has native support for a number of systems: Snort, Samhain, OSSEC, AuditD, Nepenthes, NuFW, Linux-PAM, SanCP, etc.


  • Normalization

Data collected by the various sensors are normalized to the Intrusion Detection Message Exchange Format (IDMEF), the data model defined in RFC 4765

Raw data are kept whenever possible (the Prelude-LML log analyzer keeps the original log line, the Snort NIDS keeps the raw packet data that triggered a rule, etc.)
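The normalization step described above, shown as an added example (this is not Prelude-LML's or libprelude's code). Two constructed log lines, an sshd failure from syslog and a Snort fast-format alert, are turned into the same IDMEF-shaped structure; the element names follow RFC 4765, the regexes, severity mapping, classification texts and the fixed year for the year-less syslog timestamp are assumptions of this example, and the original line is retained as AdditionalData, as the page says Prelude-LML does. The IPv4/IPv6 classification of addresses mentioned under Data Classification is done in address_category():

```python
import re

# The syslog timestamp carries no year; a fixed one keeps this example deterministic
# (a real collector would take it from the receive time).
ASSUMED_YEAR = 2024
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Constructed sample input: an sshd failure via syslog and a Snort "fast" alert line.
SAMPLE_LINES = [
    "Mar  3 10:15:22 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "03/03-10:15:25.000000 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)")
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+)")
SNORT_SEVERITY = {"1": "high", "2": "medium", "3": "low", "4": "info"}  # Snort priority -> IDMEF severity (assumed)

def address_category(addr):
    """Enrichment: classify an address as IPv4 or IPv6 (IDMEF Address.category)."""
    return "ipv6-addr" if ":" in addr else "ipv4-addr"

def syslog_time(ts):
    mon, day, clock = ts.split()
    return "%d-%02d-%02dT%sZ" % (ASSUMED_YEAR, MONTHS[mon], int(day), clock)

def snort_time(ts):
    date, clock = ts.split("-")
    mon, day = date.split("/")
    return "%d-%s-%sT%sZ" % (ASSUMED_YEAR, mon, day, clock.split(".")[0])

def idmef_alert(analyzer, detect_time, classification, severity, src, sport, raw,
                dst_addr=None, dst_name=None, dport=None, user=None):
    """Assemble a minimal IDMEF Alert (RFC 4765 element names) as a nested dict."""
    source = {"Node": {"Address": {"category": address_category(src), "address": src}},
              "Service": {"port": int(sport)}}
    target = {"Node": {}}
    if dst_addr:
        target["Node"]["Address"] = {"category": address_category(dst_addr), "address": dst_addr}
    if dst_name:
        target["Node"]["name"] = dst_name
    if dport:
        target["Service"] = {"port": int(dport)}
    if user:  # the account under attack belongs to the Target, not the Source
        target["User"] = {"UserId": {"name": user}}
    return {
        "Analyzer": {"name": analyzer},
        "DetectTime": detect_time,
        "Classification": {"text": classification},
        "Assessment": {"Impact": {"severity": severity}},
        "Source": [source],
        "Target": [target],
        # The raw line is retained next to the normalized fields
        "AdditionalData": [{"meaning": "Original Log", "type": "string", "data": raw}],
    }

def normalize(line):
    """Return an IDMEF alert for a recognized line, or None when no rule matches."""
    m = SSHD_RE.match(line)
    if m:
        return idmef_alert("prelude-lml", syslog_time(m["ts"]), "Remote Login Failed", "medium",
                           m["src"], m["sport"], line, dst_name=m["host"], dport=22, user=m["user"])
    m = SNORT_RE.match(line)
    if m:
        a = idmef_alert("snort", snort_time(m["ts"]), m["msg"], SNORT_SEVERITY.get(m["prio"], "low"),
                        m["src"], m["sport"], line, dst_addr=m["dst"], dport=m["dport"])
        a["Classification"]["Reference"] = [{"origin": "vendor-specific", "name": m["sid"]}]
        return a
    return None

def normalize_all(lines):
    return [a for a in map(normalize, lines) if a is not None]

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_all(SAMPLE_LINES), indent=1))
```

Once both sensors emit the same structure, a single filter such as "Source.Node.Address.address == 203.0.113.7" matches the sshd failure and the Snort scan alike, which is what makes correlation across heterogeneous sensors possible.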

Data Classification and Filtering

  • Data Classification

Data are enriched with specific information. Example: addresses are classified as either IPv4 or IPv6

  • Data filtering

Data are filtered through different types of filters: limitation, thresholding, and filters built on IDMEF fields (any IDMEF field can be used as a filter criterion)

Data can be filtered at different levels: collection, processing and visualization

Data Transport

Data transport is encrypted (SSL/TLS), authenticated (X.509 certificates) and reliable

Data transport occurs over a single defined port (4690/tcp by default), which can be changed

Caching protects against network outages: alerts are queued locally and delivered once the link is back (failover)

All alerts are transmitted as they are generated. The concentrator schedules processing of the received events according to their severity and their source agent, which is very useful in case of an event burst.

Reverse relaying allows "best practice" communication across DMZs: a concentrator can take the initiative and connect to another concentrator in order to fetch the data it holds, so that no connection has to be initiated from the DMZ towards the internal network.

Data Retention

Collected data are stored in a central place. Three database backends are supported: MySQL, PostgreSQL and SQLite (depending on the backend, data can be stored on a SAN)

Using scheduled crontab jobs, it is possible to define retention policies: how long data stay online, and for how long they are archived for later reactivation
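The online/archive retention policy above, as an added example rather than Prelude's own maintenance scripts. The table layout is a simplified one assumed for this example (not Prelude's database schema), the rows are constructed, and the cron path in the comment is hypothetical. The point worth showing is that the archive insert and the online delete run in one transaction, so a failure half way never loses rows, and that an archived alert can be brought back online for an investigation:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

ONLINE_DAYS = 90   # retention policy: alerts older than this leave the online table
FMT = "%Y-%m-%d %H:%M:%S"

# Simplified schema, assumed for this example (not Prelude's own database layout).
SCHEMA = """
CREATE TABLE alert (ident INTEGER PRIMARY KEY, detect_time TEXT NOT NULL, classification TEXT);
CREATE TABLE alert_archive (ident INTEGER PRIMARY KEY, detect_time TEXT NOT NULL,
                            classification TEXT, archived_at TEXT NOT NULL);
"""

def apply_retention(conn, now, online_days=ONLINE_DAYS):
    """Move alerts older than the policy from the online table to the archive.
    Archive and delete run in one transaction so a failure never loses rows."""
    cutoff = (now - timedelta(days=online_days)).strftime(FMT)
    with conn:
        conn.execute("INSERT INTO alert_archive (ident, detect_time, classification, archived_at) "
                     "SELECT ident, detect_time, classification, ? FROM alert WHERE detect_time < ?",
                     (now.strftime(FMT), cutoff))
        moved = conn.execute("DELETE FROM alert WHERE detect_time < ?", (cutoff,)).rowcount
    return moved

def reactivate(conn, ident):
    """Bring an archived alert back online; returns the number of rows restored."""
    with conn:
        conn.execute("INSERT INTO alert (ident, detect_time, classification) "
                     "SELECT ident, detect_time, classification FROM alert_archive WHERE ident = ?",
                     (ident,))
        return conn.execute("DELETE FROM alert_archive WHERE ident = ?", (ident,)).rowcount

def online_count(conn):
    return conn.execute("SELECT COUNT(*) FROM alert").fetchone()[0]

def archived_count(conn):
    return conn.execute("SELECT COUNT(*) FROM alert_archive").fetchone()[0]

def sample_now():
    """Fixed reference time so the constructed ages below are reproducible."""
    return datetime(2024, 3, 3, 12, 0, 0, tzinfo=timezone.utc)

def build_sample_db(now):
    """Constructed data: five alerts aged 1, 30, 91, 200 and 400 days (idents 1..5)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO alert VALUES (?, ?, ?)",
                         [(i + 1, (now - timedelta(days=age)).strftime(FMT), "Remote Login Failed")
                          for i, age in enumerate([1, 30, 91, 200, 400])])
    return conn

if __name__ == "__main__":
    # Run nightly from cron, e.g.:  30 2 * * * /usr/local/bin/prelude-retention.py  (hypothetical path)
    now = datetime.now(timezone.utc)
    conn = build_sample_db(now)
    print("archived:", apply_retention(conn, now), "still online:", online_count(conn))
```

With a MySQL or PostgreSQL backend the same two statements apply against the real alert tables; what matters for the policy is that the job is idempotent (a second run moves nothing) and that the archive is queryable for reactivation.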

Monitoring

  • Prioritization

Collected events are prioritized according to several factors: the severity of the event and the agent sending the information

The prioritization process is customizable

  • Asset Model

Prelude supports asset modelling
Assets defined through the interface hold values that can be matched against any IDMEF field. Example: an asset named DMZ with the value IP1 || IP2 || IP3 || IP4 (this DMZ asset can then be used as a filter)

Correlation

  • Rule based correlation

Prelude supports rule-based correlation in real time. It ships with correlation rules out of the box, which can be customized

Correlation rules are fully customizable
Prelude permits creating alerts based on: one or several similar events; events from different data sources; events coming into Prelude over a longer time frame

It is possible to include into the correlation: information about session history and geographical information

Prelude offers data discovery functionality based on historical data
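The filtering (limitation, thresholding, IDMEF-field filters), the DMZ asset used as a filter, severity-and-agent prioritization and a window-based correlation rule, all in one added example over a constructed alert stream. None of this is Prelude's own filter, Prewikka or correlator code, and the rule is written in Python here while the page says the engine's rules are in Lua: the point is the logic, not the syntax. The IDMEF path strings, the asset addresses, the agent weights and the brute-force thresholds are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# IDMEF fields addressed by path (path notation assumed for this example).
TS, SRC = "alert.detect_time", "alert.source(0).node.address(0).address"
DST, CLS = "alert.target(0).node.address(0).address", "alert.classification.text"
SEV, AGENT, ID = "alert.assessment.impact.severity", "alert.analyzer(0).name", "alert.messageid"

# Asset model: DMZ = IP1 || IP2 || IP3 || IP4, as on the page (addresses constructed).
ASSETS = {"DMZ": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}}

SEVERITY_WEIGHT = {"info": 1, "low": 2, "medium": 3, "high": 4}
AGENT_WEIGHT = {"snort": 1.0, "prelude-lml": 1.0, "ossec": 1.5}   # constructed prioritization factors

def priority(a):
    """Prioritization: severity of the event weighted by the agent that sent it."""
    return SEVERITY_WEIGHT[a[SEV]] * AGENT_WEIGHT.get(a[AGENT], 1.0)

def field_is(path, *values):            # filter on any IDMEF field
    return lambda a: a.get(path) in values

def in_asset(path, name):               # asset-based filter
    return lambda a: a.get(path) in ASSETS[name]

def at_least(minimum):                  # limitation: drop everything below a severity
    return lambda a: SEVERITY_WEIGHT[a[SEV]] >= SEVERITY_WEIGHT[minimum]

class Threshold:
    """Thresholding: pass at most `count` alerts per key within `window` seconds."""
    def __init__(self, key, count, window):
        self.key, self.count, self.window = key, count, timedelta(seconds=window)
        self.seen = defaultdict(deque)
    def __call__(self, a):
        q = self.seen[self.key(a)]
        while q and a[TS] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.count:
            return False
        q.append(a[TS])
        return True

class BruteForceRule:
    """Rule-based correlation over a time window: `count` login failures from one
    source within `window` seconds become one high-severity CorrelationAlert."""
    def __init__(self, count=5, window=120):
        self.count, self.window = count, timedelta(seconds=window)
        self.state = defaultdict(deque)
    def __call__(self, a):
        if a[CLS] != "Remote Login Failed":
            return None
        q = self.state[a[SRC]]
        q.append(a)
        while q and a[TS] - q[0][TS] > self.window:
            q.popleft()
        if len(q) < self.count:
            return None
        ca = {"correlationalert.name": "Brute force attack",
              "correlationalert.source": a[SRC],
              "correlationalert.targets": sorted({x[DST] for x in q}),
              "correlationalert.alertident": [x[ID] for x in q],   # links back to the raw alerts
              "alert.assessment.impact.severity": "high"}
        q.clear()                       # the correlated events are consumed
        return ca

def run(stream, filters, rules):
    """Apply the filters in order (collection level), feed survivors to the rules."""
    kept, correlated = [], []
    for a in sorted(stream, key=lambda a: a[TS]):
        if all(f(a) for f in filters):
            kept.append(a)
            for r in rules:
                ca = r(a)
                if ca:
                    correlated.append(ca)
    return kept, correlated

# Constructed stream: six login failures against a DMZ host from one source, one
# failure against a non-DMZ host, and seven identical Snort scan alerts.
T0 = datetime(2024, 3, 3, 10, 15, 0, tzinfo=timezone.utc)
def alert(ident, secs, src, dst, cls, sev, agent):
    return {ID: ident, TS: T0 + timedelta(seconds=secs), SRC: src, DST: dst, CLS: cls, SEV: sev, AGENT: agent}

STREAM = [alert(i, i * 10, "203.0.113.7", "192.0.2.10", "Remote Login Failed", "medium", "prelude-lml")
          for i in range(6)]
STREAM.append(alert(6, 5, "198.51.100.4", "192.0.2.99", "Remote Login Failed", "medium", "prelude-lml"))
STREAM += [alert(10 + i, 3 + i * 5, "203.0.113.7", "192.0.2.10", "ET SCAN Potential SSH Scan", "low", "snort")
           for i in range(7)]

FILTERS = [in_asset(DST, "DMZ"), at_least("low"),
           Threshold(key=lambda a: (a[SRC], a[CLS]), count=5, window=60)]

def demo():
    return run(STREAM, FILTERS, [BruteForceRule(count=5, window=120)])

if __name__ == "__main__":
    kept, correlated = demo()
    for a in sorted(kept, key=priority, reverse=True):
        print(a[ID], a[AGENT], a[CLS], priority(a))
    print(correlated)
```

Running it, the non-DMZ failure is dropped by the asset filter, the sixth sshd failure and the last two scan alerts are dropped by the threshold, and the fifth failure from 203.0.113.7 triggers a single correlation alert that references the five underlying alert idents; the rule's state is cleared so the same events are not reported twice.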

  • Statistical correlation

Prelude supports statistical correlation in real time

Statistical correlation is fully customizable

  • Actions

Prelude is able to send out alerts based on the result of correlation. Correlation Alerts are sent to the concentrator

Any notification scheme supported by the concentrator can be used. Example: email, database, IDMEF XML output, flat log file, etc.

Prelude is able to call external applications/scripts based on the result of a correlation

Reporting

Prelude offers reporting based on data in the data store

Prelude comes with reports out of the box, which can be customized

Prelude supports different output formats: email, database, IDMEF XML, flat log file

Visualization

  • General

Prelude supports real-time visualization of data. The Prelude web GUI provides automatic reloading of the event listing

The Prelude web GUI supports a number of browsers: IE, Firefox, Opera, Konqueror, Safari and other WebKit-based browsers

Prelude comes with visualization views out of the box, which can be customized

  • User Interface

Prelude comes with per-user permissions

Prelude supports strong authentication

Prelude supports LDAP integration for authentication

  • Administration

It is possible to administer, maintain and partially configure Prelude from the web GUI

Sensor monitoring and remote sensor management are available in the Prelude web GUI

Maintenance

Upgrading the central components and the data repository is possible by following a documented procedure

Operational Aspects

  • Agent development tool: the libprelude library offers a programming interface (API) that facilitates the development of new sensors
  • Advanced ticketing system integrated into the Prelude web GUI
  • Countermeasures through the installed sensors (Snort Inline, OSSEC, etc.)
  • Legal inquiry tools: storage of events, whois, traceroute
  • Services: customization, deployment, technical support, user training...