Prelude SIEM (Intrusion Detection System)
|Original author(s)||Yoann Vandoorselaere|
|Developer(s)||CS Group C-S|
1.1 / September 24, 2013
|Written in||C, python|
|Operating system||Linux, BSD, Windows|
|License||Proprietary software and GPLv2|
While a malicious user (or software) may be able to evade the detection of a single IDS (NIDS, HIDS, etc.), it becomes exponentially more difficult to get around the defenses when there are multiple protection mechanisms. Prelude comes with a large set of sensors, each of them monitoring different kind of events. Prelude permits alert collection to WAN scale, whether its scope covers a city, a country, a continent or the world.
Prelude claims that it is a SIEM system capable of inter-operating with all the systems available on the market. It is natively compatible with: AuditD, Nepenthes, NuFW, OSSEC, Pam, Samhain, Sancp, Snort, and Suricata but anyone can write its own sensors or use some of the 3rd party sensors available, given Prelude's open APIs and libraries.
Prelude-SIEM compound is a hybrid of two different heterogeneous detectors types :
- a LML enabling the treatment of any type of log file as syslogs or stream
- native compatibility with leading NIDS sensors and open-source HIDS available on the market (e.g. Snort, Suricata, Samhain, etc.) and other types of probes
- 1998 : Creation of an IDS project by Yoann Vandoorselaere
- 2002 : Prelude becomes an Hybrid IDS
- 2005 : Creation of the company Prelude-Technologies
- 2009 : The INL Society acquires Prelude-Technologies
- 2009 : INL become Edenwall Technologies
- 18/08/2011 : Edenwall Technologies is declared for suspended payments, Prelude-IDS software, the company and the brand are on sale.
- 13/10/2011 : CS (Communication & Systems) buy Prelude-IDS
- 23/01/2012 : Opening of the websites : www.prelude-ids.org and www.prelude-ids.com (Now www.prelude-siem.com)
- 06/2012 : Release of the new version Prelude OSS 1.1
- 10/2012 : Release of the new version Prelude Entreprise 1.1
Prelude collects, normalizes, sorts, aggregates, correlates and displays all security events regardless of the types of surveillance equipment. Beyond its capacity for processing of all types of event logs (system logs, syslog, flat files, etc.), Prelude is natively compatible with many anti-intrusion sensors.
Prelude main characteristics are the following:
- Built on an open-source core
- "Agent-less" operation
- Compliant with HTTP, XML, IDMEF standards
- Modular, flexible and resilient
- Hierarchical and decentralized architecture
- Web 2.0 interfaces for operations.
Prelude has been designed in a scalable way to simply adapt to any environment.
The open-source version is composed of the following main modules:
- The manager, which receives and stores alerts into the database
- LibPreludeDB, high speed database insertion module
- Correlator, event correlation module
- LML, Log Monitoring Lackey module
- Prewikka, the web Graphical User Interface (GUI)
Prelude is available in three versions:
- Prelude OSS: free, public and open-source version (GPLV2) for small IT Infrastructures, tests and educational purposes
- Prelude SIEM: scalable, professionally usable and high performance version of Prelude, for real-world environments
- Prelude SOC: fully scaled version, mainly for SOC (Security Operations Center)usage