[Snort-users] Snort & Prelude

Krzysztof Zaraska kzaraska at ...5991...
Sun Jun 2 06:48:01 EDT 2002


On 31 May 2002 16:32:45 +0200
counter.spy at ...348... wrote:

> Hi folks,
> on focus-ids at ...35... a special mail caught my eye, 
> regarding the prelude IDS.
>
> Has anybody already implemented a multi-tiered, distributed IDS
> infrastructure combining snort and prelude? 

I am not aware of any working implementation of such a system; however, this
is technically possible. Some time ago I was experimenting with combining
Snort and Prelude and achieved some success.

Basically, the concept is to write a logging module for Snort which
communicates with Prelude, sending it alerts in its format. Once the alert
is injected into Prelude's messaging system, it will be processed like
alerts generated natively by Prelude, so no further modifications are
necessary.

Unfortunately due to the lack of free time I was unable to fully implement
all needed features, but the code I currently have can be viewed as a
proof-of-concept. Please mail me privately if you want more information. 

Regards,
Krzysztof

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//		-- Stanislaw Lem
