Snort mailing list archives

Re: Snort & Prelude


From: Krzysztof Zaraska <kzaraska () student uci agh edu pl>
Date: Sun, 2 Jun 2002 15:44:20 +0200

On 31 May 2002 16:32:45 +0200
counter.spy () gmx de wrote:

> Hi folks,
> on focus-ids () securityfocus com a special mail caught my eye,
> regarding the Prelude IDS.
>
> Has anybody already implemented a multi-tiered, distributed IDS
> infrastructure combining snort and prelude?

I am not aware of any working implementation of such a system, however this
is technically possible. Some time ago I was experimenting with combining
Snort and Prelude and achieved some success.

Basically the concept is to write a logging module for Snort which
communicates with Prelude sending it alerts in its format. Once the alert
is injected into Prelude's messaging system it will be processed like
alerts generated natively by Prelude, so no further modifications are
necessary. 

Unfortunately due to the lack of free time I was unable to fully implement
all needed features, but the code I currently have can be viewed as a
proof-of-concept. Please mail me privately if you want more information. 

Regards,
Krzysztof

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//              -- Stanislaw Lem
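The translation step the reply describes, a Snort alert re-expressed in the format Prelude consumes, as an added illustration that is not Krzysztof's proof-of-concept plugin and not part of the original mail. It assumes Prelude's alert format is IDMEF (the XML alert model Prelude is built around), parses Snort's single-line "fast" alert format, and emits a simplified IDMEF-Message; a real Snort output plugin would be written in C against Snort's and Prelude's own libraries, and the sensor name and sample alert lines here are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Snort "fast" alert line (constructed sample, not a real capture)
SAMPLE_ALERT = ("01/05-19:32:01.024731  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] "
                "[Classification: Web Application Attack] [Priority: 1] {TCP} "
                "192.168.1.10:2345 -> 10.0.0.5:80")

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

# Snort priority 1 is the most urgent; IDMEF Impact/@severity allows info|low|medium|high
PRIORITY_TO_SEVERITY = {"1": "high", "2": "medium", "3": "low"}

def parse_fast_alert(line):
    """Split one fast-format alert into its fields; reject anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    return m.groupdict()

def _endpoint(parent, tag, addr, port):
    """Emit an IDMEF Source or Target with Node/Address and an optional Service/port."""
    ep = ET.SubElement(parent, tag)
    address = ET.SubElement(ET.SubElement(ep, "Node"), "Address", category="ipv4-addr")
    ET.SubElement(address, "address").text = addr
    if port:  # ICMP alerts carry no port, so no Service element
        ET.SubElement(ET.SubElement(ep, "Service"), "port").text = port

def to_idmef(alert, analyzer_id="snort-sensor-1"):
    """Build a simplified IDMEF-Message for one parsed alert (analyzer_id is a made-up name)."""
    root = ET.Element("IDMEF-Message", version="1.0")
    msg = ET.SubElement(root, "Alert", messageid="%s-%s" % (alert["sid"], alert["ts"]))
    ET.SubElement(msg, "Analyzer", analyzerid=analyzer_id, model="Snort")
    ET.SubElement(msg, "CreateTime").text = alert["ts"]  # Snort's MM/DD-hh:mm:ss stamp, no year
    _endpoint(msg, "Source", alert["src"], alert["sport"])
    _endpoint(msg, "Target", alert["dst"], alert["dport"])
    # Snort's gid:sid:rev identifies the rule; keep it as the classification ident
    ET.SubElement(msg, "Classification",
                  ident="%s:%s:%s" % (alert["gid"], alert["sid"], alert["rev"]), text=alert["msg"])
    impact = ET.SubElement(ET.SubElement(msg, "Assessment"), "Impact",
                           severity=PRIORITY_TO_SEVERITY.get(alert["prio"], "info"))
    if alert["cls"]:
        impact.text = alert["cls"]  # Snort classtype becomes the free-text impact description
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(to_idmef(parse_fast_alert(SAMPLE_ALERT)))
```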
