Another mailing list problem ?...
Hi folks,

I just released Prelude 0.3, which is available for download at:
http://perso.mandrakesoft.com/~yoann/projects/prelude/download/prelude-0.3.tar.gz

Prelude is a Network Intrusion Detection system. It is composed of the Prelude and Prelude Report programs. The first is for packet capture and data analysis, the second for reporting attacks in a user-readable form. Other important and current features of Prelude are an IP defragmentation stack and detection plugins with persistent state. See below for more details.

Credits for this release:
- Jeremie Brebec <[EMAIL PROTECTED]>
- Mathieu Toussaint <[EMAIL PROTECTED]>
- Laurent Oudot <[EMAIL PROTECTED]>, for adding OpenSSL support to Prelude / Prelude Report.
- Odile Darmet <[EMAIL PROTECTED]>, for helping me with HTML output (htmlmod), and for being patient with me while I was doing computing late at night. :)

Future Prelude releases will include a signature engine which is able to read the Snort ruleset (currently in development but not mature enough to make it into this release), which is developed by Jeremie Brebec <[EMAIL PROTECTED]>. This engine is way faster than the Snort one for matching packets: we do about 20 tests compared to 200 - 250 with Snort in order to discard the same packet. (It would be very hard to write this using O notation because of the design difference between the Prelude and Snort signature engines.)

The engine also behaves differently when a signature is matched:
- Snort: Doesn't try to match other signatures.
- Prelude: Tries all signatures (this is optimised as signatures are sorted in a binary tree).

We believe that the way Prelude behaves is more reliable, as it prevents an attacker from hiding a serious attack just by making the packet match a signature located before it which isn't harmful.

*** The following features have been integrated (note that I probably forgot some) ***

* On demand SSL authentication / encryption between Prelude client and the Report Server.
* HTML reporting plugin.
* Prelude Report Server optimisation: try not to duplicate operations between report plugins.
* Prelude Report now uses getopt_long.
* Prelude Backup interface was completely reworked, and now works.
* Use sendfile under Linux, after recovering the connection, to send the report.
* Possibility to keep the private Prelude / Prelude Report key unencrypted, to avoid entering a password each time you start one of them (especially bothersome when they are automatically started at boot).
* Negotiation between client and server for usage of:
  - XDR.
  - SSL.
* Prelude can now compile without SSL/XDR.
* Prelude *should* now compile on BSD / Solaris.
* Redesigned the Plugin Option interface.
* All plugins now at least have an enable / disable option and can be configured through the config file.
* Use writev() when possible when writing data to Prelude Report; this avoids multiple write() calls.
* Use poll() instead of select() in several places, to avoid the set management overhead.

*** Bugfix ***

* Set SO_REUSEADDR option on inet socket (avoids the "address already in use" error).
* Prelude Report now tests if the UNIX socket exists and *is* connected to know if it should start a new server or simply exit. (This was preventing Prelude Report from starting after it got killed.)
* IP defragmentation stack wasn't working in the stock 0.2 release.
* A possible configuration engine segfault.
* Asynchronous thread should *not* call the EPIPE handler itself. This was making connection recovery impossible.
* Bug that prevented detecting the interface layer to use. (Couldn't work for anything other than EN10MB.)
* And a lot of other bugfixes.

--
Yoann Vandoorselaere | Repartee is something we think of twenty-four hours too
MandrakeSoft         | late. -- Mark Twain
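The announcement's argument about matching policy (stop at the first matching signature versus evaluate all of them) is easy to see with a small model. The following is an added example, not Prelude's or Snort's code: the `Signature`, ruleset, severities and the packet are all constructed for the demonstration, and the port-indexed lookup in `match_all_indexed` stands in for the binary-tree ordering the post mentions without claiming to be Prelude's data structure.

```python
"""Added example (not Prelude's code): first-match vs all-match signature
evaluation, and why the latter is harder to evade.

The ruleset, severities, rule ids and the packet below are constructed for
the demo; they are not real Snort or Prelude signatures.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Signature:
    sid: int        # rule id (constructed)
    order: int      # position in the ruleset; lower is evaluated first
    severity: int   # constructed scale: 1 = informational ... 3 = critical
    dst_port: int
    content: bytes  # byte pattern that must appear in the payload

    def matches(self, pkt: dict) -> bool:
        return pkt["dst_port"] == self.dst_port and self.content in pkt["payload"]


# Constructed ruleset: a harmless "policy" rule sits *before* a critical one.
RULESET: List[Signature] = [
    Signature(sid=1000, order=0, severity=1, dst_port=80, content=b"User-Agent: curl"),
    Signature(sid=2000, order=1, severity=3, dst_port=80, content=b"CRITICAL-PATTERN"),
]


def match_first(sigs: List[Signature], pkt: dict) -> List[Signature]:
    """Policy the post attributes to Snort: report only the first hit."""
    for s in sorted(sigs, key=lambda s: s.order):
        if s.matches(pkt):
            return [s]
    return []


def match_all(sigs: List[Signature], pkt: dict) -> List[Signature]:
    """Policy the post attributes to Prelude: report every hit."""
    return [s for s in sorted(sigs, key=lambda s: s.order) if s.matches(pkt)]


def build_index(sigs: List[Signature]) -> Dict[int, List[Signature]]:
    """Group signatures by destination port so a packet is only tested
    against candidates that can match it (a stand-in for the sorted-tree
    optimisation; assumption, not Prelude's actual structure)."""
    index: Dict[int, List[Signature]] = {}
    for s in sorted(sigs, key=lambda s: s.order):
        index.setdefault(s.dst_port, []).append(s)
    return index


def match_all_indexed(index: Dict[int, List[Signature]], pkt: dict) -> List[Signature]:
    return [s for s in index.get(pkt["dst_port"], []) if s.matches(pkt)]


def highest_severity(hits: List[Signature]) -> int:
    """What an operator would see as the alert's severity; 0 = no alert."""
    return max((s.severity for s in hits), default=0)


# Constructed packet that trips both the harmless rule and the critical one.
EVASIVE_PKT = {
    "dst_port": 80,
    "payload": b"GET / HTTP/1.0\r\nUser-Agent: curl\r\nX: CRITICAL-PATTERN\r\n\r\n",
}
# A packet on a port with no candidate signatures: zero tests needed.
OTHER_PORT_PKT = {"dst_port": 25, "payload": b"CRITICAL-PATTERN"}


if __name__ == "__main__":
    for name, hits in (("first-match", match_first(RULESET, EVASIVE_PKT)),
                       ("all-match", match_all(RULESET, EVASIVE_PKT))):
        print(name, [s.sid for s in hits], "severity", highest_severity(hits))
```

With the first-match policy the operator sees only sid 1000 at severity 1, so the critical hit is never reported; the all-match policy reports both and the alert carries severity 3. The index shows the other half of the trade-off: evaluating every signature is only affordable if the candidate set per packet is kept small.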
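The bugfix about testing whether the UNIX socket exists *and* is connected is a common daemon pitfall: after a kill, the socket file survives with nobody listening, and a naive "file exists, so a server is running" check makes the restart exit. Below is an added example, not Prelude Report's code, of the distinction between absent, stale and live socket paths; the file name and the `demo()` harness are constructed for the illustration.

```python
"""Added example (not Prelude's code): is a UNIX-domain socket path a live
server or a stale leftover from a process that was killed?

The socket file name and the demo harness are constructed for this example.
"""
import errno
import os
import socket
import tempfile


def socket_state(path: str) -> str:
    """Return 'absent', 'stale' or 'live' for a UNIX stream socket path.

    Existence of the file alone proves nothing: a server that was killed
    leaves the file behind. Only a successful connect() proves a listener.
    """
    if not os.path.exists(path):
        return "absent"
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        probe.connect(path)
    except ConnectionRefusedError:
        return "stale"          # file exists, but nobody is listening
    except OSError as exc:
        if exc.errno == errno.ENOENT:
            return "absent"     # removed between exists() and connect()
        raise
    else:
        return "live"
    finally:
        probe.close()


def should_start_server(path: str) -> bool:
    """Start only if no live server answers; unlink a stale file first so
    the subsequent bind() does not fail with EADDRINUSE."""
    state = socket_state(path)
    if state == "live":
        return False
    if state == "stale":
        os.unlink(path)
    return True


def demo() -> dict:
    """Exercise all three states in a temporary directory (constructed)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "report.sock")
    results = {"absent": socket_state(path)}

    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)
    results["live"] = socket_state(path)
    results["start_while_live"] = should_start_server(path)

    server.close()              # simulate the daemon being killed: file stays
    results["stale"] = socket_state(path)
    results["start_after_kill"] = should_start_server(path)
    results["file_removed"] = not os.path.exists(path)

    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check-then-unlink sequence still has a small window in which two starting instances could both decide the file is stale; a daemon that may be started concurrently should serialise that step with a lock file or rely on bind() failing with EADDRINUSE as the final arbiter.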