Prelude - http://www.prelude-ids.org
by Yoann Vandoorselaere

Prelude is a general-purpose hybrid intrusion detection system, written
entirely from scratch, in C.

Prelude is divided into several parts:

* The NIDS sensor, Prelude, responsible for packet capture and analysis:
  - The signature engine, designed to be completely generic and extensible.
    It is currently able to read Snort rulesets; by simply adding a parser,
    it should be possible to load rulesets from any NIDS.
  - A series of intrusion detection plugins, each dedicated to a particular
    kind of attack, started by Prelude.
  - A series of protocol plugins, each dedicated to decoding one high-level
    protocol.

* The report server, which Prelude contacts in order to report an intrusion,
  and which generates user-readable reports using plugins:
  - A series of reporting plugins, each dedicated to producing a
    user-readable report (html, syslog, xml, ...).

The interesting part is the plugins: you can write your own, dedicated to a
particular intrusion you know how to detect, and share it with others. For
example, bundled with the source is a plugin to detect SYN flooding attacks.
There are more, and you can write more.

Moreover, plugins are only called when necessary. For example, Prelude won't
call the aforementioned plugin when it receives a TCP packet that does not
have the SYN flag set, nor will it call it when it receives an ICMP packet.

Prelude does take care of IP fragmentation. It works as follows: when Prelude
receives a fragmented packet, it adds it to the defragmentation stack. It
stores subsequent fragments of the same packet in the stack until it receives
the last one. The original packet is then reassembled and passed on to the
intrusion detection plugins. Note that all packets, in their fragmented state
*and* in their defragmented state, are analyzed for security problems. This
allows for detection of IP fragmentation attacks (overlapping or inconsistent
fragments, for example), which would be invisible if only the reassembled
packet were inspected.

Prelude also decodes TCP/IP options.
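The following is an added illustration of the two mechanisms described above
(fragment reassembly with inspection of both states, and calling a plugin only
for the packets it cares about). It is not Prelude's own code: `reasm_add`,
`syn_plugin_wanted`, `mk_ip` and the `struct reasm` layout are assumptions made
for this example, the reassembler handles one datagram at a time, skips
checksums, and all packets it is fed are constructed in `main`.

```c
/* Added illustration, not Prelude source. Assumptions: one datagram in flight
 * per context, no checksum handling, payloads of at most REASM_MAX bytes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REASM_MAX 1500

struct reasm {
    int active;               /* 1 once the first fragment of an id has arrived */
    uint16_t id;              /* IP identification field being reassembled */
    int total_len;            /* payload length, -1 until the last fragment is seen */
    size_t high;              /* end offset of the highest fragment received so far */
    int overlap;              /* 1 if a fragment covered bytes already received */
    uint8_t data[REASM_MAX];
    uint8_t seen[REASM_MAX];  /* per-byte coverage map */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Feed one raw IPv4 packet. Returns 1 when the datagram is complete, 0 when more
 * fragments are needed, -1 on a malformed, inconsistent or oversized fragment
 * (the caller should then drop the context rather than keep using it). */
int reasm_add(struct reasm *r, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len) return -1;
    uint16_t id = rd16(pkt + 4), fo = rd16(pkt + 6);
    int mf = (fo >> 13) & 1;                        /* More Fragments flag */
    size_t off = (size_t)(fo & 0x1fff) * 8, plen = tot - ihl, end = off + plen;

    if (!r->active) {                               /* first fragment of this id */
        memset(r, 0, sizeof *r);
        r->active = 1; r->id = id; r->total_len = -1;
    } else if (r->id != id) {
        return -1;                                  /* toy: one datagram at a time */
    }
    if (end > REASM_MAX) return -1;                 /* never let ip_off index past the buffer */
    if (r->total_len >= 0 && end > (size_t)r->total_len) return -1; /* data beyond the last fragment */
    if (end > r->high) r->high = end;
    if (!mf) {                                      /* the last fragment fixes the datagram length */
        if (r->high > end || (r->total_len >= 0 && (size_t)r->total_len != end)) return -1;
        r->total_len = (int)end;
    }
    for (size_t i = 0; i < plen; i++) {
        if (r->seen[off + i]) r->overlap = 1;       /* overlap: Teardrop / evasion indicator */
        else { r->data[off + i] = pkt[ihl + i]; r->seen[off + i] = 1; } /* first copy wins */
    }
    if (r->total_len < 0) return 0;
    for (size_t i = 0; i < (size_t)r->total_len; i++) if (!r->seen[i]) return 0;
    return 1;
}

/* Dispatch filter: a SYN-flood plugin is only called for TCP segments with SYN set
 * and ACK clear. ICMP, UDP, non-SYN TCP, and fragments that do not carry the TCP
 * flags byte never reach it. Expects an unfragmented or reassembled packet. */
int syn_plugin_wanted(const uint8_t *pkt, size_t len)
{
    if (len < 20) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (pkt[9] != 6 || len < ihl + 14) return 0;    /* not TCP, or flags byte absent */
    uint8_t flags = pkt[ihl + 13];
    return (flags & 0x02) && !(flags & 0x10);
}

/* Build a minimal IPv4 packet around a payload (no checksum; constructed input). */
size_t mk_ip(uint8_t *out, uint16_t id, size_t off, int mf, uint8_t proto,
             const uint8_t *payload, size_t plen)
{
    uint16_t tot = (uint16_t)(20 + plen), fo = (uint16_t)((mf ? 0x2000 : 0) | (off / 8));
    memset(out, 0, 20);
    out[0] = 0x45; out[2] = (uint8_t)(tot >> 8); out[3] = (uint8_t)tot;
    out[4] = (uint8_t)(id >> 8); out[5] = (uint8_t)id;
    out[6] = (uint8_t)(fo >> 8); out[7] = (uint8_t)fo;
    out[8] = 64; out[9] = proto;
    memcpy(out + 20, payload, plen);
    return tot;
}

int main(void)
{
    /* Constructed sample: a TCP SYN (20-byte header + 4 bytes data) split into three
     * 8-byte fragments; the flags byte (payload offset 13) lands in the second one. */
    uint8_t tcp[24] = {0}, f[3][64], whole[64];
    struct reasm r = {0};
    tcp[12] = 0x50; tcp[13] = 0x02;                 /* data offset 5, flags = SYN */
    for (int i = 0; i < 3; i++) {
        size_t n = mk_ip(f[i], 0x1234, 8u * i, i < 2, 6, tcp + 8 * i, 8);
        int st = reasm_add(&r, f[i], n);
        printf("fragment %d: reasm=%d syn_check=%d\n", i, st, syn_plugin_wanted(f[i], n));
    }
    size_t n = mk_ip(whole, 0x1234, 0, 0, 6, r.data, (size_t)r.total_len);
    printf("reassembled %d bytes, overlap=%d, syn_check=%d\n",
           r.total_len, r.overlap, syn_plugin_wanted(whole, n));
    return 0;
}
```

Run stand-alone, the three fragments each come back as "not wanted" by the SYN
check (the flags byte is split away from the first fragment), while the
reassembled packet is; this is why the sensor has to inspect both states. The
coverage map is what makes overlapping fragments visible, and the bounds checks
on `ip_off` are the part an IDS must never skip, since the attacker controls that
field.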
- COPYRIGHT

Copyright (C) 1998-2001 Yoann Vandoorselaere
All Rights Reserved

This file is part of the Prelude program.

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program; see the file COPYING. If not, write to the Free Software
Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.

- CREDITS

Some code from the packet handling portion of Prelude was taken from Tcpdump.
See the CREDITS file for a list of persons working on the Prelude Project.

- PORTABILITY

* Linux (ppc, sparc32, alpha, x86).
* Should compile on Solaris and FreeBSD.