Prelude - http://www.prelude-ids.org
by Yoann Vandoorselaere <yoann@prelude-ids.org>

Prelude is a general-purpose hybrid intrusion detection system, 
written entirely from scratch, in C. Prelude is divided into several parts: 

* The NIDS sensor, Prelude, 
  responsible for packet capture and analysis,

	- The signature engine,
	  designed to be completely generic and extensible; it is currently
	  able to read Snort rulesets. By simply adding a parser, it should 
	  be able to load rulesets from any NIDS.

	- a series of intrusion detection plugins, 
	  each dedicated to a particular kind of attack detected by Prelude, 

	- a series of protocol plugins,
	  each dedicated to decoding one high-level protocol.

* The report server, 
  a server which Prelude contacts in order to report an intrusion,
  which generates user readable reports using plugins. 

	- a series of reporting plugins,
	  each dedicated to producing user-readable reports (html, syslog, xml, ...)


The interesting part is the plugins: you can write your own, dedicated to a 
particular kind of intrusion that you know of, and share it with others. 
For example, bundled with the source is a plugin to detect SYN flooding 
attacks. There are more, and you can write more. Moreover, plugins are 
only called when necessary. For example, Prelude won't call the 
aforementioned plugin when it receives a TCP packet which hasn't got the 
SYN flag set, nor will it call it if it receives an ICMP packet. 

Prelude does take care of IP fragmentation. It works as follows: 
when Prelude receives a fragmented packet, it will add it to the 
defragmentation stack. It stores subsequent fragments of the same 
packet in the stack until it receives the last one. The original 
packet is then reassembled and passed on to the intrusion 
detection plugins. 

Note that all packets, in both their fragmented *and* their 
defragmented state, are analyzed for security problems. This 
allows detection of IP fragmentation attacks, for example. 
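
The sketch below illustrates the behaviour described above: each fragment
is checked when it arrives, then stored until the datagram is complete. It is
an added example, not code from Prelude; every name in it (frag_entry,
frag_add, MAX_PKT) is hypothetical, and keeping the first copy of overlapping
bytes is a choice made for this sketch.

```c
#include <stdint.h>

#define MAX_PKT 2048            /* constructed limit for this sketch */
enum { FRAG_BAD = -1, FRAG_PENDING = 0, FRAG_COMPLETE = 1 };

/* One in-progress datagram. A real stack keeps many of these, keyed by
 * (source, destination, protocol, IP id). All names are hypothetical. */
struct frag_entry {
    uint8_t  data[MAX_PKT];
    uint8_t  seen[MAX_PKT];     /* 1 = byte already received */
    uint32_t total;             /* datagram length, set by the MF=0 fragment */
    uint32_t max_end;           /* highest byte offset covered so far */
    uint32_t have;              /* count of distinct bytes received */
    int      overlap;           /* a fragment covered already-seen bytes */
};

/* Add one fragment. off is the byte offset (header field * 8), more is the
 * MF flag. Each fragment is validated on arrival, before any reassembly. */
int frag_add(struct frag_entry *e, uint32_t off, const uint8_t *p,
             uint32_t len, int more)
{
    uint32_t i, end;

    if (len == 0 || off > MAX_PKT || len > MAX_PKT - off)
        return FRAG_BAD;                    /* would overrun the buffer */
    if (more && (len % 8) != 0)
        return FRAG_BAD;                    /* only the last may be unaligned */
    end = off + len;
    if (e->total && end > e->total)
        return FRAG_BAD;                    /* data past the declared end */
    if (!more) {
        if ((e->total && e->total != end) || end < e->max_end)
            return FRAG_BAD;                /* conflicting datagram length */
        e->total = end;
    }
    for (i = 0; i < len; i++) {
        if (e->seen[off + i]) {
            e->overlap = 1;                 /* keep first copy, flag the packet */
            continue;
        }
        e->seen[off + i] = 1;
        e->data[off + i] = p[i];
        e->have++;
    }
    if (end > e->max_end)
        e->max_end = end;
    return (e->total && e->have == e->total) ? FRAG_COMPLETE : FRAG_PENDING;
}
```

A caller would pass the reassembled buffer to the detection plugins on
FRAG_COMPLETE, and raise an alert on FRAG_BAD or when overlap is set.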

Prelude also decodes TCP/IP options.



- LICENSE ADDITION

In addition, as a special exception, the copyright holder gives permission 
to link the code of this program with any version of the OpenSSL library which 
is distributed under a license identical to that listed in the included 
COPYING.OpenSSL file, and distribute linked combinations including the two. 
You must obey the GNU General Public License in all respects for all of the
code used other than OpenSSL. If you modify this file, you may extend this 
exception to your version of the file, but you are not obligated to do so. 
If you do not wish to do so, delete this exception statement from your version.



- COPYRIGHT 

Copyright (C) 1998-2003 Yoann Vandoorselaere <yoann@prelude-ids.org>
All Rights Reserved

This file is part of the Prelude program.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by 
the Free Software Foundation; either version 2, or (at your option)
any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; see the file COPYING.  If not, write to
the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.




- CREDITS

Some code from the packet handling portion 
of Prelude was taken from Tcpdump.

See the CREDITS file for a list of persons working on the Prelude Project.



- PORTABILITY

 * Linux (ppc, sparc32, alpha, x86).
 * FreeBSD (4.x-STABLE and 5.0-CURRENT on x86) port is actively maintained.
 * Should compile on Solaris.

