- Make SSH rules IPv6 compliants, allowing to merge old
IPv6 only rules with IPv4 rules. Some additional minor
bug fixes (fix#232).
- Fix incorrect target user assignment, as well as incorrect
PCRE reference in assessment.impact.description
(Paul Robert Marino <prmarino1@gmail.com>) (fix#232).
- CISCO router acl lists can now use names instead of numbers. This made
rule id=500 in cisco-router.rules fail to alert on packet denys on newer
cisco devices (Paul Robert Marino <prmarino1@gmail.com>).
- Fix Apache formating when Apache logname or user is set
(Robin Gruyters <r.gruyters@yirdis.nl> and <andre@vandervlies.xs4all.nl>)
(fix#229).
- Invalid user.user_id(0).name assignement in SSH rule 1913
(Scott Olihovik <skippylou@gmail.com>) (fix#243).
- Various bug fixes and minor improvements.
- Ability to use regular expressions in plugins.rules to define
monitored sources, this can be very useful when combined to file
globing.
- [SPEEDUP] When the "*" keyword is used, the data is passed to the
upper layer without trying to match anything.
- Fix NULL pointer dereference when a rule reference an existing,
but empty context (fix#226).
- Remove deprecated use of prelude_client_print_setup_error(),
directly handled via prelude_perror().
- Make the log parser more robust.
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
- Pattern can now be used to specify file to be monitored.
- Fix an issue in the detection of buggy writev() FAM notification.
- Add bonding.rules, by Paul Robert Marino <prmarino1@gmail.com>.
- ModSecurity ruleset update: remove unnecessary fields + ModSecurity 2.0 compatibility.
- New Cisco IOS common ruleset, by Alexandre Racine.
- Avoid duplicating information in node name and node address.
- Add rule ID and revision to the generated alert for each matched rule. Fix#206.
- Handle "last" keyword even if the rule does not contain any IDMEF assignment. Fix#218.
- Various bug fixes.
- Fix a bug where some rules marked silent would trigger an alert.
- Load Sonicwall and Spamassassin ruleset by default.
- Fix rule syntax problem in Sonicwall ruleset.
- Fix rule indexing problem in Squid ruleset.
- Postfix rule consistency fix.
2) Changed permissions on plugins.rules and prelude-lml.conf so that
prelude-lml can run unpriviledged
3) Changed confdir in configure so that plugins.rules and prelude-lml.conf
are found.
Changes in 0.9.5:
- Experimental context support (ala SEC): we now handle
multiline log matching.
- Update PAX rules so that it use the new context feature.
- Don't exit on statistics signal, improve statistics precision,
make them easier to read.
- Fix some problem with user & group options.
- text-output argument is optional.
- New experimental ruleset: Sonicwall and Spamassassin. These
need to be manually hooked to pcre.rules if you plan to use
them.
- Fix FAM activation switches.
Changes:
- Remove trailing space from regex we get from plugins.rules (this fix
a match problem on log entry that didn't contain any space).
- Add --user / --group option to drop privilege. However, make sure it is
not allowed to open file that the target user can not read, because it
would lead to failure when trying to re-open the logfile after a rotation.
- Signal handling improvement.
- Fix priority for --quiet option.
- Use newer libprelude IDMEF_LIST_APPEND/IDMEF_LIST_PREPEND addition.
- Add unhandled arguments warning.
- Get rid of the 1024 characters per line limitation (defined as per
the syslog RFC), since LML is not limited to parsing input from syslog
anymore.
- Handle events in Clamav logging format as well as syslog.
- Abstracted Squid chain regex to allow parsing of data directly
from Squid log files.
- Introduced support for openhostapd.
- Began expanding rulesets with additional_data and vendor-specific
classification data.
- Various ruleset updates and bug fixes.
Prelude-LML is a signature based log analyzer monitoring logfile and
received syslog messages for suspicious activity. It handle events
generated by a large set of components, including but not limited to:
BigIP, Grsecurity, Honeyd, ipchains, Netfilter, ipfw, Nokia ipso,
Nagios, Norton Antivirus Corporate Edition, NTsyslog, PAM, Portsentry,
Postfix, Proftpd, ssh, etc.
sensors, managers, and a display console.
Prelude-lml is the log file analyzer. It scans
system log files and generates IDMEF alerts to
the prelude-manager based on signature rulesets.
This is one of sever new Prelude packages.
