- Make threshold act like a real threshold: pass every Nth events
in the defined amount of seconds.
- Allow mixing Limit and Threshold.
- Do not share the tresholding hash accross thresholding plugin instance:
previously, the shared hash would result in strange thresholding plugin
behavior if you had several instance of thresholding loaded.
- Various bug fixes concerning plugin instance un-subscribtion (unsubscribtion
of certain plugin was not triggered).
- Fix for new libprelude (0.9.15) runtime warning.
- Add documentation for SQLite3 in the template configuration file
(Sébastien Tricaud <toady at gscore.org>).
- Update configuration template, add documentation for Prelude
generic TCP options.
- Implement modified patch from Pierre Chifflier <chifflier@inl.fr>
to fix the example log path (fix#224).
- Move IDMEF message normalization in the scheduler, rather than
doing it upon reception. This remove some load from the server
and allow Prelude-Manager own IDMEF messages to go through the
normalizer path.
- Implement heartbeat->analyzer normalization.
- Improve IPv4 / IPv6 address normalization.
IPv4 mapped IPv6 addresses are now mapped back to IPv4.
Additionally, the Normalize plugin now provide two additionals option:
ipv6-only: Map any incoming IPv4 address to IPv6.
keep-ipv4-mapped-ipv6: do not map IPv4 mapped IPv6 addresses back to IPv4.
- Make a difference between exceptional report plugin failure (example:
a single message couldn't be processed) and "global" plugin failure
(example: database server is down). We use a different failover for
'exceptional' failure, so that we don't try to reinsert a bogus message
(fix#247).
- Start of a Prelude-Manager manpages (#236).
- Various bug fixes.
- Initial implementation of the 'thresholding' plugin, allowing you to
suppress events after a certain limit/threshold.
- Filters hooking to a reporting plugin are now OR'ed instead of being
AND'ed. AND is already possible by hooking filtering plugin one with
another.
- Improved error reporting.
- Minor bug fixes.
- Fix a startup problem on system with different address of different family
mapping to the same IP.
- Fix for system using the GnuLib poll replacement modules. The module was
broken when used in conjunction with server socket.
- Various portability fixes
- In case an IDMEF-Service object contain neither name or port
attribute, set name to "unknown" in order to avoid IDMEF DTD
validation issue.
- Normalize analyzer(*).node.
- Enable write notification on queued write (Fix reverse relaying).
- Fix IDMEF message scheduler warning when plugin failover is enabled.
- Fix reverse relaying on some architecture due to thread safety
issue.
- Server scalability improvement in case of message burst.
- Start work on a normalization plugin. Very simple for now, mostly
sanitize IDMEF Address and IDMEF Service classes.
- When an analyzer have read and write permission to prelude-manager,
avoid acting as an echo server, don't send received message from this
analyzer to itself.
- When no listen address is specified, try to bind all
system address (both ipv4/ipv6).
- Send an alert to the peer on handshake failure, so that
the peer have some information on what happened.
- Consistency work accross all plugin logfile option.
- Various bug fixes and improvements.
- Only send TLS alert if there is one queued, fix a possible crash.
- Emit warning if prelude-failover problem arise.
- Improve error handling.
- Improve db plugin log option, "-" now mean stdout.
- Various bug fixes.
- prelude-manager has been updated to check the loaded revocation
list, if available. This was needed since the recent prelude-adduser
addition allowing to create analyzer revocation list.
- Remove line size limitation on specified IDMEF-criteria.
- Remove all ancillary groups as well as setgid-ing.
- Fix idmef-criteria-filter option conflict.
- Fix a possible crash if no listen address is specified, but a
reverse relay is used.
- Much better error reporting.
Prelude-Manager is a high availability server that accepts secured
connections from distributed sensors or other managers and saves
received events to a media specified by the user (database, logfile,
mail, etc).
sensors, managers, and a display console. This
is the manager. The Manager (there can be several
in an IDS network) accepts secured connections
from sensors and saves the alerts that Sensors
emit. This package installs the manager so that
mySql is used for alert storage.
This is one of several new Prelude packages.
