I'm not a Prelude user, but I am a Sguil user. My understanding of Prelude
is that it collects security events from various sources, provided they
all speak IDMEF.
Conceptually, Sguil is similar, in that it compiles data from various
sources, but its approach is a little different. For one thing, it
integrates some non-event data, like tcpdump traffic captures.
We think of Sguil as an analyst research tool. Most users start by reviewing
the snort alerts, then use the various built-in tools to dig for more data
in the packet capture logs, network session database or maybe Nessus
reports. You can also initiate the research directly, without starting
from a snort alert if you have something specific that you're looking for.
If your question is, "should I use Sguil or Prelude", I think the answer
is that you should try both and see what you think. The Sguil website
has directions for downloading the client and connecting to the public
demo server if you want to try it out without a lot of hassle, but it's
worthwhile getting up and running in your own environment if you really
want a good feel for it.
David
Hazel, Scott A. wrote:
> I have not tried Prelude yet but I'm curious to know how it compares to
> Sguil. From you description below it seems they fill the same role as the
> analyst's console. Has anyone compared them? Thanks.
>
> Scott Hazel
>
> -----Original Message-----
> From: Cedric Foll [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 16, 2005 4:23 AM
> To: Sven Müller
> Cc: [email protected]
> Subject: Re: Snortcenter, Prelude-IDS
>
> Hi,
>
>
>>Do you have any experiences with Prelude?
>>
>
>
> I use it for several months and i'm really happy with it.
>
> If you want only use snort (it's what i do) this is the idea:
> You install several snort v2.4.0. This version is able to send repport to a
> prelude manager.
> Then you install a prelude-manager and configure all your snort to repport
> their alert their. It's very easy and secure (ssl protocol with host and
> server auth via a pre-shared key).
> So you centralize all your alert and you can visualize them via prewikka a
> very nice web-based application.
>
> Furthemore, the ml is very responsive, the team is helpful and kind.
>
>
> Regards.
>
>
> --
> Cedric Foll
> Ingénieur Sécurité & Réseaux
> Division Informatique, Rectorat de Rouen
>
> "More people are killed every year by pigs than by sharks, which shows you
> how good we are at evaluating risk."
> Bruce Schneier
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE
> IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
