Prelude-LML is a signature-based log analyzer that monitors your log files and received syslog messages for suspicious activity.
It handles events generated by a large set of components, including but not limited to: APC Emu, BigIP, Cisco PIX, Clamav, Dell-OM, Grsecurity, Honeyd, ipchains, Netfilter, ipfw, Nokia ipso, Apache ModSecurity, Ms-SQL, Nagios, Norton Antivirus Corporate Edition, NTsyslog, Pam, Portsentry, Postfix, Proftpd, SSH, and others.
What's New in This Release:
· Minor changes since rc2.
· File notification improvement: some cases where file notification was not working appropriately were fixed. Improved handling of file deletion (optionally followed by a file creation event).
· There were various cases where the previous code would mishandle the metadata write/verification. All known issues are now fixed.
· There was no monitoring of standard input: everything was read once upon start and further input was ignored.
· Fixed possible truncation of the dispatched log when the string contained multiple nul terminators. Fixes a regression introduced in LML 1.0.0rc1.
· Statistics were missing for the UDP server input.
· Minor event reporting improvements and bug fixes.
· Improved large file handling.
· Support for character encodings and conversion to UTF-8. The user can specify a different character encoding for each file.
· Automatic character set detection: if none is specified by the user, the implementation will attempt to detect the character set used for a given file. If detection fails, the system default is used.
· Log entries are now converted to UTF-8 before processing. This fixes a problem where users could see incorrect characters in reported alerts, since the alerts carried data that could involve different character sets.
· Included Snare ruleset, courtesy of Nicholas Nachefski.
· [ModSecurity]: Generated events were missing some AdditionalData information.
· [Netfilter]: Ulogd ruleset compatibility, various improvements.
· Various bug fixes.