* 2010-03-16, prelude-correlator-1.0.0:

- When Prelude-Correlator is started as a daemon, make sure we use
  syslog for logging.

- Fix an exception when adding an alert with no source or target to the
  generated Correlation alert, by Frédéric Yhuel
  <fyhuel@prelude-technologies.com>

- Do not generate a Brute Force CorrelationAlert for multiple successful
  authentications.

- Work around a documentation installation problem.


* 2010-03-08, prelude-correlator-1.0.0rc4:

- Fix installation problem (#372).


* 2010-03-05, prelude-correlator-1.0.0rc3:

- Prelude-Correlator wasn't properly updating context (and thus, didn't
  generate correlation events) since context identifiers were escaped
  twice.

- Prevent an exception when Prelude-Correlator attempts to restore
  contexts from an earlier Prelude-Correlator version whose context
  internal attributes have changed.

- A sample-plugin example has been included in the distribution.


* 2010-02-01, prelude-correlator-1.0.0rc2:

- Fix the generated tarball name, so that the package can easily be
  included in various distributions for testing.


* 2010-01-29, prelude-correlator-1.0.0rc1:

- [Firewall]: The plugin will now report a CorrelationAlert for events /
  sets of events that appear to have passed through a firewall known to
  protect the target machine. If no firewall ever emits a block
  concerning a given host, then this host is considered unprotected, and
  there is no point in reporting a CorrelationAlert.

- [OpenSSHAuth]: The plugin has been modified so that it can now
  generate a single CorrelationAlert for multiple authentication methods
  used in a given time slice.

- [Spamhaus]: The plugin has been modified so that it can now generate a
  single CorrelationAlert for multiple events received from the same
  source.

- [BruteForce]: Various improvements; do not limit the number of events
  the plugin is able to report in a single CorrelationAlert.

- [Scan]: do not limit the number of events the plugin is able to report
  in a single CorrelationAlert.

- Context initialization now takes an optional 'overwrite' argument. This
  argument, if set to False, means that the Context() will be returned
  unmodified if it already exists. If it doesn't, it will be created.

- New Context.update() method, which provides exactly the same
  functionality as calling Context() with the 'update=True' argument.
  This is useful since some plugins need to defer an update to another
  place in the code.

- If the context creation/update function is called with an IDMEF message
  parameter, then we automatically call addAlertReference on the context
  CorrelationAlert using the provided message as the parameter.

- Make it possible to change context options on update.

- Automatically set CorrelationAlert DetectTime: the reported
  CorrelationAlert DetectTime now matches the time of the first event
  that was detected.

- Make it possible for a plugin to specify a function to be called on
  Timer expiration.

- Disable BusinessHour correlation by default since it is very verbose.

- Various bug fixes.


* 2009-11-03, prelude-correlator-0.9.0-beta8:

- Include spamhaus_drop.dat in the source distribution. Fix installation
  issue (closes #364).


* 2009-11-02, prelude-correlator-0.9.0-beta7:

- Initial SpamhausDrop plugin implementation, by
  Wes Young <wes@barely3am.com> (closes #363)

- Do not discard --root parameters if prefix is absolute.

- Python 2.4 backward compatibility fixes.

- Handle plugin loading error gracefully.

- Improve WormPlugin accuracy, and make it carry a reference to the
  initial event. The plugin used to alert when seeing an alert to a
  given target, and this same alert going back to the source. This can
  happen in a number of cases (example: Netbios alert triggered by
  Snort).

  As of now, the plugin will wait for the events to be repeated against
  at least 5 different hosts.

- Dshield CorrelationAlert now handles multiple events. Previously, we
  used to generate a single Dshield CorrelationAlert for each event
  where the source address would match the Dshield database. The plugin
  now generates a CorrelationAlert for multiple events received from the
  same source.


* 2009-07-09, prelude-correlator-0.9.0-beta6:

- Provide a default configuration file, and fix the prelude-correlator
  --config option.

- A rare exception could occur when IDMEF:Set() was called with
  an empty list/tuple as the value argument.

- Normalize libprelude logging through our own log callback (only
  enabled if libprelude >= 0.9.24 is installed).

- The DShield plugin didn't report any events since addresses loaded
  from the DShield database weren't correctly normalized.

- Automatic download + reloading of the DShield database was fixed.

- DShield generated alerts now include additional details.

- Make it possible to specify your own DShield database file, and to
  prevent automatic download. This is useful on systems with no direct
  Internet access.

- Handle both the standard installation and the EGG installation method
  (in EGG mode, configuration and data files are self-contained).

- Introduce a new plugin logging mechanism.

- Add some utility methods to the Timer class.

- Make it possible for a plugin to define a 'signal' method that will
  get called when prelude-correlator handles a signal (can be used to
  perform special handling before exit, statistics or debugging
  purposes).


* 2009-06-18, prelude-correlator-0.9.0-beta5:

- A bug prevented prelude-correlator from starting in daemon mode when
  using the '--pidfile' option. Fixes #355.

- Prevent prelude-correlator from aborting if a plugin fails. Emit
  a warning explaining why a given plugin couldn't load, and continue
  processing.

- Implement a timeout for Dshield.org server connection. The default
  is 10 seconds, and might be modified from the prelude-correlator.conf
  configuration file. This prevents Dshield host list loading from
  blocking forever, and fixes #353.

- Make it possible to disable a plugin (fixes #354), by adding the
  following setting in prelude-correlator.conf:

  [PluginClassName]
  disable = true

- Read plugin configuration from prelude-correlator.conf.

- Use the Python logging facility.

- Correct copyright notice, add missing AUTHORS, COPYING, HACKING.README files.



* 2009-06-17, prelude-correlator-0.9.0-beta4:

- Initial Python Correlator version. The rationale for the switch is
  available here:
  http://lists.prelude-ids.org/pipermail/prelude-user/2009-April/005163.html

- Support DShield <http://www.dshield.org/> correlation!


* 2008-07-11, prelude-correlator-0.9.0-beta3:

- Add missing AUTHORS file.

- Allow setting 'nil' IDMEF value using IDMEF:set() (#297).

- Fix ctx:set() typo in the business-hour.lua ruleset (#297).


* 2008-07-03, prelude-correlator-0.9.0-beta2:

- Fix issues with the business-hour ruleset, which tried updating a
  non-existing context. This rule does not need a context at all; a
  simple IDMEF object is sufficient.

- Always return a table when retrieving multiple paths (even
  with an empty path). Fix #295.

- Correct multi-path detection (was not working with exactly two IDMEF
  paths).

- Fix invalid installation path under certain conditions, thanks
  to Steve Grubb <sgrubb@redhat.com> for pointing that out.


* 2008-06-27, prelude-correlator-0.9.0-beta1b:

- Fix invalid installation path under certain conditions.


* 2008-06-27, prelude-correlator-0.9.0-beta1a:

- Always use $(DESTDIR) when installing files.

- Check for lua.pc as well as lua5.1.pc, since different distributions
  seem to be using different defaults.


* 2008-06-27, prelude-correlator-0.9.0-beta1:

- First Prelude-Correlator release.

