# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../sancp/sancp-1.6.1-stable-prelude-3.diff
# Copyright (C) 2007 The OpenSDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---

diff -ruN sancp-1.6.1-stable.vanilla/Makefile sancp-1.6.1-stable/Makefile
--- sancp-1.6.1-stable.vanilla/Makefile	2007-07-07 00:46:11.000000000 +0200
+++ sancp-1.6.1-stable/Makefile	2007-07-24 13:44:01.000000000 +0200
@@ -9,7 +9,7 @@
 
 
 # LINUX and BSD CFLAGS
-CFLAGS = -O3 -I/usr/include/pcap -I/usr/local/include/pcap  -I./ -L/usr/lib/libsocket.so  -g -L/opt/csw/lib -ggdb
+CFLAGS = -g -O3 -I/usr/include/pcap -I/usr/local/include/pcap  -I./ -L/usr/lib/libsocket.so  -g -L/opt/csw/lib -ggdb `libprelude-config --cflags`
 
 # LINUX  LFLAGS
 LFLAGS = -lresolv -lnsl -lpcap -L/usr/lib/libpcap.so.0.6.2
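Review bot: `-g` now appears twice in CFLAGS (the new leading one and the existing `-g … -ggdb`), and the backtick `libprelude-config --cflags` is re-expanded by the shell on every recipe line that uses `$(CFLAGS)`; if `libprelude-config` is not on PATH the substitution quietly becomes empty and the failure only shows up later as a missing `libprelude/prelude.h`. Drop the duplicate `-g`, and consider keeping the libprelude flags in their own `PRELUDE_CFLAGS` variable plus a target that runs `libprelude-config --version` and fails with a clear message when the tool is absent. The object-file compile rules that consume CFLAGS are outside this hunk, so I cannot confirm they pick up the new flags.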
@@ -41,10 +41,10 @@
 bsd :
 	@(echo "#define PLATFORM_BSD" > platform.h)
 	@make final
-	g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o  misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o
+	g++ -Wall $(BFLAGS) $(CFLAGS) -o sancp sancp.o  misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags`
 
 linux :
 	@(echo "#define PLATFORM_LINUX" > platform.h)
 	@make final
-	g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o
+	g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o help.o `libprelude-config --libs` `libprelude-config --ldflags`
 
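Review bot: The same two `libprelude-config` substitutions (`--libs` and `--ldflags`) are now pasted verbatim onto both the bsd and the linux link lines; put them in one variable next to LFLAGS/BFLAGS (a `PRELUDE_LIBS` holding the two substitutions) and append `$(PRELUDE_LIBS)` to both lines so a future change is made once. The eleven-object link list is likewise duplicated between the two targets, but that predates this patch.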
diff -ruN sancp-1.6.1-stable.vanilla/apply_rule.cc sancp-1.6.1-stable/apply_rule.cc
--- sancp-1.6.1-stable.vanilla/apply_rule.cc	2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/apply_rule.cc	2007-07-24 13:44:01.000000000 +0200
@@ -47,6 +47,12 @@
 				tc->tcplag=myacl->tcplag;	
 				tc->status=myacl->status;	
 				tc->rid=myacl->rid;	
+				tc->prelude_impact_severity=myacl->prelude_impact_severity;
+				tc->prelude_impact_completion=myacl->prelude_impact_completion;
+				tc->prelude_impact_type=myacl->prelude_impact_type;
+				tc->prelude_confidence_rating=myacl->prelude_confidence_rating;
+
+
 
 				if(myacl->pmode==OMODE_UNIQ)
 				{
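Review bot: The four new assignments copy `myacl`'s `char *` values into the connection by pointer, so a `struct cnx` now holds strings owned by its ACL (or the literal defaults from sancp.h); if the ACL list can be freed or rebuilt while connections are live (build_config and the reload path are outside this hunk, so I cannot tell), `record_prelude` would read freed memory. Either `strdup` into the cnx with a matching release when the cnx is erased, or document the assumption at this point, e.g. `/* prelude_* strings are owned by the ACL / gVars and must outlive every cnx that references them */`. The three trailing blank lines added after the block are noise. The enclosing function starts and ends outside the hunk.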
@@ -112,6 +118,10 @@
 			nc->rgid=myacl->rgid;	
 			nc->zone=myacl->zone;	
 			nc->node=myacl->node;	
+			nc->prelude_impact_severity=myacl->prelude_impact_severity;
+			nc->prelude_impact_completion=myacl->prelude_impact_completion;
+			nc->prelude_impact_type=myacl->prelude_impact_type;
+			nc->prelude_confidence_rating=myacl->prelude_confidence_rating;
 			myacl->ctr++;	
 			return;
 		}
@@ -130,6 +140,10 @@
 	nc->timeout=gVars.default_timeout;	
 	nc->tcplag=gVars.default_tcplag;	
 	nc->node=gVars.default_node;	
+	nc->prelude_impact_severity=gVars.prelude_impact_severity;
+	nc->prelude_impact_completion=gVars.prelude_impact_completion;
+	nc->prelude_impact_type=gVars.prelude_impact_type;
+	nc->prelude_confidence_rating=gVars.prelude_confidence_rating;
 	gVars.default_ctr++;
 #ifdef DEBUG
 	printf("Setting stats: %d  pcap: %d realtime: %d limit: %d timeout: %d tcplag: %d\n", nc->stats, nc->pcap, nc->realtime, nc->limit, nc->timeout, nc->tcplag);
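Review bot: The `#ifdef DEBUG` printf just below the new assignments still reports only the pre-existing fields, so the prelude tags a default-matched connection ends up with are invisible in debug output; append ` prelude: %s/%s/%s/%s` with `nc->prelude_impact_severity, nc->prelude_impact_completion, nc->prelude_impact_type, nc->prelude_confidence_rating` to that line. As in the ACL branch above, these are pointer copies of gVars' strings rather than private copies, which is fine as long as gVars' values are never freed while a cnx is alive. The enclosing function continues outside the hunk.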
diff -ruN sancp-1.6.1-stable.vanilla/build_acl.cc sancp-1.6.1-stable/build_acl.cc
--- sancp-1.6.1-stable.vanilla/build_acl.cc	2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/build_acl.cc	2007-07-24 13:44:01.000000000 +0200
@@ -1168,6 +1168,62 @@
 	fprintf(stdout,"Didn't set default for %s to %s\n",tok,tmp);
 #endif
 	}
+	if(strcmp(tok,"prelude_impact_severity")==0)
+	{
+		if((tmp = get_tok(&rules,accept))==NULL)
+		{
+			syslog(LOG_ERR,"Format error, prelude_impact_severity specified but none provided, using prelude_impact_severity %s\n",PRELUDE_IMPACT_SEVERITY);
+			free(rule);
+			return;
+		}
+		gVars.prelude_impact_severity = strdup(tmp);
+		free(rule);
+	}
+	if(strcmp(tok,"prelude_impact_completion")==0)
+	{
+		if((tmp = get_tok(&rules,accept))==NULL)
+		{
+			syslog(LOG_ERR,"Format error, prelude_impact_completion specified but none provided, using prelude_impact_completion %s\n",PRELUDE_IMPACT_COMPLETION);
+			free(rule);
+			return;
+		}
+		gVars.prelude_impact_completion = strdup(tmp);
+		free(rule);
+	}
+	if(strcmp(tok,"prelude_impact_type")==0)
+	{
+		if((tmp = get_tok(&rules,accept))==NULL)
+		{
+			syslog(LOG_ERR,"Format error, prelude_impact_type specified but none provided, using prelude_impact_type %s\n",PRELUDE_IMPACT_TYPE);
+			free(rule);
+			return;
+		}
+		gVars.prelude_impact_type = strdup(tmp);
+		free(rule);
+	}
+	if(strcmp(tok,"prelude_confidence_rating")==0)
+	{
+		if((tmp = get_tok(&rules,accept))==NULL)
+		{
+			syslog(LOG_ERR,"Format error, prelude_confidence_rating specified but none provided, using prelude_confidence_rating %s\n",PRELUDE_CONFIDENCE_RATING);
+			free(rule);
+			return;
+		}
+		gVars.prelude_confidence_rating = strdup(tmp);
+		free(rule);
+	}
+	if(strcmp(tok,"prelude_profile")==0)
+	{
+		if((tmp = get_tok(&rules,accept))==NULL)
+		{
+			syslog(LOG_ERR,"Format error, prelude_profile specified but none provided, using prelude_profile %s\n",PRELUDE_PROFILE);
+			free(rule);
+			return;
+		}
+		gVars.prelude_profile = strdup(tmp);
+		free(rule);
+	}
+
 }
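Review bot: Each of the five new default handlers ends with `free(rule)` but, unlike the error branches, no `return`, so after a match the function continues into the remaining `strcmp(tok, …)` tests; if `tok` points into the `rule` buffer (as the `get_tok(&rules, accept)` tokenising suggests — the function's start is outside the hunk), those comparisons read freed memory. Add `return;` after each trailing `free(rule);`. The values are stored verbatim with an unchecked `strdup` and never compared against the IDMEF enumerations libprelude will accept, and a repeated default leaks the earlier copy (the initial value is a literal, so ownership would need tracking before it can be freed). A small validator shared with the per-rule parser, e.g. `static bool prelude_valid_severity(const char *s)`, would turn a misspelled severity into a config-load error instead of a field silently missing from every alert.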
 
 void parse_var(char *c_rule, char *accept)
@@ -1426,6 +1482,10 @@
 		}else{
 			n_acl->fH = 0;
 		}
+		n_acl->prelude_impact_severity = gVars.prelude_impact_severity;
+		n_acl->prelude_impact_completion = gVars.prelude_impact_completion;
+		n_acl->prelude_impact_type = gVars.prelude_impact_type;
+		n_acl->prelude_confidence_rating = gVars.prelude_confidence_rating;
 
 		// FIELD 0 - required - Get the h_proto
                 n_acl->h_proto_h = 0xFFFF;
@@ -2061,6 +2121,46 @@
 				n_acl->retro = true;
 				continue;
 			}
+			if(strcmp(tok,"severity")==0)
+			{
+				if((tmp = get_tok(rules,accept))==NULL)
+				{
+					syslog(LOG_ERR,"Format error, severity specified but no option provided%s\n",rule);
+					return;
+				}
+				n_acl->prelude_impact_severity = strdup(tmp);
+				continue;
+			}
+			if(strcmp(tok,"completion")==0)
+			{
+				if((tmp = get_tok(rules,accept))==NULL)
+				{
+					syslog(LOG_ERR,"Format error, completion specified but no option provided%s\n",rule);
+					return;
+				}
+				n_acl->prelude_impact_completion = strdup(tmp);
+				continue;
+			}
+			if(strcmp(tok,"type")==0)
+			{
+				if((tmp = get_tok(rules,accept))==NULL)
+				{
+					syslog(LOG_ERR,"Format error, type specified but no option provided%s\n",rule);
+					return;
+				}
+				n_acl->prelude_impact_type = strdup(tmp);
+				continue;
+			}
+			if(strcmp(tok,"confidence")==0)
+			{
+				if((tmp = get_tok(rules,accept))==NULL)
+				{
+					syslog(LOG_ERR,"Format error, confidence specified but no option provided%s\n",rule);
+					return;
+				}
+				n_acl->prelude_confidence_rating = strdup(tmp);
+				continue;
+			}
 			syslog(LOG_ERR,"Skipping, invalid option in rule: %s %s\n", tok,*rules);
 			return;
 		}
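Review bot: The four new error messages run the text straight into the rule, `"… no option provided%s\n"`; add a separator, e.g. `"… no option provided: %s\n"`. More important, the per-rule value is stored with `strdup` while the defaults copied from gVars earlier in this parser are shared pointers, so an ACL cannot tell which of its four prelude fields it owns, and a repeated option leaks the earlier copy. Nothing checks the value against IDMEF's enumerations, and the README example `severity=severe` in this same patch is not one of RFC 4765's severity values (info, low, medium, high), so it would be rejected inside libprelude at alert time rather than at config load; either validate here or document the accepted values next to these keywords. The enclosing rule parser starts and ends outside the hunk.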
diff -ruN sancp-1.6.1-stable.vanilla/docs/README sancp-1.6.1-stable/docs/README
--- sancp-1.6.1-stable.vanilla/docs/README	2007-07-06 03:33:14.000000000 +0200
+++ sancp-1.6.1-stable/docs/README	2007-07-24 13:44:01.000000000 +0200
@@ -277,6 +277,10 @@
   		 strip-80211  { disable|enable }
   		 node <number>
   		 debug_pcap_raw  { disable|enable }
+                 prelude_impact_severity [string]
+                 prelude_impact_completion [string]
+                 prelude_impact_type [string]
+                 prelude_confidence_rating [string]
 
   known_port syntax:
   -----------------------:
@@ -310,6 +314,9 @@
 			b) tagging options 
 				i.e. status=16 rid=1112 node=2 
 
+                        c) prelude options
+                                i.e. severity=severe, completion=succeeded, type=other, confidence=high
+
   [<ether protocol>[-<end_range>] [<src_ip{/<CIDR>|<dotted>}>] [<dst_ip{/<CIDR>|<dotted>}>] [{tcp|udp|icmp|<proto number>[-<end_range>] }]
   [<src_port>{-[<end_port_range>]}] [<dst_port>{-[<end_port_range>]}] 
   { ignore | stats [{log|pass}] | realtime [{log|pass}] |
diff -ruN sancp-1.6.1-stable.vanilla/gvars.h sancp-1.6.1-stable/gvars.h
--- sancp-1.6.1-stable.vanilla/gvars.h	2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/gvars.h	2007-07-24 13:44:01.000000000 +0200
@@ -17,7 +17,8 @@
 /* Make certain all id's are represented in the same order (as strings) in fmtnames[] */
 /* 'null' is a place holder - in the list for field 0 */ 
 
-enum id {null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac };
+enum id
+{null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_local,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac,prelude_impact_sevirty,prelude_impact_completion,prelude_impact_type,prelude_confidence_rating,prelude_profile };
 
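Review bot: The new enumerator `prelude_impact_sevirty` is misspelled relative to every other use of the name (`prelude_impact_severity`); rename it before anything else refers to it. The comment two lines above requires every `enum id` member to have a matching string at the same position in `fmtnames[]`, and nothing in this patch touches `fmtnames[]` (it is outside the hunk), so either add the five names there or say why these ids are not selectable output fields. If they are identifiers only, a comment such as `/* prelude_* ids are not output fields and have no fmtnames[] entry */` would save the next reader the search.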
 struct cnx_queue {
 	struct cnx *head;
@@ -102,5 +103,10 @@
 	int stdout_fmt_len;
 	pcap_t *ph;      // pcap handle
 	struct pcap_pkthdr *g_pkthdr;//
+	char *prelude_impact_severity;
+	char *prelude_impact_completion;
+	char *prelude_impact_type;
+	char *prelude_confidence_rating;
+	char *prelude_profile;
 };
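Review bot: The five new members are assigned string literals in main() (`PRELUDE_PROFILE` and friends from sancp.h) and only ever read, so declare them `const char *`; that keeps a later `free()` or in-place edit of a literal from compiling, and recent g++ versions already warn about the literal-to-`char *` conversion. A one-line comment noting that the defaults point at literals while config-supplied values are `strdup`'d copies, e.g. `/* default: string literal; from config: strdup'd, never freed */`, would document the ownership split the parser creates.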
 
diff -ruN sancp-1.6.1-stable.vanilla/sancp.cc sancp-1.6.1-stable/sancp.cc
--- sancp-1.6.1-stable.vanilla/sancp.cc	2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/sancp.cc	2007-07-24 13:44:01.000000000 +0200
@@ -48,7 +48,40 @@
 	//char dfltfmt[]= { sancp_id,start_time_gmt,src_mac,dst_mac,eth_proto,src_ip_dotted,dst_ip_dotted,ip_proto,src_port,dst_port };
 	char dfltfmt_human_readable[]= { sancp_id,start_time_gmt,stop_time_gmt,erased_time_gmt,eth_proto,ip_proto,src_ip_dotted,src_port,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,dflags_hex,cflags_hex,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac };
 
+prelude_client_t *client;
+static idmef_analyzer_t *idmef_analyzer;
 
+int sancp_alert_init(prelude_client_t *client) 
+{
+        int ret;
+        prelude_string_t *string;
+        
+        idmef_analyzer = prelude_client_get_analyzer(client);
+        if ( ! idmef_analyzer )
+                return -1;
+        
+        ret = idmef_analyzer_new_model(idmef_analyzer, &string);
+        if ( ret < 0 )
+                return -1;
+        prelude_string_set_constant(string, PRELUDE_ANALYZER_MODEL);
+
+        ret = idmef_analyzer_new_class(idmef_analyzer, &string);
+        if ( ret < 0 )
+                return -1;
+        prelude_string_set_constant(string, PRELUDE_ANALYZER_CLASS);
+
+        ret = idmef_analyzer_new_manufacturer(idmef_analyzer, &string);
+        if ( ret < 0 )
+                return -1;
+        prelude_string_set_constant(string, PRELUDE_ANALYZER_MANUFACTURER);
+
+        ret = idmef_analyzer_new_version(idmef_analyzer, &string);
+        if ( ret < 0 )
+                return -1;
+        prelude_string_set_constant(string, VERSION);
+
+        return 0;
+}
 /************* 
  *  Main     * 
  *************/
@@ -56,6 +89,7 @@
 int main(int argc, char *argv[]) {
 	extern struct gvars gVars;
 	int cKey;
+	int ret;
 	pid_t pid=0;
 
 	/*
@@ -102,6 +136,14 @@
 	gVars.stdout_delimiter=DEFAULT_DELIMITER;
 	gVars.stdout_eor=DEFAULT_EOR;
 
+	gVars.prelude_impact_severity=PRELUDE_IMPACT_SEVERITY;
+	gVars.prelude_impact_completion=PRELUDE_IMPACT_COMPLETION;
+	gVars.prelude_impact_type=PRELUDE_IMPACT_TYPE;
+	gVars.prelude_confidence_rating=PRELUDE_CONFIDENCE_RATING;
+	gVars.prelude_profile=PRELUDE_PROFILE;
+
+	
+
 	for(cKey=0; cKey<HASH_KEYS; cKey++)
 	{
 		gVars.cnx_head[cKey]=NULL;
@@ -116,6 +158,8 @@
 
 	parse_args(argc, argv);
 
+
+
 	if(gVars.human_readable){
              if(gVars.realtime_fmt_len!=sizeof(dfltfmt_human_readable)){
         	free(gVars.realtime_fmt);
@@ -143,7 +187,15 @@
 
            setsid();
         }
+	prelude_log_set_flags((prelude_log_flags_t)PRELUDE_LOG_FLAGS_SYSLOG);
      }
+
+	/* Initialize prelude */
+	ret = prelude_init(&argc, argv);
+	if (ret < 0) {
+		prelude_perror(ret, "unable to initialize the prelude library");
+		exit_all(0);
+	}
 	/* Retrieve the last cnxid from cache file if we haven't already in parse_args() */
 
 	if(!gVars.cnx_id)
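Review bot: The fatal branch calls `exit_all(0)`, so a failed `prelude_init` terminates with a success status; use a non-zero status (`exit_all(1)`, if `exit_all` passes it through — its definition is outside this hunk). `prelude_init(&argc, argv)` is also called after `parse_args` earlier in main rather than before it; as far as I recall libprelude strips its own `--prelude-*` options from argv, so with this ordering sancp's parser sees them first and may reject them. Moving the `prelude_init` call ahead of `parse_args` keeps the standard libprelude command-line options usable. main() continues outside the hunk.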
@@ -197,6 +249,29 @@
 
 	build_config(1);
 
+	/* Create prelude sensor */
+        
+	ret = prelude_client_new(&client, gVars.prelude_profile);
+	if ( ! client ) {
+		prelude_perror(ret, "Unable to create a prelude client object");
+		exit_all(0);
+	}
+
+	/* Start prelude sensor */
+	sancp_alert_init(client);
+	ret = prelude_client_start(client);
+	if ( ret < 0 ) {
+		prelude_perror(ret, "Unable to start prelude client");
+		exit_all(0);
+	}
+
+	ret = prelude_client_set_flags(client, (prelude_client_flags_t)
+		(PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
+	if ( ret < 0 ) {
+		fprintf(stderr, "Unable to set asynchronous send and timer.\n");
+		exit_all(0);
+	}
+
 	/* Open files for output */
 	/* Be r3al l33t h3r3 */
 
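Review bot: `prelude_client_new` is checked with `if ( ! client )` while its return code `ret` is ignored; check `if ( ret < 0 )` like the two calls below it, since `client` being NULL after a failure only follows from the global being zero-initialised. `sancp_alert_init(client)` returns -1 on failure but the result is dropped, so an alert could go out with an empty analyzer block; treat it like the other fatal errors, and make all three fatal paths exit non-zero instead of `exit_all(0)`. `prelude_client_set_flags` replaces the flag set rather than adding to it; if libprelude's defaults matter, use `prelude_client_get_flags(client) | …`. Nothing in this patch calls `prelude_client_destroy` or `prelude_deinit` at shutdown (`exit_all` is outside the hunk), so alerts still queued by `ASYNC_SEND` may be lost on exit. main() continues outside the hunk.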
diff -ruN sancp-1.6.1-stable.vanilla/sancp.h sancp-1.6.1-stable/sancp.h
--- sancp-1.6.1-stable.vanilla/sancp.h	2007-07-06 06:18:04.000000000 +0200
+++ sancp-1.6.1-stable/sancp.h	2007-07-24 13:44:01.000000000 +0200
@@ -47,6 +47,10 @@
 #include "gvars.h"
 #endif
 
+#include <libprelude/prelude.h>
+#include <libprelude/prelude-log.h>
+#include <netdb.h>
+
 #define NCP_H
 #define Y 'Y'
 #define N 'N'
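Review bot: Including `<libprelude/prelude.h>` unconditionally from the main header makes libprelude a hard build and runtime dependency — main() now exits unless a prelude profile can be created and started — with no `#ifdef` to build the sensor without it. If an optional build is wanted, guard these includes and the prelude calls with a `HAVE_LIBPRELUDE`-style macro set from the Makefile; otherwise state the requirement here, e.g. `/* libprelude is mandatory: sancp registers as an IDMEF sensor under the profile named by PRELUDE_PROFILE */`.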
@@ -79,6 +83,7 @@
 	struct vars *next;
 };
 
+extern prelude_client_t *client;
 int main(int argc, char *argv[]);
 struct cnx *process(struct cnx*, int len, u_char * pkt);
 char * createPcapFileName();
@@ -185,6 +190,15 @@
 #define OMODE_RULE 5
 #define OMODE_UNIQ 6
 
+#define PRELUDE_IMPACT_SEVERITY "medium"
+#define PRELUDE_IMPACT_COMPLETION "succeeded"
+#define PRELUDE_IMPACT_TYPE "other"
+#define PRELUDE_CONFIDENCE_RATING "high"
+#define PRELUDE_ANALYZER_MODEL "Sancp"
+#define PRELUDE_ANALYZER_CLASS "NIDS"
+#define PRELUDE_ANALYZER_MANUFACTURER "http://www.metre.net/sancp.html"
+#define PRELUDE_PROFILE "sancp"
+
 // Need to distinguish between classes of variables
 #define VCLASS_0 1	// eth_proto class vars
 #define VCLASS_1 2	// ip_addr class vars
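Review bot: The four impact/confidence defaults have to be values libprelude accepts for the corresponding IDMEF enumerations, but nothing here says so, and the config parser copies user strings into the same fields unchecked. Add a comment above the group listing the accepted values, e.g. `/* IDMEF (RFC 4765) enumerations: severity info|low|medium|high, completion failed|succeeded, type admin|dos|file|recon|user|other, confidence low|medium|high|numeric */`, so the README and any future validator share one reference.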
@@ -276,6 +290,10 @@
     u_int16_t rgid;
     u_int16_t node;
     u_int16_t zone;
+    char *prelude_impact_severity;
+    char *prelude_impact_completion;
+    char *prelude_impact_type;
+    char *prelude_confidence_rating;
     CBuffer *CBufferPtr;
     struct acl *next;
 };
@@ -314,6 +332,10 @@
         u_int16_t rgid;
 	u_int16_t node;
 	u_int16_t zone;
+    	char *prelude_impact_severity;
+    	char *prelude_impact_completion;
+    	char *prelude_impact_type;
+    	char *prelude_confidence_rating;
     	CBuffer *CBufferPtr;
 	struct os_info os_info;
 	struct os_info os_info2;
diff -ruN sancp-1.6.1-stable.vanilla/statefull_logging.cc sancp-1.6.1-stable/statefull_logging.cc
--- sancp-1.6.1-stable.vanilla/statefull_logging.cc	2007-07-05 18:12:20.000000000 +0200
+++ sancp-1.6.1-stable/statefull_logging.cc	2007-07-24 13:44:01.000000000 +0200
@@ -183,6 +183,208 @@
     snprintf(buf,len,"%s",currenttime);
 }
 
+static int add_idmef_object(idmef_message_t *message, const char *object, const char *value)
+{
+        int ret;
+        idmef_value_t *val;
+        idmef_path_t *path;
+        
+        ret = idmef_path_new(&path, object);
+        if ( ret < 0 )
+                return -1;
+
+        ret = idmef_value_new_from_path(&val, path, value);
+        if ( ret < 0 ) {
+                idmef_path_destroy(path);
+                return -1;
+        }
+
+        ret = idmef_path_set(path, message, val);
+
+        idmef_value_destroy(val);
+        idmef_path_destroy(path);
+        
+        return ret;
+}
+
+#define IDMEF(x) { \
+    int ret = (x); \
+    if (ret < 0) { idmef_message_destroy(idmef); printf("error\n"); return; } \
+    }
+
+void record_prelude(struct cnx *cn) {
+    char LOG[MAXENTRYLEN];
+
+    idmef_message_t *idmef;
+    idmef_alert_t *alert;
+    idmef_time_t *time;
+
+    struct servent *sourceservent;
+    struct protoent *protoent;
+
+    IDMEF(idmef_message_new(&idmef));
+    IDMEF(idmef_message_new_alert(idmef, &alert));
+
+    /* alert.detecttime */
+    if (cn->start_time) {
+        IDMEF(idmef_time_new_from_time(&time, &cn->start_time));
+    } else {
+        /* using the curen time */
+        IDMEF(idmef_time_new_from_gettimeofday(&time));
+    }
+    idmef_alert_set_detect_time(alert, time);
+
+    /* alert.createtime */
+    time = NULL;
+    IDMEF(idmef_time_new_from_gettimeofday(&time));
+    idmef_alert_set_create_time(alert, time);
+
+    /* alert.analyzer */
+    idmef_alert_set_analyzer(alert,idmef_analyzer_ref(prelude_client_get_analyzer(client)),0);
+
+    /* alert.classification.text */
+    add_idmef_object(idmef, "alert.classification.text", 
+        "Unauthorized network connectivity");
+
+    /* alert.messageid */
+    snprintf(LOG,MAXENTRYLEN,"%lld",cn->cid);
+    add_idmef_object(idmef, "alert.messageid", LOG);
+
+    /* alert.impact.severity */
+    add_idmef_object(idmef, "alert.assessment.impact.severity",
+        cn->prelude_impact_severity);
+
+    /* alert.impact.completion */
+    add_idmef_object(idmef, "alert.assessment.impact.completion",
+        cn->prelude_impact_completion);
+
+    /* alert.impact.type */
+    add_idmef_object(idmef, "alert.assessment.impact.type",
+        cn->prelude_impact_type);
+
+    /* alert.confidence.rating */
+    add_idmef_object(idmef, "alert.assessment.confidence.rating",
+        cn->prelude_confidence_rating);
+
+    /* alert.additionaldata(0) */
+    add_idmef_object(idmef, "alert.additionaldata(0).type", "integer");
+    add_idmef_object(idmef, "alert.additionaldata(0).meaning", "status");
+    snprintf(LOG,MAXENTRYLEN,"%u",cn->status);
+    add_idmef_object(idmef, "alert.additionaldata(0).integer", LOG);
+
+    /* alert.additionaldata(1) */
+    add_idmef_object(idmef, "alert.additionaldata(1).type", "integer");
+    add_idmef_object(idmef, "alert.additionaldata(1).meaning", "Network node");
+    snprintf(LOG,MAXENTRYLEN,"%u",cn->node);
+    add_idmef_object(idmef, "alert.additionaldata(1).integer", LOG);
+
+    /* IP versios */
+    if (cn->h_proto == 8) {
+        add_idmef_object(idmef, "alert.source(0).service.ip_version", "4");
+        add_idmef_object(idmef, "alert.target(0).service.ip_version", "4");
+    } else {
+         /* bail out */
+        idmef_message_destroy(idmef);
+        return;
+    }
+
+    /* alert.source(0).node.address(0) (ip address) */
+    if(cn->reversed==CNX_REVERSED){
+        snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0');
+    }else{      
+        snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0');
+    }
+    add_idmef_object(idmef, "alert.source(0).node.address(0).category", 
+        "ipv4-addr");
+    add_idmef_object(idmef, "alert.source(0).node.address(0).address", LOG);
+
+    /* alert.source(0).node.address(1) (mac address) */
+    add_idmef_object(idmef, "alert.source(0).node.address(1).category", "mac");
+    {
+        struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_shost;
+        snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
+    }
+    add_idmef_object(idmef, "alert.source(0).node.address(1).address", LOG);
+
+    protoent = getprotobynumber(cn->proto);
+
+    /* alert.source(0).iana_protocol_number */
+    snprintf(LOG,MAXENTRYLEN,"%u",(cn->proto));
+    add_idmef_object(idmef, "alert.source(0).service.iana_protocol_number", LOG);
+
+    /* alert.target(0).iana_protocol_number */
+    add_idmef_object(idmef, "alert.target(0).service.iana_protocol_number", LOG);
+
+
+    if (protoent) {
+    /* alert.source(0).iana_protocol_name */
+        add_idmef_object(idmef, "alert.source(0).service.iana_protocol_name",
+            protoent->p_name);
+
+    /* alert.target(0).iana_protocol_name */
+        add_idmef_object(idmef, "alert.target(0).service.iana_protocol_name",
+            protoent->p_name);
+
+    /* alert.source(0).service */
+        setservent(1);
+        if(cn->reversed==CNX_REVERSED){
+            snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port));
+            sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name); 
+        }else{
+            snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port));
+            sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name); 
+        }
+
+        if (sourceservent && sourceservent->s_name) 
+            add_idmef_object(idmef, "alert.source(0).service.name",
+             sourceservent->s_name );
+        add_idmef_object(idmef, "alert.source(0).service.port",
+            LOG);
+        add_idmef_object(idmef, "alert.source(0).service.protocol",
+            protoent->p_name);
+
+    /* alert.target(0).service */
+        if(cn->reversed==CNX_REVERSED){
+            snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->s_port));
+            sourceservent = getservbyport(ntohs(cn->s_port), protoent->p_name); 
+        }else{
+            snprintf(LOG,MAXENTRYLEN,"%u",ntohs(cn->d_port));
+            sourceservent = getservbyport(ntohs(cn->d_port), protoent->p_name); 
+        }
+
+        if (sourceservent && sourceservent->s_name) 
+            add_idmef_object(idmef, "alert.target(0).service.name",
+             sourceservent->s_name );
+        add_idmef_object(idmef, "alert.target(0).service.port",
+            LOG);
+        add_idmef_object(idmef, "alert.target(0).service.protocol",
+            protoent->p_name);
+    }   
+/*
+*/
+
+    /* alert.target(0).node.address(0) (ip address) */
+    if(cn->reversed==CNX_REVERSED){
+        snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0');
+    }else{      
+        snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0');
+    }
+    add_idmef_object(idmef, "alert.target(0).node.address(0).category", 
+        "ipv4-addr");
+    add_idmef_object(idmef, "alert.target(0).node.address(0).address", LOG);
+
+    /* alert.target(0).node_address(1) (mac address) */
+    add_idmef_object(idmef, "alert.target(0).node.address(1).category", "mac");
+    {
+        struct myether_addr *es=(struct myether_addr *)&cn->eth_hdr.ether_dhost;
+        snprintf(LOG,MAXENTRYLEN,"%0x:%0x:%0x:%0x:%0x:%0x",es->octet[0],es->octet[1],es->octet[2],es->octet[3],es->octet[4],es->octet[5]);
+    }
+    add_idmef_object(idmef, "alert.target(0).node.address(1).address", LOG);
+
+    prelude_client_send_idmef(client, idmef); 
+    idmef_message_destroy(idmef);
+}
+
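Review bot: The two MAC-address `snprintf` calls use `%0x`, which has no field width, so octet 0x0a prints as `a` rather than `0a`; use `"%02x:%02x:%02x:%02x:%02x:%02x"`. The `getservbyport` calls pass `ntohs(cn->d_port)` / `ntohs(cn->s_port)`, but getservbyport takes the port in network byte order, so if the ports are stored in network order (as the `ntohs` used to print them suggests) every lookup misses and `service.name` is never filled — pass the raw `cn->d_port` / `cn->s_port` there. `IDMEF(idmef_message_new(&idmef))` destroys `idmef` on failure while it may still be uninitialised; declare `idmef_message_t *idmef = NULL;` and have the macro skip the destroy when it is NULL. Every `add_idmef_object` return is ignored and the macro reports failure with `printf("error\n")`, so a rejected value (an impact severity outside the IDMEF enumeration, say) vanishes silently; log through `syslog(LOG_ERR, …)` as the rest of the file does and at least syslog a failed add.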
 
 void record(struct cnx *cn, outputFileHandle *fH) 
 {
@@ -199,8 +401,15 @@
 
 	char eor=fH->getEor();
     
+    /* do we want prelude alert generation for this record? */
+
     bzero(LOG,MAXENTRYLEN);
 
+    if (fH == gVars.sfH) {
+        record_prelude(cn);
+    }
+
+
 
 /*
  * Structure of a 48-bit Ethernet address.
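Review bot: `record_prelude(cn)` now runs for every record written through `gVars.sfH`, and the alert classification is hard-coded as `Unauthorized network connectivity`, so if `sfH` is the general stats output every logged flow becomes an IDMEF alert with that text — there is no global or per-rule switch to suppress it, and the new `severity`/`confidence` options only tune the alert, they cannot turn it off. Consider a `prelude { enable|disable }` default (or an `alert` rule flag) tested here, and move the comment `/* do we want prelude alert generation for this record? */` down next to the `if` it describes. `record` continues beyond the hunk.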