A short IDMEF help page to make filter creation easier:<br/>
<br/>
Each alert/attack in Prelude-IDS is represented by an IDMEF object/XML record.<br/>
This object is mapped to a set of tables in the database back-end. The first column you see when creating a filter is this list of tables.<br/>
<br/>
So, here is a sample IDMEF object, with a link to one help file per table (only the most used tables for now).<br/>
<br/>
<br/>
<pre>

  &lt;Alert ident="abc123456789">
    &lt;<a href="?node=Analyzer">Analyzer</a> analyzerid="hq-dmz-analyzer01">
      &lt;<a href="?node=Node">Node</a> category="dns">
        &lt;location>Headquarters DMZ Network&lt;/location>
        &lt;name>analyzer01.bigcompany.com&lt;/name>
      &lt;/Node>
      &lt;<a href="?node=Process">Process</a>>
      &lt;/Process>
    &lt;/Analyzer>
    &lt;<a href="?node=CreateTime">CreateTime</a> ntpstamp="0xbc723b45.0xef449129">
         2000-03-09T10:01:25.93464-05:00
    &lt;/CreateTime>
    &lt;<a href="?node=DetectTime">DetectTime</a>>
    &lt;/DetectTime>
    &lt;<a href="?node=AnalyzerTime">AnalyzerTime</a>>
    &lt;/AnalyzerTime>
    &lt;Source ident="a1b2c3d4">
      &lt;<a href="?node=Node">Node</a> ident="a1b2c3d4-001" category="dns">
        &lt;name>badguy.hacker.net&lt;/name>
        &lt;<a href="?node=Address">Address</a> ident="a1b2c3d4-002" category="ipv4-net-mask">
          &lt;address>123.234.231.121&lt;/address>
          &lt;netmask>255.255.255.255&lt;/netmask>
        &lt;/Address>
      &lt;/Node>
User
Process
Service
    &lt;/Source>
    &lt;Target ident="d1c2b3a4">
      &lt;<a href="?node=Node">Node</a> ident="d1c2b3a4-001" category="dns">
        &lt;<a href="?node=Address">Address</a> category="ipv4-addr-hex">
          &lt;address>0xde796f70&lt;/address>
        &lt;/Address>
      &lt;/Node>
User
Process
Service
FileList
    &lt;/Target>
    &lt;<a href="?node=Classification">Classification</a> origin="bugtraqid">
      &lt;name>124&lt;/name>
      &lt;url>http://www.securityfocus.com&lt;/url>
    &lt;/Classification>
Assessment
  Impact
    &lt;<a href="?node=AdditionalData">AdditionalData</a> type="xml">
      &lt;VendorCo:NodeGeography VendorCo:node-ident="a1b2c3d4-001">
        &lt;VendorCo:latitude>38.89&lt;/VendorCo:latitude>
        &lt;VendorCo:longitude>-77.02&lt;/VendorCo:longitude>
      &lt;/VendorCo:NodeGeography>
    &lt;/AdditionalData>
  &lt;/Alert>

</pre>
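<br/>
The following is an added example, not part of the original help page or of Prelude-IDS: it walks a trimmed copy of the sample alert and lists every IDMEF class with its fields and values, the view a filter author works from when picking a table and a value to match.<br/>
The dotted path notation and the function names are assumptions of this example, not Prelude's own table names; the <code>ipv4-addr-hex</code> address is shown in dotted form so it can be compared with other addresses.<br/>

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the alert shown above, without help links.
SAMPLE = """<Alert ident="abc123456789">
  <Analyzer analyzerid="hq-dmz-analyzer01">
    <Node category="dns">
      <name>analyzer01.bigcompany.com</name>
    </Node>
  </Analyzer>
  <Source ident="a1b2c3d4">
    <Node ident="a1b2c3d4-001" category="dns">
      <name>badguy.hacker.net</name>
      <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
        <address>123.234.231.121</address>
        <netmask>255.255.255.255</netmask>
      </Address>
    </Node>
  </Source>
  <Target ident="d1c2b3a4">
    <Node ident="d1c2b3a4-001" category="dns">
      <Address category="ipv4-addr-hex">
        <address>0xde796f70</address>
      </Address>
    </Node>
  </Target>
</Alert>"""

def flatten(elem, path=""):
    """Yield (class path, field, value); capitalised tags are treated as IDMEF classes."""
    path = f"{path}.{elem.tag}" if path else elem.tag
    for attr, value in elem.attrib.items():
        yield path, attr, value
    for child in elem:
        if child.tag[0].isupper():
            yield from flatten(child, path)
        else:
            value = (child.text or "").strip()
            # Hex-encoded IPv4 addresses are converted to dotted-quad notation.
            if child.tag == "address" and elem.get("category") == "ipv4-addr-hex":
                value = str(ipaddress.IPv4Address(int(value, 16)))
            yield path, child.tag, value

def rows(xml_text=SAMPLE):
    return list(flatten(ET.fromstring(xml_text)))

if __name__ == "__main__":
    for path, field, value in rows():
        print(f"{path:28} {field:12} {value}")
```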

