Suppose that you want to establish a correlation composed by multiple layers of abstraction, for example n levels of abstraction with m components in the first layer (base level), i in the second layer (more abstract level) , ... , j in the n-th layer (most abstract level).
Prelude Correlator is based on plugins. With each plugin, you can write your own correlation rule and send correlation alerts (IDMEF messages). When you generate a correlation alert, it is sent to Prelude Manager and also to the other plugins running in your Prelude Correlator instance. This is a simple approach to make multi-layer correlation. Just consider a plugin as a member of a layer of correlation, in this case you can build m plugins to process the first layer, i plugins to process the second layer , ... , j plugins to process the n-th layer.
That's it, to generate a correlation alert and send it to Prelude Manager and the other plugins in your Prelude Correlator instance, just call the alert method provided by IDMEF or, if you want to use ContextHelper, call the method generateCorrelationAlert.
To begin, two examples of entry and advanced plugins are provided (EntryLevelCorrelator, AdvancedLevelCorrelator).