[Solved] Prelude Correlator alerts - IDMEF

Added by Bob Mule over 8 years ago

Dear all,
Are the Correlator alerts stored in the same table as the other IDMEF alerts generated from Prelude LML and the Agent sensor API?
I'm also wondering how to distinguish them from other alerts. In the Correlator code example, I see

Thanks in advance for any help.
Best, Bob

Replies (2)

RE: Prelude Correlator alerts - IDMEF - Added by Antoine LUONG over 8 years ago


Correlation alerts are stored in a specific table (Prelude_CorrelationAlert).
From the libprelude standpoint, you can distinguish correlation alerts from other IDMEF messages by looking at the "alert.correlation_alert" path and seeing whether it is null or not.
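
The same null check, shown as an added example that is not part of the original thread and does not use the libprelude API: it goes beyond the reply by assuming the alerts are available as RFC 4765 IDMEF XML, where a correlation alert is an `Alert` carrying a `CorrelationAlert` element. The function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

NS = {"idmef": "http://iana.org/idmef"}  # IDMEF XML namespace (RFC 4765)

# Constructed, trimmed sample (CreateTime omitted): one sensor alert and one
# correlation alert that references a-100 and a-101; a-101 is not in the document.
SAMPLE = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
 <idmef:Alert messageid="a-100">
  <idmef:Analyzer analyzerid="lml-1"/>
  <idmef:Classification text="SSH login failed"/>
 </idmef:Alert>
 <idmef:Alert messageid="c-1">
  <idmef:Analyzer analyzerid="correlator-1"/>
  <idmef:Classification text="Brute force attack"/>
  <idmef:CorrelationAlert>
   <idmef:name>Multiple failed logins</idmef:name>
   <idmef:alertident analyzerid="lml-1">a-100</idmef:alertident>
   <idmef:alertident analyzerid="lml-1">a-101</idmef:alertident>
  </idmef:CorrelationAlert>
 </idmef:Alert>
</idmef:IDMEF-Message>"""


def split_alerts(xml_text):
    """Return (plain, correlated): plain is a list of messageids, correlated
    maps each correlation alert's messageid to its name and referenced alerts."""
    root = ET.fromstring(xml_text)
    plain, correlated = [], {}
    for alert in root.findall("idmef:Alert", NS):
        msgid = alert.get("messageid")
        corr = alert.find("idmef:CorrelationAlert", NS)
        if corr is None:  # XML equivalent of a null alert.correlation_alert
            plain.append(msgid)
            continue
        correlated[msgid] = {
            "name": corr.findtext("idmef:name", default="", namespaces=NS),
            "alertidents": [(e.get("analyzerid"), (e.text or "").strip())
                            for e in corr.findall("idmef:alertident", NS)],
        }
    return plain, correlated


def dangling_references(xml_text):
    """Alert idents cited by correlation alerts but absent from the document."""
    plain, correlated = split_alerts(xml_text)
    known = set(plain) | set(correlated)
    return sorted(ident for c in correlated.values()
                  for _, ident in c["alertidents"] if ident not in known)
```

`dangling_references` is useful when triaging a correlation alert whose underlying sensor alerts were not exported or have already been purged.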