[prelude-correlator] alert is not triggered when receiving continuous logs in a context
Added by Marcus Smith over 5 years ago
Hello,
The detected issue is described at
https://www.prelude-siem.org/boards/1/topics/218.
To sum up, it seems that in order to raise an alert, two conditions must be fulfilled:
1. the expire (time) of the context ran out
2. the threshold reaches the limit value
So, in a use case where I'm receiving continuous logs, even though the threshold is reached, the timer would be reset continuously and the alert will not be triggered until we stop receiving logs (I tested it). And that means I won't notice that I'm receiving an EventStorm, for example, until it has ended.
So there are two options to solve this issue:
1. Avoid the timer reset each time a new context is called/updated
Changing ctx = search(name, idmef, update=True) to ctx = search(name, idmef, update=False) at the new function
2. Trigger an alert when a context reaches the threshold value, regardless of the expire value. (I didn't analyze where this process takes place)
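The behaviour described in this report, as an added stand-alone simulation (editor's example, not prelude-correlator's own code or API): a context holds a counter and an expire timer, each matching event updates it, and the alert is raised from the expiry callback only if the threshold was reached. The `reset_on_update` flag models the `update=True` / `update=False` choice from option 1, and `alert_on_threshold` models option 2. Times are virtual seconds and the event storm is constructed, so nothing sleeps and no prelude installation is needed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Context:
    """Minimal model of a correlation context: a counter plus an expire timer.
    Simulation only; field names are assumptions, not prelude's attributes."""
    expire: float        # window length in seconds
    threshold: int       # number of events needed before the alert is allowed
    count: int = 0
    expires_at: float = 0.0


def simulate(event_times: List[float], expire: float, threshold: int,
             reset_on_update: bool, alert_on_threshold: bool,
             end_time: float) -> List[float]:
    """Replay a stream of matching events and return the virtual timestamps
    at which an alert would be raised under the chosen policy."""
    ctx: Optional[Context] = None
    alerts: List[float] = []

    for t in sorted(event_times):
        # Expiry callback: the alert fires only when BOTH conditions from the
        # post hold (timer ran out AND threshold reached); the context is dropped.
        if ctx is not None and ctx.expires_at <= t:
            if ctx.count >= ctx.threshold:
                alerts.append(ctx.expires_at)
            ctx = None

        if ctx is None:
            ctx = Context(expire, threshold, expires_at=t + expire)  # new context
        elif reset_on_update:
            ctx.expires_at = t + expire  # update=True behaviour: timer restarts
        ctx.count += 1

        # Option 2: alert as soon as the threshold is hit, ignoring the timer.
        if alert_on_threshold and ctx.count >= ctx.threshold:
            alerts.append(t)
            ctx = None

    # Nothing more arrives: let a still-pending context expire naturally.
    if ctx is not None and ctx.expires_at <= end_time:
        if ctx.count >= ctx.threshold:
            alerts.append(ctx.expires_at)
    return alerts


# Constructed event storm: one matching event per second for a full minute.
STORM = [float(t) for t in range(60)]


def compare(storm: List[float] = STORM, expire: float = 10.0,
            threshold: int = 5, end_time: float = 100.0) -> Dict[str, List[float]]:
    """Run the three policies from the post on the same storm."""
    return {
        # current behaviour: update=True resets the timer on every event
        "current": simulate(storm, expire, threshold, True, False, end_time),
        # option 1: update=False, timer is never reset after creation
        "no_timer_reset": simulate(storm, expire, threshold, False, False, end_time),
        # option 2: alert when the threshold is reached, regardless of expire
        "alert_on_threshold": simulate(storm, expire, threshold, True, True, end_time),
    }


if __name__ == "__main__":
    for policy, alerts in compare().items():
        first = alerts[0] if alerts else None
        print(f"{policy:20s} first alert at t={first}, total alerts={len(alerts)}")
```

With the timer reset on every update, the only alert comes at t=69, ten seconds after the last event of the storm, which is exactly the "I won't notice until it ended" case. Without the reset the first alert comes at t=10 and repeats every window; alerting on the threshold itself reports at t=4 and then every five events. Which of the latter two is preferable depends on how noisy a per-window alert is acceptable for the rule in question.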
Replies (2)
RE: [prelude-correlator] alert is not triggered when receiving continuous logs in a context - Added by Antoine LUONG over 5 years ago
Maybe we should have an additional threshold causing the alert to be sent regardless of the timer when reached.
RE: [prelude-correlator] alert is not triggered when receiving continuous logs in a context - Added by Antoine LUONG about 5 years ago
This behavior will change in 5.1.0.