[prelude-correlator] alert is not triggered when receiving continuous logs in a context

Added by Marcus Smith about 5 years ago

Hello,

The detected issue is described at https://www.prelude-siem.org/boards/1/topics/218.

To sum up, it seems that in order to raise an alert, two conditions must be fulfilled:

1. the expire (time) of the context ran out
2. the threshold reaches the limit value

So, in a use case when I'm receiving continuous logs, despite the threshold being reached, the timer would be reset continuously and the alert will not be triggered until we stop receiving logs (I tested it). And that supposes that I won't notice that I'm receiving an EventStorm, for example, until it has ended.

So there are two options to solve this issue:

1. Avoid the timer reset each time a new context is called/updated

Changing ctx = search(name, idmef, update=True) to ctx = search(name, idmef, update=False) at the new function

2. Trigger an alert when a context reaches the threshold value, regardless of the expire value. (I didn't analyze where this process takes place)
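
As an added illustration (not prelude-correlator's own code), the following minimal model of a correlation context with a threshold and an expire timer reproduces the behaviour described above and shows what each of the two proposed options changes. The Context class, the simulate function and the event-storm timings are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """Toy model of a correlation context (constructed for this example)."""
    expire: float              # seconds of inactivity before the context expires
    threshold: int             # number of events that must accumulate to alert
    reset_on_update: bool      # update=True behaviour: every event restarts the timer
    alert_on_threshold: bool   # option 2: alert as soon as the threshold is reached
    count: int = 0
    deadline: Optional[float] = None

    def feed(self, t: float) -> bool:
        """Record one event at time t; return True if option 2 fires an alert."""
        if self.deadline is None or self.reset_on_update:
            self.deadline = t + self.expire  # arm (or re-arm) the expire timer
        self.count += 1
        return self.alert_on_threshold and self.count >= self.threshold

    def tick(self, t: float) -> bool:
        """Scheduler check at time t; on expiry, alert only if threshold was met."""
        if self.deadline is None or t < self.deadline:
            return False
        fired = self.count >= self.threshold
        self.count, self.deadline = 0, None  # context expired: start over
        return fired


def simulate(event_times, horizon: int, **ctx_args) -> Optional[int]:
    """Drive one context over [0, horizon]; return the time the alert fired, or None."""
    ctx = Context(**ctx_args)
    events = set(event_times)
    for t in range(horizon + 1):
        if t in events and ctx.feed(t):
            return t
        if ctx.tick(t):
            return t
    return None


# Constructed "EventStorm": one matching log every 2 s from t=0 to t=60, then silence.
STORM = list(range(0, 61, 2))
BASE = dict(expire=10, threshold=5)

if __name__ == "__main__":
    print("update=True, expire-only  ->", simulate(STORM, 80, reset_on_update=True, alert_on_threshold=False, **BASE))
    print("option 1 (update=False)   ->", simulate(STORM, 80, reset_on_update=False, alert_on_threshold=False, **BASE))
    print("option 2 (threshold fires)->", simulate(STORM, 80, reset_on_update=True, alert_on_threshold=True, **BASE))
```

With the reported behaviour the alert only appears at t=70, ten seconds after the storm stopped; option 1 fires at t=10 when the original timer expires, and option 2 fires at t=8 on the fifth event.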


Replies (2)

RE: [prelude-correlator] alert is not triggered when receiving continuous logs in a context - Added by Antoine LUONG almost 5 years ago

Maybe we should have an additional threshold causing the alert to be sent regardless of the timer when reached.
