UNITY 360: Issues
http://www.prelude-siem.org/
Updated: 2008-06-30T13:48:32Z

Prelude Correlator - Bug #295 (Closed): Occasional LUA error message
http://www.prelude-siem.org/issues/295
2008-06-30T13:48:32Z
Yoann VANDOORSELAERE
<pre>
ERROR: LUA error on 'firewall': /etc/prelude-correlator/lua-rules/firewall.lua:35: attempt to index local 'result' (a nil value). (lua.c:148 lua_run)
</pre>
<p>This seems to happen when calling the IDMEF:get() method with 2 wiki:IDMEFPath arguments (1, 3 or more work).</p>

Prelude-LML - Bug #214 (New): Invalid classification reference in several LML rulesets
http://www.prelude-siem.org/issues/214
2007-04-03T17:37:44Z
Yoann VANDOORSELAERE
<p>Some LML rulesets are missing an "url" field for the Classification Reference. IDMEF specifies that the "url" member of a Reference has to be specified.</p>
<p>Examples of such rulesets are:</p>
<ul>
<li>cisco-vpn.rules</li>
<li>cisco-css.rules</li>
</ul>

Prelude-LML - Bug #213 (New): LML rulesets should be updated to use IDMEF Action
http://www.prelude-siem.org/issues/213
2007-04-03T17:31:44Z
Yoann VANDOORSELAERE
<p>Current rulesets (except modsecurity) do not make use of the IDMEF Action class.</p>
<pre>
4.2.6.2. The Action Class
The Action class is used to describe any actions taken by the
analyzer in response to the event.
category
The type of action taken. The permitted values are shown below.
The default value is "other". (See also Section 10.)
+------+-------------------+----------------------------------------+
| Rank | Keyword           | Description                            |
+------+-------------------+----------------------------------------+
|    0 | block-installed   | A block of some sort was installed to  |
|      |                   | prevent an attack from reaching its    |
|      |                   | destination. The block could be a      |
|      |                   | port block, address block, etc., or    |
|      |                   | disabling a user account.              |
|      |                   |                                        |
|    1 | notification-sent | A notification message of some sort    |
|      |                   | was sent out-of-band (via pager,       |
|      |                   | e-mail, etc.). Does not include the    |
|      |                   | transmission of this alert.            |
|      |                   |                                        |
|    2 | taken-offline     | A system, computer, or user was taken  |
|      |                   | offline, as when the computer is shut  |
|      |                   | down or a user is logged off.          |
|      |                   |                                        |
|    3 | other             | Anything not in one of the above       |
|      |                   | categories.                            |
+------+-------------------+----------------------------------------+
The element itself may be empty, or may contain a textual
description of the action, if the analyzer is able to provide
additional details.
</pre>

Prelude Manager - Bug #196 (Closed): XML output corruption
http://www.prelude-siem.org/issues/196
2007-02-05T13:45:21Z
Yoann VANDOORSELAERE
<p>There is a corruption issue with the Prelude-Manager XMLmod output. The problem happens independently of the XML output method.</p>
<p>Example of corruption:</p>
<pre>
<AdditionalData type="byte-string" meaning="payload"<IDMEF-Message><Heartbeat>
</pre>

Prelude Correlator - Bug #141 (Closed): Support for setting multiple context at once from multipl...
http://www.prelude-siem.org/issues/141
2006-04-01T00:35:53Z
Yoann VANDOORSELAERE
<p>Support needs to be implemented so that it is possible to retrieve a list of IDMEF values and assign multiple contexts, one for each retrieved value. For example, we might want to create multiple address contexts out of the content of alert.source(*).node.address(*).address.</p>
<p>When retrieving such an object, the IDMEF value API should be used in order to iterate the returned idmef_value_t object. We should then be able to bind these values to a specific action (in the example below, $1* would mean to replicate the create action for each value contained in $1).</p>
<pre>
pattern = alert.source(*).node.address(*).address: (.*);
action = create TARGET_ADDRESS_$1*;
</pre>
<p>For example, if the resulting IDMEF value contains x.x.x.x and y.y.y.y, the action should expand to:</p>
<pre>
create TARGET_ADDRESS_x.x.x.x;
create TARGET_ADDRESS_y.y.y.y;
</pre>

Prelude-LML - Bug #109 (Closed): Fix Prelude-LML static compilation
http://www.prelude-siem.org/issues/109
2005-11-18T09:00:32Z
Yoann VANDOORSELAERE
<p>Compiling Prelude-LML statically with FAM support enabled fails with undefined references.</p>

Prelude-LML - Bug #108 (Closed): Target Node remains empty when using --no-resolve
http://www.prelude-siem.org/issues/108
2005-11-18T08:56:10Z
Yoann VANDOORSELAERE
<p>Ideally, when the user specifies that he doesn't want DNS lookups, the raw target hostname should be set without any further lookup operation to get target information.</p>

Prewikka - Bug #49 (Closed): Do not rely on ident to get the latest alert/heartbeat
http://www.prelude-siem.org/issues/49
2004-10-28T19:01:50Z
Yoann VANDOORSELAERE
<p>Currently, Prewikka considers the heartbeat in the database with the highest ident to be the last heartbeat that has been added to the database. This is wrong since the ident allocation scheme drastically changed, and even though idents are unique, it shouldn't be assumed that their number is increasing incrementally. Moreover, this specificity is not described by the IDMEF standard and would result in incorrect behavior with other IDMEF database implementations.</p>
<p>In order to get the latest heartbeat in the database, Prewikka should rely on the create_time field contained within the heartbeat.</p>

Prewikka - Bug #48 (Closed): Additional data of type 'byte' dumped incorrectly.
http://www.prelude-siem.org/issues/48
2004-10-28T18:57:57Z
Yoann VANDOORSELAERE
<p>Currently, Prewikka simply prints the content of additional data without taking care of the 'type' of the data represented.</p>
<p>Typically, in case these data are raw bytes, Prewikka should issue two dumps of the data:<br />- An ASCII dump of the printable bytes.<br />- A hexadecimal dump of the whole data.</p>

Prelude-LML - Bug #46 (Closed): lml relies on un-portable strptime behavior.
http://www.prelude-siem.org/issues/46
2004-07-23T18:07:48Z
Yoann VANDOORSELAERE
<p>It is not specified whether strptime will modify the members of a localtime struct when these members are not matched by the format string. This, for example, results in a bug on Solaris 7.</p>

Libprelude - Bug #40 (Closed): Use pointer for optional idmef_string_t.
http://www.prelude-siem.org/issues/40
2004-07-14T18:30:51Z
Yoann VANDOORSELAERE
<p>Optional IDMEF string fields should be referenced by their IDMEF parent through a pointer, and not directly 'hard coded' within the parent.</p>

LibpreludeDB - Bug #37 (Closed): Handling of idmef_time_t in libpreludedb
http://www.prelude-siem.org/issues/37
2004-07-05T22:29:25Z
Yoann VANDOORSELAERE
<p>idmef_time_t has been modified so that the time reported by the sensor is UTC, and a sensor-specific GMT offset is provided in case the user wants to sort alerts by the sensor-specific timezone.</p>
<p>This modification has to be implemented in libpreludedb: the GMT offset of the sensor should be stored in the database.</p>

LibpreludeDB - Bug #36 (Closed): Introduce a backward compatible version of 'classic' database pl...
http://www.prelude-siem.org/issues/36
2004-07-05T22:22:38Z
Yoann VANDOORSELAERE
<p>A version of classic compatible with existing 0.8 databases should be re-introduced in libpreludedb. This plugin doesn't have to support writing to the database, as some of the recent IDMEF structure changes make this impossible. It would be interesting to add two new libpreludedb plugin flags: a capability flag (read/write), plus a version flag (classic 0.8/0.9).</p>

LibpreludeDB - Bug #35 (Closed): Handle analyzer chaining insertion/selection
http://www.prelude-siem.org/issues/35
2004-07-05T22:19:00Z
Yoann VANDOORSELAERE
<p>Analyzer chaining is not supported in libpreludedb yet.</p>

Libprelude - Bug #27 (Closed): Implementation of failover quotas
http://www.prelude-siem.org/issues/27
2004-06-12T17:41:58Z
Yoann VANDOORSELAERE
<p>One should be able to limit the number of alerts written to the hard disk. In the case where a quota is specified and we have to drop alerts, older alerts should be the ones to be deleted.</p>