Bug #191
Group by user broken
Description
Situation:
Multiple entries in a prewikka page with the IDMEF source user id attribute.
Selecting group by user generates a 500 server error
Prewikka 0.9.8/mod_python 3.1.3. Also tested without mod_python.
Log attached
History
#1 Updated by Yoann VANDOORSELAERE over 16 years ago
- Status changed from New to Assigned
It seems like one of your sensors is generating alerts with USER objects containing no name and number information.
Are you able to consistently reproduce this problem? Could you detail the type of alert this is happening with? If possible, I'd like to see a textual dump of one such alert (use preludedb-admin print).
#2 Updated by over 16 years ago
Problem is consistently appearing. The rule that is causing the problem is written by me, but I've also tested it with a wu-ftpd rule which causes the same problem.
Sensor is LML 0.9.7. I have just updated the system to 0.9.8.1. Rule is alerting on OpenVPN logins. Source info from dbadmin print below:
analyzer(2):
  name: OpenVPN
  manufacturer: OpenVPN
  class: Remote Login
  node:
    category: unknown (0)
    name: host.name
    address(0):
      category: ipv4-addr (7)
      address: 172.16.10.241
  process:
    name: openvpn
    pid: 18983
    create_time: 10/01/2007 08:33:52.245259 +13:00
classification:
  text: Remote user logged in
detect_time: 10/01/2007 08:33:52.0 +13:00
analyzer_time: 10/01/2007 08:33:52.245313 +13:00
source(0):
  spoofed: unknown (0)
  node:
    category: unknown (0)
    address(0):
      category: ipv4-addr (7)
      address: 1.1.1.1
  user:
    category: os-device (2)
    user_id(0):
      type: current-user (1)
      name: User_Name
#3 Updated by Yoann VANDOORSELAERE over 16 years ago
In order to reproduce your problem, please provide the rule as well as the log entry used to trigger the problem.
Additional note: please format your data (see [[WikiFormatting]]) when adding ticket comment.
#4 Updated by over 16 years ago
#LOG:openvpnr19067: 210.246.24.124:1194 [User_Name] Peer Connection Initiated with 210.246.24.124:1194
regex=\[(\w+)\] Peer Connection Initiated with ([\d\.]+); \
 classification.text=Remote user logged in; \
 id=31000; \
 revision=1; \
 analyzer(0).name=OpenVPN; \
 analyzer(0).manufacturer=OpenVPN; \
 analyzer(0).class=Remote Login; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=$1 has logged in; \
 last
#5 Updated by Yoann VANDOORSELAERE over 16 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed
(In r8770) Correctly set value_category depending on the IDMEF path. Don't add empty UserID to the UserID list (fix #191).
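The failure mode behind this ticket is a grouping step that assumes every IDMEF UserID carries a name, while comment #1 notes that a sensor can emit UserID objects with neither a name nor a number. The following is an added illustration, not Prewikka's or Prelude's own code: it models alerts as plain nested dicts and lists shaped like the preludedb-admin dump in comment #2 (an assumption, not Prewikka's data model), shows a naive group-by-user that raises on such an alert, and a hardened version that drops empty UserIDs the way the r8770 commit message describes. The sample alerts, the "#<number>" key format and the "(none)" bucket are constructed for the example.

```python
from collections import defaultdict

# Constructed sample alerts shaped like the preludedb-admin dump in
# comment #2: an alert has a list of sources, a source may carry a user,
# and a user carries a list of user_id objects.
ALERTS = [
    {"source": [{"user": {"category": "os-device",
                          "user_id": [{"type": "current-user",
                                       "name": "User_Name"}]}}]},
    {"source": [{"user": {"category": "os-device",
                          "user_id": [{"type": "current-user",
                                       "number": 1001}]}}]},
    # The trigger from comment #1: a UserID with neither name nor number.
    {"source": [{"user": {"category": "os-device",
                          "user_id": [{"type": "current-user"}]}}]},
    # A source with a node but no user object at all.
    {"source": [{"node": {"address": [{"address": "1.1.1.1"}]}}]},
    {"source": [{"user": {"category": "os-device",
                          "user_id": [{"type": "current-user",
                                       "name": "User_Name"}]}}]},
]


def group_by_user_naive(alerts):
    """Crash-prone version: indexes the name of the first UserID directly,
    so an alert whose UserID lacks a name (or has no user) raises KeyError,
    which a web front-end turns into a 500 error."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["source"][0]["user"]["user_id"][0]["name"]] += 1
    return dict(counts)


def user_id_key(user_id):
    """Return a grouping key for one IDMEF UserID, or None when it carries
    neither a name nor a number (the 'empty UserID' the fix drops).
    IDMEF allows either field alone, so neither may be assumed present."""
    name = user_id.get("name")
    if name:
        return name
    number = user_id.get("number")
    if number is not None:
        return "#%d" % number
    return None


def user_keys(alert):
    """Collect the usable UserID keys across all sources of an alert,
    skipping empty UserIDs instead of failing on them."""
    keys = []
    for source in alert.get("source", []):
        user = source.get("user")
        if not user:
            continue
        for user_id in user.get("user_id", []):
            key = user_id_key(user_id)
            if key is not None:
                keys.append(key)
    return keys


def group_by_user(alerts):
    """Hardened version: count alerts per user key; alerts without any
    usable UserID are counted under the constructed '(none)' bucket so
    they stay visible in the view rather than breaking it."""
    counts = defaultdict(int)
    for alert in alerts:
        for key in user_keys(alert) or ["(none)"]:
            counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    print(group_by_user(ALERTS))
```

Run as a script it prints the per-user counts for the constructed alerts; the point of the contrast is that the hardened grouping never indexes a field it has not checked for, and keeps alerts with empty or missing UserIDs countable instead of dropping them silently.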
#6 Updated by Yoann VANDOORSELAERE over 14 years ago
- Project changed from PRELUDE SIEM to Prewikka
- Category deleted (5)
- Target version deleted (0.9.9)