Bug #204
Not seeing all alerts in Prewikka
0%
Description
After upgrading to Prewikka 0.9.9 some of the alert grouping is not correct.
In 0.9.8 when grouping by classification.text in alert_listing the same classification alert on multiple sensors would list all of the sensors the event was detected on. In 0.9.9 Only 1 sensor is shown.
Also when there are two events with similar properties e.g. user authentication failed for the same user. the front end show 2x alerts, but when entering that event the alert_listing only shows the details for 1 of the events.
History
#1 Updated by Yoann VANDOORSELAERE over 16 years ago
- Status changed from New to Assigned
I am able to reproduce the first part of your report: only one of two analyzer of the same name but different node will show up.
The second part I am not able to reproduce, could you please provide me more details about this specific issue, and the exact settings you are using to reproduce it?
#2 Updated by over 16 years ago
Two alerts with the same classification.text but different assessment.impact.severity or assesment.impact.completion.
On the frontend it groups these alerts as similar but on entering the alert the filtering of assesment.impact.completion and assessment.impact.severity removes some of the results.
Hope that helps
#3 Updated by Yoann VANDOORSELAERE over 16 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed
(In r8831) Correct handling of empty value for hash key generation. Fix #204.
#4 Updated by Yoann VANDOORSELAERE about 14 years ago
- Project changed from PRELUDE SIEM to Prewikka
- Category deleted (
5) - Target version deleted (
0.9.10)