Bug #253
Prelude Correlator: problem with unique in Event Sweep rule
% Done: 0%
Resolution: fixed
Description
When "unique: alert.target.node.address.address;" is in the [[EventSweep]] rule of the scan.rules file for Prelude Correlator, I get n/a in the Classification section of Prewikka. It is usually populated with something to the effect of:
Correlation Alert (30 alerts): A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability
Eventsweep
When removing that chunk, everything works fine.
Correlator version 0.9.0-trunk-20070717
Libprelude 0.9.14
ScottO
History
#1 Updated by Yoann VANDOORSELAERE about 16 years ago
- Status changed from New to Closed
- Resolution set to fixed
(In r10311) Implement IDMEF:getAnalyzerID(), allowing retrieval of the last analyzerID in an analyzerID list. Make use of it in LUA rulesets. Implement correct [[EventSweep]] unique target detection, fix #253.
#2 Updated by Yoann VANDOORSELAERE almost 15 years ago
- Project changed from PRELUDE SIEM to Prelude Correlator
- Category deleted (11)