Bug #253: Prelude Correlator: problem with unique in Event Sweep rule - Prelude Correlator - UNITY 360

Bug #253

Prelude Correlator: problem with unique in Event Sweep rule

Added by skippylou-gmail-com - over 16 years ago. Updated almost 15 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Yoann VANDOORSELAERE

Target version:

Start date:

Due date:

% Done:

Resolution:

fixed

Description

When "unique: alert.target.node.address.address;" is in the [[EventSweep]] rule of the scan.rules file for Prelude Correlator, I get n/a in the Classification section of Prewikka. It is usually populated with something to the effect of:

Correlation Alert (30 alerts): A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability
Eventsweep

When removing that chunk, everything works fine.

Correlator version 0.9.0-trunk-20070717
Libprelude 0.9.14

ScottO

History

#1 Updated by Yoann VANDOORSELAERE about 16 years ago

Status changed from New to Closed
Resolution set to fixed

(In r10311) Implement IDMEF:getAnalyzerID(), allowing to retrieve the last
analyzerID in an analyzerID list. Make use of it in LUA rulesets.
Implement correct [[EventSweep]] unique target detection, fix #253.

#2 Updated by Yoann VANDOORSELAERE almost 15 years ago

Project changed from PRELUDE SIEM to Prelude Correlator
Category deleted (11)

Also available in: Atom PDF

Project

General

Profile

Issues

Bug #253

Prelude Correlator: problem with unique in Event Sweep rule

History

#1 Updated by Yoann VANDOORSELAERE about 16 years ago

#2 Updated by Yoann VANDOORSELAERE almost 15 years ago