Bug #253

Prelude Correlator: problem with unique in Event Sweep rule

Added by skippylou-gmail-com - over 12 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
Start date:
Due date:
% Done:
0%

Resolution:
fixed

Description

When "unique: alert.target.node.address.address;" is in the [[EventSweep]] rule of the scan.rules file for Prelude Correlator, I get n/a in the Classification section of Prewikka. It is usually populated with something to the effect of:

Correlation Alert (30 alerts): A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability
Eventsweep

When removing that chunk, everything works fine.

Correlator version 0.9.0-trunk-20070717
Libprelude 0.9.14

ScottO
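The bug above concerns the difference between counting alerts and counting unique targets in an event-sweep rule. The following is an added example, not Prelude Correlator's own code or ruleset: a minimal sweep detector in Python that groups alerts by (source, classification) and flags a source only when it has reached a threshold of distinct targets, alongside the non-unique behaviour for comparison. The alert dictionaries, the `threshold` parameter and the `unique` switch are assumptions made for this illustration; the field names loosely mirror `alert.source`, `alert.target` and `alert.classification` but are not real IDMEF paths.

```python
from collections import defaultdict

# Constructed sample alerts in a simplified IDMEF-like shape (not real Prelude data).
# 10.0.0.5 hits four distinct targets with one classification (a real sweep),
# 10.0.0.9 hits the same target three times (noisy, but not a sweep),
# 10.0.0.7 hits two targets twice each (four alerts, only two unique targets).
SAMPLE_ALERTS = [
    {"source": "10.0.0.5", "target": "10.0.1.1", "classification": "SSH login failed"},
    {"source": "10.0.0.5", "target": "10.0.1.2", "classification": "SSH login failed"},
    {"source": "10.0.0.5", "target": "10.0.1.3", "classification": "SSH login failed"},
    {"source": "10.0.0.5", "target": "10.0.1.4", "classification": "SSH login failed"},
    {"source": "10.0.0.9", "target": "10.0.1.1", "classification": "SSH login failed"},
    {"source": "10.0.0.9", "target": "10.0.1.1", "classification": "SSH login failed"},
    {"source": "10.0.0.9", "target": "10.0.1.1", "classification": "SSH login failed"},
    {"source": "10.0.0.7", "target": "10.0.2.1", "classification": "HTTP probe"},
    {"source": "10.0.0.7", "target": "10.0.2.1", "classification": "HTTP probe"},
    {"source": "10.0.0.7", "target": "10.0.2.2", "classification": "HTTP probe"},
    {"source": "10.0.0.7", "target": "10.0.2.2", "classification": "HTTP probe"},
]


def sweep_groups(alerts):
    """Group alerts by (source, classification); keep the raw count and the
    set of distinct targets for each group.  This is the part the 'unique:'
    keyword in the rule is meant to control."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for alert in alerts:
        key = (alert["source"], alert["classification"])
        groups[key]["count"] += 1
        groups[key]["targets"].add(alert["target"])
    return groups


def detect_sweeps(alerts, threshold=3, unique=True):
    """Emit one correlation alert per (source, classification) that reaches
    `threshold`.  With unique=True the threshold applies to distinct targets;
    with unique=False it applies to the raw alert count, which lets a single
    noisy host/target pair masquerade as a sweep."""
    results = []
    for (src, cls), group in sweep_groups(alerts).items():
        measure = len(group["targets"]) if unique else group["count"]
        if measure >= threshold:
            results.append({
                "source": src,
                "classification": cls,
                "alerts": group["count"],
                "unique_targets": len(group["targets"]),
                # Same wording as the correlation alert text quoted in the report.
                "text": (f"Correlation Alert ({group['count']} alerts): A single host has "
                         f"played the same event against multiple targets. "
                         f"This may be a network scan for a specific vulnerability"),
            })
    return sorted(results, key=lambda r: r["source"])


if __name__ == "__main__":
    for mode in (True, False):
        print(f"unique={mode}:")
        for r in detect_sweeps(SAMPLE_ALERTS, unique=mode):
            print(f"  {r['source']} {r['classification']!r}: "
                  f"{r['alerts']} alerts, {r['unique_targets']} unique targets")
```

With `unique=True` only 10.0.0.5 is reported; with `unique=False` all three sources cross the threshold, which is the false-positive pattern the unique-target check in the fix is there to suppress.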

History

#1 Updated by Yoann VANDOORSELAERE almost 12 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

(In r10311) Implement IDMEF:getAnalyzerID(), allowing to retrieve the last
analyzerID in an analyzerID list. Make use of it in LUA rulesets.
Implement correct [[EventSweep]] unique target detection, fix #253.

#2 Updated by Yoann VANDOORSELAERE over 10 years ago

  • Project changed from PRELUDE SIEM to Prelude Correlator
  • Category deleted (11)
