Prelude Correlator: problem with unique in Event Sweep rule
When "unique: alert.target.node.address.address;" is in the [[EventSweep]] rule of the scan.rules file for Prelude Correlator, I get n/a in the Classification section of Prewikka. It is usually populated with something to the effect of:
Correlation Alert (30 alerts): A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability
When removing that chunk, everything works fine.
Correlator version 0.9.0-trunk-20070717
#1 Updated by Yoann VANDOORSELAERE over 12 years ago
- Status changed from New to Closed
- Resolution set to fixed
(In r10311) Implement IDMEF:getAnalyzerID(), allowing retrieval of the last
analyzerID in an analyzerID list. Make use of it in LUA rulesets.
Implement correct [[EventSweep]] unique target detection, fix #253.