Bug #332

Error about missing arguments in prelude-correlator lua ruleset

Added by over 15 years ago. Updated about 15 years ago.

Target version:
Start date:
Due date:
% Done:




The warning :

prelude prelude-correlator: ERROR: LUA error on 'business_hour': /etc/prelude-correlator/lua-rules/business-hour.lua:31: set(): require 3 arguments, got
2. (lua.c:148 lua_run)

Looking at other lua ruletset, set() only got 2 arguments ...


#1 Updated by Yoann VANDOORSELAERE over 15 years ago

Thanks for reporting this issue, could you please let us know the prelude-correlator version being used?

#2 Updated by over 15 years ago

prelude correlator 0.9.0-beta3 on RHEL 5.2 with latest libprelude et libpreludedb.


#3 Updated by Yoann VANDOORSELAERE over 15 years ago

Could you check that the currently installed rule look like the following:

function business_hour(INPUT)

local t = INPUT:get("alert.create_time")
local is_succeeded = INPUT:match("alert.assessment.impact.completion", "succeeded")

-- Run this code only on saturday (1) and sunday (6), or from 6:00pm to 9:00am.
if is_succeeded and (t.wday == 1 or t.wday == 6 or t.hour < 9 or t.hour > 18) then
        local ca =

        ca:set("alert.source", INPUT:getraw("alert.source"))
        ca:set("", INPUT:getraw(""))
        ca:set("alert.classification", INPUT:getraw("alert.classification"))
        ca:set("alert.correlation_alert.alertident(>>).alertident", INPUT:getraw("alert.messageid"))
        ca:set("alert.correlation_alert.alertident(-1).analyzerid", INPUT:getAnalyzerid())
        ca:set("", "Critical system activity on day off")


#4 Updated by over 15 years ago


Yes it does.

#5 Updated by Yoann VANDOORSELAERE over 15 years ago

I am not able to reproduce the problem here. What LUA version are you using?

#6 Updated by over 15 years ago


This package on RHEL 5.2.

For the moment, I can't investigate further (correlation is not the priority at the moment) but when i will be working on it full time after posting patches for Fortinet and [[NetScreen]] ruleset for prelule-lml, I will post further information after the debug session.


#7 Updated by over 15 years ago

I'm seeing the same thing, except I'm running prelude-correlator on Fedora 10, using the Fedora packages.

#8 Updated by over 15 years ago

After looking at the source code it seems to me that the problem is actually in IDMEF_getraw. There are circumstances where IDMEF_getraw can return zero values on the stack, thereby causing what looks like:

ca:set("alert.source", INPUT:getraw("alert.source"))

to execute like it's:


I haven't tested it yet, but changing IDMEF_getraw so that it returns a Lua nil value if idmef_path_get returns zero values should fix things up:

diff --git a/plugins/lua/lua-idmef.c b/plugins/lua/lua-idmef.c
index ebde74a..09e82c9 100644
--- a/plugins/lua/lua-idmef.c
+++ b/plugins/lua/lua-idmef.c
@@ -320,8 +320,10 @@ static int IDMEF_getraw(lua_State *lstate)
                 return -1;

-        if ( ret == 0 )
-                return 0;
+        if ( ret == 0 ) {
+                lua_pushnil(lstate);
+                return 1;
+        }

         pushIDMEFValue(lstate, value);
         return 1;

#9 Updated by over 15 years ago

I've added the above patch to my prelude-correlator install and it seems to be working.

#10 Updated by Yoann VANDOORSELAERE about 15 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Thanks for the patch ! It has been applied in changeset r11109.

#11 Updated by Yoann VANDOORSELAERE about 15 years ago

  • Project changed from PRELUDE SIEM to Prelude Correlator
  • Category deleted (11)
  • Target version deleted (91)

Also available in: Atom PDF