Bug #1842
Duplicated analyzer in Prelude alert
Status: Closed
Description
Hello,
We encountered a strange behavior since the changes done in #1634, where Prelude alerts have two analyzers named Suricata instead of one.
See the output of such an alert:
version: <empty>
alert:
  messageid: 66ee2c8c-3ea3-11e6-bd8e
  analyzer(0):
    analyzerid: 3491814173832904
    name: prelude-manager
    manufacturer: http://www.prelude-siem.com
    model: Prelude Manager
    version: 3.0.0
    class: Concentrator
    ostype: Linux
    osversion: 3.10.0-327.el7.x86_64
    process:
      name: prelude-manager
      pid: 2537
      path: /usr/bin/prelude-manager
  analyzer(1):
    analyzerid: 2704112876839258
    name: suricata
    manufacturer: http://www.openinfosecfoundation.org/
    model: Suricata
    version: 2.0.11
    class: NIDS
    ostype: Linux
    osversion: 3.10.0-327.el7.x86_64
    process:
      name: <empty>
      pid: 21587
  analyzer(2):
    manufacturer: http://www.openinfosecfoundation.org/
    model: Suricata
    version: 2.0.11
    class: NIDS
  create_time: 30/06/2016 11:17:00.885513 +02:00
  classification:
    ident: 1:2200074
    text: SURICATA TCPv4 invalid checksum
  detect_time: 30/06/2016 11:17:00.885147 +02:00
  analyzer_time: 30/06/2016 11:17:00.885570 +02:00
  source(0):
    spoofed: unknown (0)
    node:
      category: unknown (0)
      address(0):
        category: ipv4-addr (7)
        address: 172.25.35.101
    service:
      ip_version: 4
      iana_protocol_number: 6
      iana_protocol_name: tcp
      port: 22
  target(0):
    decoy: unknown (0)
    node:
      category: unknown (0)
      address(0):
        category: ipv4-addr (7)
        address: 10.25.201.159
    service:
      ip_version: 4
      iana_protocol_number: 6
      iana_protocol_name: tcp
      port: 56036
  assessment:
    impact:
      severity: low (2)
      type: other (0)
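The symptom in the dump above is easy to miss by eye, so here is a small check for it. This is an added example, not code from the bug report, from Suricata or from Prelude: it parses the indented key/value text format of the dump into nested dicts and flags an analyzer entry that carries no analyzerid/name or that repeats the manufacturer/model/version/class of an earlier entry. The sample dump is constructed from the alert in the report, trimmed to the analyzer section; the parsing assumes two-space indentation as shown there.

```python
"""Sanity check for the analyzer chain of a Prelude IDMEF text dump.

Added example (not part of the Suricata bug report or its patch). It parses
the indented 'key: value' dump format shown in the report into nested dicts
and flags the symptom described: a second Suricata analyzer entry that has
no analyzerid or name. SAMPLE_DUMP is constructed from the report's alert,
trimmed to the analyzer section.
"""

SAMPLE_DUMP = """\
alert:
  messageid: 66ee2c8c-3ea3-11e6-bd8e
  analyzer(0):
    analyzerid: 3491814173832904
    name: prelude-manager
    manufacturer: http://www.prelude-siem.com
    model: Prelude Manager
    version: 3.0.0
    class: Concentrator
  analyzer(1):
    analyzerid: 2704112876839258
    name: suricata
    manufacturer: http://www.openinfosecfoundation.org/
    model: Suricata
    version: 2.0.11
    class: NIDS
    process:
      name: <empty>
      pid: 21587
  analyzer(2):
    manufacturer: http://www.openinfosecfoundation.org/
    model: Suricata
    version: 2.0.11
    class: NIDS
"""


def parse_dump(text):
    """Parse an indented 'key: value' dump into nested dicts.

    A line whose value is empty (e.g. 'analyzer(0):') opens a nested section;
    nesting is recovered from the indentation depth. Only the first ':' on a
    line separates key from value, so URL values keep their 'http://'.
    """
    root = {}
    stack = [(-1, root)]  # (indent, container) for the open sections
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        # Close every section that is indented at least as deep as this line.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            node = {}
            parent[key] = node
            stack.append((indent, node))
        else:
            parent[key] = value
    return root


def analyzers(alert):
    """Return the analyzer(N) entries of a parsed alert, in path order."""
    return [v for k, v in alert.items()
            if k.startswith("analyzer(") and isinstance(v, dict)]


def check_analyzer_chain(alert):
    """Return a list of findings; an empty list means the chain looks sane.

    Flags two conditions:
      * an analyzer without analyzerid/name (the blank per-thread analyzer
        the report shows as analyzer(2));
      * two analyzers with identical manufacturer/model/version/class, i.e.
        the same sensor appearing twice in the path.
    """
    findings = []
    seen = {}  # fingerprint -> index of the first analyzer carrying it
    for idx, a in enumerate(analyzers(alert)):
        if "analyzerid" not in a or "name" not in a:
            findings.append(f"analyzer({idx}) lacks analyzerid/name")
        fp = tuple(a.get(f, "") for f in ("manufacturer", "model", "version", "class"))
        if fp in seen:
            findings.append(
                f"analyzer({idx}) duplicates analyzer({seen[fp]}): {fp[1]} {fp[2]}")
        else:
            seen[fp] = idx
    return findings


if __name__ == "__main__":
    for finding in check_analyzer_chain(parse_dump(SAMPLE_DUMP)["alert"]):
        print("FINDING:", finding)
```

Run against the sample it reports analyzer(2) twice: once for the missing analyzerid/name and once as a duplicate of analyzer(1). After a fixed sensor is deployed the same check over fresh alerts should return no findings, which makes it a convenient regression test for this bug.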
Updated by Antoine Luong over 8 years ago
The following patch seems to fix the problem:
diff --git a/src/alert-prelude.c b/src/alert-prelude.c
index 1a7b268..d42367f 100644
--- a/src/alert-prelude.c
+++ b/src/alert-prelude.c
@@ -635,6 +635,7 @@ static int PreludePrintStreamSegmentCallback(const Packet *p, void *data, uint8_
*/
static TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data)
{
+ int ret;
AlertPreludeThread *aun;
SCEnter();
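Review bot: `int ret;` is declared at the top of AlertPreludeThreadInit but is only assigned once, by the idmef_analyzer_clone() call in the following hunk; declaring it at that point of use (`int ret = idmef_analyzer_clone(...)`) would keep the variable next to its single use. Style only.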
@@ -654,7 +655,8 @@ static TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data
aun->ctx = ((OutputCtx *)initdata)->data;
/* Create a per-thread idmef analyzer */
- if (unlikely(idmef_analyzer_new(&aun->analyzer) < 0)) {
+ ret = idmef_analyzer_clone(prelude_client_get_analyzer(aun->ctx->client), &aun->analyzer);
+ if (unlikely(ret < 0)) {
SCLogError(SC_ERR_INITIALIZATION,
"Error creating idmef analyzer for Prelude.");
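Review bot: the error message on the new failure path should carry the libprelude error, since "Error creating idmef analyzer for Prelude." no longer tells an operator whether idmef_analyzer_clone() or prelude_client_get_analyzer() was the step that failed; appending prelude_strerror(ret) to the SCLogError call would make that actionable. On the substance, replacing idmef_analyzer_new() with a clone of the client's own analyzer is what removes the blank entry: a freshly created analyzer has no analyzerid or name, which is exactly what analyzer(2) in the report shows, while a clone inherits them. The hunk keeps relying on the existing SCFree(aun) / TM_ECODE_FAILED lines below for cleanup, so it is worth confirming that idmef_analyzer_clone() leaves aun->analyzer untouched when it returns an error.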
@@ -662,16 +664,6 @@ static TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data
SCReturnInt(TM_ECODE_FAILED);
}
- /* Setup the per-thread idmef analyzer */
- if (unlikely(SetupAnalyzer(aun->analyzer) < 0)) {
- SCLogError(SC_ERR_INITIALIZATION,
- "Error configuring idmef analyzer for Prelude.");
-
- idmef_analyzer_destroy(aun->analyzer);
- SCFree(aun);
- SCReturnInt(TM_ECODE_FAILED);
- }
-
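Review bot: removing the SetupAnalyzer() call and its error block leaves no caller of SetupAnalyzer() visible in this diff; if it is a static helper that only populated manufacturer/model/version/class (the four fields the blank analyzer(2) in the report still carried), it is now dead code and should be deleted in the same change, otherwise the build will warn about an unused static function.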
Regards
Updated by Victor Julien over 6 years ago
- Status changed from New to Closed
- Target version changed from TBD to 4.1beta1
Updated by Victor Julien over 6 years ago
- Assignee changed from Anonymous to Antoine Luong