Bug #1842: Duplicated analyzer in Prelude alert
Status: closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
Hello,
We encountered a strange behavior since the changes done in #1634, where Prelude alerts have two analyzers named Suricata instead of one.
See the output of such an alert:
version: <empty>
alert:
  messageid: 66ee2c8c-3ea3-11e6-bd8e
  analyzer(0):
    analyzerid: 3491814173832904
    name: prelude-manager
    manufacturer: http://www.prelude-siem.com
    model: Prelude Manager
    version: 3.0.0
    class: Concentrator
    ostype: Linux
    osversion: 3.10.0-327.el7.x86_64
    process:
      name: prelude-manager
      pid: 2537
      path: /usr/bin/prelude-manager
  analyzer(1):
    analyzerid: 2704112876839258
    name: suricata
    manufacturer: http://www.openinfosecfoundation.org/
    model: Suricata
    version: 2.0.11
    class: NIDS
    ostype: Linux
    osversion: 3.10.0-327.el7.x86_64
    process:
      name: <empty>
      pid: 21587
  analyzer(2):
    manufacturer: http://www.openinfosecfoundation.org/
    model: Suricata
    version: 2.0.11
    class: NIDS
  create_time: 30/06/2016 11:17:00.885513 +02:00
  classification:
    ident: 1:2200074
    text: SURICATA TCPv4 invalid checksum
  detect_time: 30/06/2016 11:17:00.885147 +02:00
  analyzer_time: 30/06/2016 11:17:00.885570 +02:00
  source(0):
    spoofed: unknown (0)
    node:
      category: unknown (0)
      address(0):
        category: ipv4-addr (7)
        address: 172.25.35.101
    service:
      ip_version: 4
      iana_protocol_number: 6
      iana_protocol_name: tcp
      port: 22
  target(0):
    decoy: unknown (0)
    node:
      category: unknown (0)
      address(0):
        category: ipv4-addr (7)
        address: 10.25.201.159
    service:
      ip_version: 4
      iana_protocol_number: 6
      iana_protocol_name: tcp
      port: 56036
  assessment:
    impact:
      severity: low (2)
      type: other (0)
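The duplicated Suricata entry in the dump above can be caught mechanically, which is useful when checking whether a manager or sensor upgrade has regressed the analyzer path. The script below is an added example and is not part of this bug report, of Suricata, or of Prelude: it parses the indented key/value text that prelude-manager prints for an alert (the sample inside it is constructed from the dump in this report, trimmed to the relevant fields) and reports analyzer entries that describe the same manufacturer/model/version twice, as well as entries that carry no analyzerid or name, which is the tell-tale shape of the second Suricata block. The function names parse_dump, find_duplicate_analyzers and missing_identity are my own.

```python
"""Flag duplicated analyzer entries in a Prelude (IDMEF) alert text dump.

Added example, not code from the bug report or from Suricata/Prelude.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: a trimmed copy of the alert dump quoted in the report.
SAMPLE_ALERT = """\
version: <empty>
alert:
  messageid: 66ee2c8c-3ea3-11e6-bd8e
  analyzer(0):
    analyzerid: 3491814173832904
    name: prelude-manager
    manufacturer: http://www.prelude-siem.com
    model: Prelude Manager
    version: 3.0.0
    class: Concentrator
  analyzer(1):
    analyzerid: 2704112876839258
    name: suricata
    manufacturer: http://www.openinfosecfoundation.org/
    model: Suricata
    version: 2.0.11
    class: NIDS
    process:
      name: <empty>
      pid: 21587
  analyzer(2):
    manufacturer: http://www.openinfosecfoundation.org/
    model: Suricata
    version: 2.0.11
    class: NIDS
  classification:
    ident: 1:2200074
    text: SURICATA TCPv4 invalid checksum
"""

# "key: value" or a bare "key:" that opens a nested block; the key stops at
# the first colon so values such as URLs or "1:2200074" survive intact.
LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[^:]+):\s?(?P<value>.*)$")
ANALYZER_RE = re.compile(r"^analyzer\((\d+)\)$")


def parse_dump(text: str) -> Dict[str, Any]:
    """Turn the indented dump into nested dicts keyed by the printed labels.

    A "key: value" line becomes a string, a bare "key:" line becomes a dict
    holding the deeper-indented lines below it, and "<empty>" becomes None.
    """
    root: Dict[str, Any] = {}
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        indent = len(m.group("indent"))
        key, value = m.group("key").strip(), m.group("value").strip()
        # Close every block that is indented at least as deep as this line.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = None if value == "<empty>" else value
    return root


def analyzers(alert: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the analyzer(N) entries of an alert ordered by N."""
    entries = []
    for key, value in alert.items():
        m = ANALYZER_RE.match(key)
        if m:
            entries.append((int(m.group(1)), value))
    return [value for _, value in sorted(entries, key=lambda e: e[0])]


def find_duplicate_analyzers(dump: Dict[str, Any]) -> List[Tuple[int, int]]:
    """Return index pairs (i, j) of analyzers that describe the same sensor.

    Two entries count as the same sensor when manufacturer, model and version
    all match. Each hop of the analyzer path should appear exactly once, so
    any pair returned here is a defect like the one in this report.
    """
    found = analyzers(dump.get("alert", {}))
    keys = [(a.get("manufacturer"), a.get("model"), a.get("version")) for a in found]
    return [(i, j) for i in range(len(keys))
            for j in range(i + 1, len(keys)) if keys[i] == keys[j]]


def missing_identity(dump: Dict[str, Any]) -> List[int]:
    """Indices of analyzer entries that carry no analyzerid or no name."""
    return [i for i, a in enumerate(analyzers(dump.get("alert", {})))
            if not a.get("analyzerid") or not a.get("name")]


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_ALERT)
    print("duplicate analyzer pairs:", find_duplicate_analyzers(parsed))
    print("entries without analyzerid/name:", missing_identity(parsed))
```

Run against the sample, the script reports the pair (1, 2) as duplicates and entry 2 as lacking an identity; on a correctly built alert both lists are empty, so the same two checks can sit in a test that replays a stored alert dump after every manager or sensor upgrade.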