Bug #1842

closed

Duplicated analyzer in Prelude alert

Added by Antoine Luong about 5 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello,

We encountered a strange behavior since the changes done in #1634, where Prelude alerts have two analyzers named Suricata instead of one.

See the output of such an alert:

version: <empty>
alert:
        messageid: 66ee2c8c-3ea3-11e6-bd8e
        analyzer(0): 
                analyzerid: 3491814173832904
                name: prelude-manager
                manufacturer: http://www.prelude-siem.com
                model: Prelude Manager
                version: 3.0.0
                class: Concentrator
                ostype: Linux
                osversion: 3.10.0-327.el7.x86_64
                process:
                        name: prelude-manager
                        pid: 2537
                        path: /usr/bin/prelude-manager
        analyzer(1): 
                analyzerid: 2704112876839258
                name: suricata
                manufacturer: http://www.openinfosecfoundation.org/
                model: Suricata
                version: 2.0.11
                class: NIDS
                ostype: Linux
                osversion: 3.10.0-327.el7.x86_64
                process:
                        name: <empty>
                        pid: 21587
        analyzer(2): 
                manufacturer: http://www.openinfosecfoundation.org/
                model: Suricata
                version: 2.0.11
                class: NIDS
        create_time: 30/06/2016 11:17:00.885513 +02:00
        classification:
                ident: 1:2200074
                text: SURICATA TCPv4 invalid checksum
        detect_time: 30/06/2016 11:17:00.885147 +02:00
        analyzer_time: 30/06/2016 11:17:00.885570 +02:00
        source(0): 
                spoofed: unknown (0)
                node:
                        category: unknown (0)
                        address(0): 
                                category: ipv4-addr (7)
                                address: 172.25.35.101
                service:
                        ip_version: 4
                        iana_protocol_number: 6
                        iana_protocol_name: tcp
                        port: 22
        target(0): 
                decoy: unknown (0)
                node:
                        category: unknown (0)
                        address(0): 
                                category: ipv4-addr (7)
                                address: 10.25.201.159
                service:
                        ip_version: 4
                        iana_protocol_number: 6
                        iana_protocol_name: tcp
                        port: 56036
        assessment:
                impact:
                        severity: low (2)
                        type: other (0)
Actions #1

Updated by Victor Julien about 5 years ago

  • Assignee set to Anonymous
Actions #2

Updated by Antoine Luong about 5 years ago

The following patch seems to fix the problem:

diff --git a/src/alert-prelude.c b/src/alert-prelude.c
index 1a7b268..d42367f 100644
--- a/src/alert-prelude.c
+++ b/src/alert-prelude.c
@@ -635,6 +635,7 @@ static int PreludePrintStreamSegmentCallback(const Packet *p, void *data, uint8_
  */
 static TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data)
 {
+    int ret;
     AlertPreludeThread *aun;

     SCEnter();
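Review bot: the new `int ret;` is declared at the top of AlertPreludeThreadInit but is only assigned once, from the `idmef_analyzer_clone` call further down; that follows the file's existing top-of-function declaration style (`AlertPreludeThread *aun;`), so no change is required, though `int ret = 0;` would keep static analysers quiet if an early-return path is ever added before the assignment.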
@@ -654,7 +655,8 @@ static TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data
     aun->ctx = ((OutputCtx *)initdata)->data;

     /* Create a per-thread idmef analyzer */
-    if (unlikely(idmef_analyzer_new(&aun->analyzer) < 0)) {
+    ret = idmef_analyzer_clone(prelude_client_get_analyzer(aun->ctx->client), &aun->analyzer);
+    if (unlikely(ret < 0)) {
         SCLogError(SC_ERR_INITIALIZATION,
                    "Error creating idmef analyzer for Prelude.");

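Review bot: the unchanged `SCLogError` text still reads "Error creating idmef analyzer for Prelude." although the call is now `idmef_analyzer_clone(prelude_client_get_analyzer(aun->ctx->client), &aun->analyzer)`; reword it to say cloning and include `ret` in the message (libprelude returns a negative error code) so this failure can be distinguished from the other init failures in the same function. Also confirm that `aun->ctx->client` is guaranteed to be initialised by the time the thread init runs, since the replaced `idmef_analyzer_new(&aun->analyzer)` call did not dereference it.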
@@ -662,16 +664,6 @@ static TmEcode AlertPreludeThreadInit(ThreadVars *t, void *initdata, void **data
         SCReturnInt(TM_ECODE_FAILED);
     }

-    /* Setup the per-thread idmef analyzer */
-    if (unlikely(SetupAnalyzer(aun->analyzer) < 0)) {
-        SCLogError(SC_ERR_INITIALIZATION,
-                   "Error configuring idmef analyzer for Prelude.");
-
-        idmef_analyzer_destroy(aun->analyzer);
-        SCFree(aun);
-        SCReturnInt(TM_ECODE_FAILED);
-    }
-

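Review bot: this hunk removes the only visible call to `SetupAnalyzer`; if it is a static helper with no other callers it will now produce an unused-function warning (and break a -Werror build), so remove the function too or confirm it is still used. Separately, the manufacturer/model/version/class fields that `SetupAnalyzer` used to fill on the per-thread analyzer now have to come from the client analyzer being cloned; please attach a fresh alert dump showing exactly one Suricata analyzer with analyzerid and process populated, rather than the two analyzers shown in the description, to confirm the fix rather than inferring it.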
Regards

Actions #3

Updated by Andreas Herz about 5 years ago

  • Target version set to TBD
Actions #4

Updated by Victor Julien about 3 years ago

  • Status changed from New to Closed
  • Target version changed from TBD to 4.1beta1
Actions #5

Updated by Victor Julien about 3 years ago

  • Assignee changed from Anonymous to Antoine Luong