Bug #2351
closedSuricata with alert-prelude option sending only one IDMEF message (not more).
Description
If one data packet matches more than one rules/signatures and thus generates more then one alert at the same time, then:
- suricata creates more alerts, as you can see in syslog or in fast.log or in alert-debug.log
- suricata sends only one IDMEF message (the last one) when configured with alert-prelude option
You can simulate this situation.:
- from remote station use 'curl http://X.X.X.X/CFIDE/administrator' command, where X.X.X.X is some web servere behind router with suricata
- suricata generates 2 alerts:
-- '[sid:2016184] ET WEB_SERVER ColdFusion administrator access', because accessing '/CFIDE/administrator' URI
-- '[sid:2013028] ET POLICY curl User-Agent Outbound', because using 'curl' as User-agent
- suricata send only 1 IDMEF message to prelude-manager - the last one 'ET POLICY curl User-Agent Outbound', NOT THE FIRST ONE.
Suricata version 3.2.1 frm Debian 9 Stretch distribution
Updated by Victor Julien about 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Jason Ish almost 3 years ago
- Related to Task #4668: Remove Prelude output added
Updated by Jason Ish almost 3 years ago
- Status changed from New to Rejected
Closing with status as rejected as Prelude support has been removed so this will not be fixed.