Bug #2351

closed

Suricata with alert-prelude option sending only one IDMEF message (not more).

Added by Ondřej Macháček over 6 years ago. Updated about 2 years ago.

Status:
Rejected
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If one data packet matches more than one rule/signature and thus generates more than one alert at the same time, then:
- suricata creates more alerts, as you can see in syslog or in fast.log or in alert-debug.log
- suricata sends only one IDMEF message (the last one) when configured with the alert-prelude option

You can simulate this situation:
- from a remote station use the 'curl http://X.X.X.X/CFIDE/administrator' command, where X.X.X.X is some web server behind a router with suricata
- suricata generates 2 alerts:
-- '[sid:2016184] ET WEB_SERVER ColdFusion administrator access', because of accessing the '/CFIDE/administrator' URI
-- '[sid:2013028] ET POLICY curl User-Agent Outbound', because of using 'curl' as User-Agent
- suricata sends only 1 IDMEF message to prelude-manager - the last one, 'ET POLICY curl User-Agent Outbound', NOT THE FIRST ONE.

Suricata version 3.2.1 from the Debian 9 Stretch distribution
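As an added check (not code from the report or from Suricata), the script below parses fast.log lines, groups alerts by packet (same timestamp, protocol and endpoints) and reports which of those alerts a second output never delivered; the log lines, addresses and the third sid are constructed sample data for the two signatures named above.

```python
import re
from collections import defaultdict

# Constructed fast.log sample (not from the report): two signatures firing on
# the same HTTP request at the same timestamp, plus one single-match packet.
FAST_LOG = """\
03/15/2018-10:23:45.123456  [**] [1:2016184:3] ET WEB_SERVER ColdFusion administrator access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 203.0.113.5:80
03/15/2018-10:23:45.123456  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 203.0.113.5:80
03/15/2018-10:24:01.000001  [**] [1:9999999:1] EXAMPLE constructed single-match alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:51235 -> 203.0.113.5:80
"""

# One fast.log record: timestamp  [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_log(text):
    """Return one dict per alert line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def packet_key(alert):
    """Alerts raised on the same packet share timestamp, protocol and endpoints."""
    return (alert["ts"], alert["proto"], alert["src"], alert["dst"])


def group_by_packet(alerts):
    """Map packet key -> list of sids, in the order fast.log emitted them."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[packet_key(alert)].append(alert["sid"])
    return dict(groups)


def multi_alert_packets(alerts):
    """Only the packets on which more than one signature matched."""
    return {k: v for k, v in group_by_packet(alerts).items() if len(v) > 1}


def dropped_alerts(alerts, delivered):
    """Alerts present in fast.log but absent from what another output (e.g. the
    IDMEF consumer) received. `delivered` is a set of (ts, proto, src, dst, sid)
    tuples observed downstream; the result is a list of (packet_key, sid)."""
    return [(packet_key(a), a["sid"]) for a in alerts
            if packet_key(a) + (a["sid"],) not in delivered]


if __name__ == "__main__":
    for key, sids in multi_alert_packets(parse_fast_log(FAST_LOG)).items():
        print(f"{key[0]} {key[2]} -> {key[3]}: {len(sids)} alerts, sids {sids}")
```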


Related issues: 1 (0 open, 1 closed)

Related to Suricata - Task #4668: Remove Prelude output (Closed, Jason Ish)
Actions #1

Updated by Victor Julien over 6 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
Actions #2

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions #3

Updated by Andreas Herz over 4 years ago

Can you still reproduce that?

Actions #4

Updated by Jason Ish about 2 years ago

  • Related to Task #4668: Remove Prelude output added
Actions #5

Updated by Jason Ish about 2 years ago

  • Status changed from New to Rejected

Closing with status as rejected as Prelude support has been removed so this will not be fixed.
