Bug #2351

closed

Suricata with alert-prelude option sending only one IDMEF message (not more).

Added by Ondřej Macháček over 6 years ago. Updated about 2 years ago.

Status: Rejected
Priority: Normal
Target version, Affected Versions, Effort, Difficulty, Label: not set

Description

If one data packet matches more than one rule/signature and thus generates more than one alert at the same time, then:
- suricata creates more alerts, as you can see in syslog or in fast.log or in alert-debug.log
- suricata sends only one IDMEF message (the last one) when configured with the alert-prelude option

You can simulate this situation:
- from a remote station use the 'curl http://X.X.X.X/CFIDE/administrator' command, where X.X.X.X is some web server behind a router with suricata
- suricata generates 2 alerts:
-- '[sid:2016184] ET WEB_SERVER ColdFusion administrator access', because of accessing the '/CFIDE/administrator' URI
-- '[sid:2013028] ET POLICY curl User-Agent Outbound', because of using 'curl' as User-Agent
- suricata sends only 1 IDMEF message to prelude-manager - the last one, 'ET POLICY curl User-Agent Outbound', NOT THE FIRST ONE.

Suricata version 3.2.1 from Debian 9 Stretch distribution
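As an added illustration (not part of this report or of Suricata itself), a Python check that reconciles fast.log against the alerts prelude-manager actually received and lists the signatures that never produced an IDMEF message for a given packet. The fast.log lines and the IDMEF records are constructed; pulling the timestamp, endpoint and sid fields out of stored IDMEF alerts is assumed to happen upstream.

```python
import re

# fast.log line: <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC -> DST
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def index_fast_log(lines):
    """Map (timestamp, proto, src, dst) -> set of sids that fired on that packet.
    Alerts raised by one packet share all four fields, so they collapse into one key."""
    by_packet = {}
    for line in lines:
        m = FAST_RE.match(line)
        if m:  # skip blank or malformed lines
            by_packet.setdefault((m["ts"], m["proto"], m["src"], m["dst"]), set()).add(int(m["sid"]))
    return by_packet

def index_idmef(records):
    """Same mapping from alerts prelude-manager received (records: dicts with ts/proto/src/dst/sid)."""
    by_packet = {}
    for r in records:
        by_packet.setdefault((r["ts"], r["proto"], r["src"], r["dst"]), set()).add(r["sid"])
    return by_packet

def find_dropped_alerts(fast_index, idmef_index):
    """Return {packet key: sids seen in fast.log but never delivered as IDMEF}."""
    dropped = {}
    for key, sids in fast_index.items():
        missing = sids - idmef_index.get(key, set())
        if missing:
            dropped[key] = missing
    return dropped

# Constructed sample: the curl request from the report fires two signatures on one
# packet, but only the last one reaches prelude-manager (rev/classification made up).
FAST_LOG = [
    "02/26/2018-10:15:42.123456  [**] [1:2016184:5] ET WEB_SERVER ColdFusion administrator access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51234 -> 203.0.113.10:80",
    "02/26/2018-10:15:42.123456  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51234 -> 203.0.113.10:80",
]
IDMEF_RECEIVED = [
    {"ts": "02/26/2018-10:15:42.123456", "proto": "TCP", "src": "198.51.100.7:51234",
     "dst": "203.0.113.10:80", "sid": 2013028},
]

if __name__ == "__main__":
    for key, sids in find_dropped_alerts(index_fast_log(FAST_LOG), index_idmef(IDMEF_RECEIVED)).items():
        print(f"{key[0]} {key[2]} -> {key[3]}: no IDMEF message for sid(s) {sorted(sids)}")
```

Run against a real fast.log and the alert store behind prelude-manager, an empty result means every alert that fired also arrived as IDMEF; any non-empty entry is a packet affected by the behaviour described in this report.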


Related issues (1: 0 open, 1 closed)

Related to Suricata - Task #4668: Remove Prelude output (Closed, Jason Ish)
