
List:       prelude-user
Subject:    [prelude-user] prewikka filters question
From:       bjoern.weiland () web ! de (Bjoern Weiland)
Date:       2007-09-01 9:02:25
Message-ID: 46D92AA1.7080607 () web ! de

> This is a libpreludedb specific limitation (you won't notice the same
> behavior when using IDMEF-Criteria in a non database context -
> Prelude-Manager for example - since (recent) libprelude can handle those
> queries with more flexibility).

But if I set up the following IDMEF filter in the manager's conf:

[idmef-criteria]
rule = alert.classification.text != 'Malware submitted'
rule = alert.assessment.impact.severity == 'high'
hook = TextMod[default]


The first alert I got was:

********************************************************************************
* Alert: ident=52730502127302
* Classification ident: 20
* Classification text: Malware submitted
* Reference origin: vendor-specific
* Reference name:
--- snip ---

although I DON'T want any "Malware submitted" alert, as stated in the
idmef-criteria...
The severity rule seems to work: I only get high-severity alerts, but I
do get "Malware submitted".

 -regards, bjoern
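The behaviour reported above, where the `severity == 'high'` rule takes effect but the `!= 'Malware submitted'` rule does not, is what you would see if the two `rule =` lines were combined with OR rather than AND. The page does not say which combination prelude-manager actually applies, so the following toy evaluator (an added example, not prelude-manager or libprelude code) parses the exact `[idmef-criteria]` block from the message, runs it over four constructed sample alerts, and prints which alerts would reach the hook under each interpretation. The sample alerts, the `SAMPLE_ALERTS`/`select_alerts` names, the "missing path matches `!=`" choice and the one-rule-with-`&&` rewrite are all assumptions of this example.

```python
"""Toy IDMEF-criteria evaluator (added example; not prelude-manager code).

Parses an [idmef-criteria] section of the kind shown in the message, applies
each rule to constructed sample alerts, and reports which alerts reach the
hook under two possible combination semantics:
  - "all": an alert must satisfy every `rule =` line (AND)
  - "any": satisfying any one `rule =` line is enough (OR)
"""
import re

# Constructed sample alerts, flattened to IDMEF path -> value. Not real sensor data.
SAMPLE_ALERTS = [
    {"alert.messageid": "A1",
     "alert.classification.text": "Malware submitted",
     "alert.assessment.impact.severity": "high"},
    {"alert.messageid": "A2",
     "alert.classification.text": "Port scan",
     "alert.assessment.impact.severity": "high"},
    {"alert.messageid": "A3",
     "alert.classification.text": "Malware submitted",
     "alert.assessment.impact.severity": "low"},
    {"alert.messageid": "A4",
     "alert.classification.text": "Port scan",
     "alert.assessment.impact.severity": "low"},
]

# The filter from the message, verbatim, as the text a config parser would see.
CRITERIA_SECTION = """\
[idmef-criteria]
rule = alert.classification.text != 'Malware submitted'
rule = alert.assessment.impact.severity == 'high'
hook = TextMod[default]
"""

# One comparison: <path> (==|!=) '<value>'. Only the two operators on the page are handled.
TERM_RE = re.compile(r"^\s*(?P<path>[A-Za-z0-9_.()]+)\s*(?P<op>==|!=)\s*'(?P<value>[^']*)'\s*$")


def parse_rule(rule):
    """Split one rule into a list of (path, op, value) terms joined by '&&'."""
    terms = []
    for term in rule.split("&&"):
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unsupported criteria term: {term!r}")
        terms.append((m.group("path"), m.group("op"), m.group("value")))
    return terms


def parse_section(text):
    """Return (rules, hook) from an [idmef-criteria] block; unknown keys are rejected."""
    rules, hook = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")   # split on the FIRST '=' only
        key, value = key.strip(), value.strip()
        if key == "rule":
            rules.append(parse_rule(value))
        elif key == "hook":
            hook = value
        else:
            raise ValueError(f"unexpected key in [idmef-criteria]: {key!r}")
    return rules, hook


def match_term(alert, path, op, value):
    """Evaluate one term. A path absent from the alert compares as None, so
    '!=' succeeds on missing data; that is this toy's choice, not libpreludedb's."""
    actual = alert.get(path)
    return actual == value if op == "==" else actual != value


def match_rule(alert, terms):
    """All '&&'-joined terms of a single rule line must hold."""
    return all(match_term(alert, *t) for t in terms)


def select_alerts(alerts, rules, mode):
    """Return the messageids of alerts that reach the hook under `mode`:
    'all' = every rule line must match (AND), 'any' = one matching line suffices (OR)."""
    if mode not in ("all", "any"):
        raise ValueError(f"mode must be 'all' or 'any', got {mode!r}")
    combine = all if mode == "all" else any
    return [a["alert.messageid"] for a in alerts
            if combine(match_rule(a, r) for r in rules)]


if __name__ == "__main__":
    rules, hook = parse_section(CRITERIA_SECTION)
    for mode in ("all", "any"):
        print(f"{hook} receives under '{mode}': {select_alerts(SAMPLE_ALERTS, rules, mode)}")
    # Writing both conditions on one rule line removes the ambiguity entirely.
    single = [parse_rule("alert.classification.text != 'Malware submitted' "
                         "&& alert.assessment.impact.severity == 'high'")]
    print("single conjoined rule:", select_alerts(SAMPLE_ALERTS, single, "any"))
```

Under "all" only A2 (Port scan, high) reaches the hook; under "any" the high-severity "Malware submitted" alert A1 gets through exactly as in the message, together with A4 even though it is low severity. The single conjoined rule gives the "all" result regardless of how separate lines are combined, which is the quickest way to check the manager's behaviour without depending on that detail.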
