List: prelude-user
Subject: [prelude-user] prewikka filters question
From: bjoern.weiland () web ! de (Bjoern Weiland)
Date: 2007-09-01 9:02:25
Message-ID: 46D92AA1.7080607 () web ! de
> This is a libpreludedb specific limitation (you won't notice the same
> behavior when using IDMEF-Criteria in a non-database context -
> Prelude-Manager for example - since (recent) libprelude can handle those
> queries with more flexibility).
But if I set up the following IDMEF filter in the manager's conf:
[idmef-criteria]
rule = alert.classification.text != 'Malware submitted'
rule = alert.assessment.impact.severity == 'high'
hook = TextMod[default]
the first alert I got was:
********************************************************************************
* Alert: ident=52730502127302
* Classification ident: 20
* Classification text: Malware submitted
* Reference origin: vendor-specific
* Reference name:
--- snip ---
although I DON'T want any "Malware submitted" alert, as stated in the
idmef-criteria...
The severity rule seems to work, I only get high severity alerts, but I
do get "Malware submitted".
-regards, bjoern