#1032433 prelude-correlator: Not performing correlations (probably because plugins errors)

#1032433#5
Date:
2023-03-06 17:42:36 UTC
From:
To:
OS (up2date 2023.03.06): bookworm 6.1.0-5-amd64 #1 SMP PREEMPT_DYNAMIC
Debian 6.1.12-1 (2023-02-15) x86_64

Running prelude-correlator shows problems with Storm, Sweep, Scan and Worm
plugins:
***
preludecorrelator.pluginmanager: ERROR: [EventStormPlugin]: exception
occurred while running#012Traceback (most recent call last):#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py",
line 250, in run#012    plugin.run_safe(idmef)#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py",
line 58, in run_safe#012    self.run(idmef)#012  File
"//etc/prelude-correlator/rules/python/EventStormPlugin.py", line 34, in
run#012    source =
idmef.get("alert.source(*).node.address(*).address")#012
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/idmef.py", line 55, in
get#012    value = utils.flatten(value)#012
^^^^^^^^^^^^^^^^^^^^#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/utils.py", line 41, in
flatten#012    if isinstance(el, collections.Iterable) and not
isinstance(el, str):#012
^^^^^^^^^^^^^^^^^^^^#012AttributeError: module 'collections' has no
attribute 'Iterable'
preludecorrelator.pluginmanager: ERROR: [EventSweepPlugin]: exception
occurred while running#012Traceback (most recent call last):#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py",
line 250, in run#012    plugin.run_safe(idmef)#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py",
line 58, in run_safe#012    self.run(idmef)#012  File
"//etc/prelude-correlator/rules/python/EventSweepPlugin.py", line 35, in
run#012    source =
idmef.get("alert.source(*).node.address(*).address")#012
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/idmef.py", line 55, in
get#012    value = utils.flatten(value)#012
^^^^^^^^^^^^^^^^^^^^#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/utils.py", line 41, in
flatten#012    if isinstance(el, collections.Iterable) and not
isinstance(el, str):#012
^^^^^^^^^^^^^^^^^^^^#012AttributeError: module 'collections' has no
attribute 'Iterable'
preludecorrelator.pluginmanager: ERROR: [EventScanPlugin]: exception
occurred while running#012Traceback (most recent call last):#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py",
line 250, in run#012    plugin.run_safe(idmef)#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py",
line 58, in run_safe#012    self.run(idmef)#012  File
"//etc/prelude-correlator/rules/python/EventScanPlugin.py", line 32, in
run#012    source =
idmef.get("alert.source(*).node.address(*).address")#012
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/idmef.py", line 55, in
get#012    value = utils.flatten(value)#012
^^^^^^^^^^^^^^^^^^^^#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/utils.py", line 41, in
flatten#012    if isinstance(el, collections.Iterable) and not
isinstance(el, str):#012
^^^^^^^^^^^^^^^^^^^^#012AttributeError: module 'collections' has no
attribute 'Iterable'
preludecorrelator.pluginmanager: ERROR: [WormPlugin]: exception occurred
while running#012Traceback (most recent call last):#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py",
line 250, in run#012    plugin.run_safe(idmef)#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py",
line 58, in run_safe#012    self.run(idmef)#012  File
"//etc/prelude-correlator/rules/python/WormPlugin.py", line 46, in
run#012    for target in
idmef.get("alert.target(*).node.address(*).address"):#012
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/idmef.py", line 55, in
get#012    value = utils.flatten(value)#012
^^^^^^^^^^^^^^^^^^^^#012  File
"/usr/lib/python3/dist-packages/preludecorrelator/utils.py", line 41, in
flatten#012    if isinstance(el, collections.Iterable) and not
isinstance(el, str):#012
^^^^^^^^^^^^^^^^^^^^#012AttributeError: module 'collections' has no
attribute 'Iterable'
***

I am not sure if this is the main reason why correlations are not
performed at all.
Due to #996878 it's hard to tell if it worked before (in bullseye).

Under CentOS-like distros, prelude-correlator works properly with these
packages from EPEL8:
prelude-correlator.x86_64            5.2.0-1.el8
python3-prelude-correlator.x86_64    5.2.0-1.el8

Expected behaviour: performing correlations without plugin errors.
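
A triage sketch for the log excerpt in the report above, added here as an example and not part of the original report or of prelude-correlator: it decodes the `#012`-escaped tracebacks and groups the failing plugins by exception and innermost frame. The sample log is constructed from the excerpt (frames shortened), the function names are hypothetical, and one syslog line per failure is assumed.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"pluginmanager: ERROR: \[(\w+)\]: exception occurred while running")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')

# Constructed sample modelled on the report: one syslog line per failure,
# traceback newlines escaped as "#012", intermediate frames shortened.
TEMPLATE = (
    "preludecorrelator.pluginmanager: ERROR: [{plugin}]: exception occurred while running"
    "#012Traceback (most recent call last):"
    '#012  File "/usr/lib/python3/dist-packages/preludecorrelator/pluginmanager.py", line 58, in run_safe'
    "#012    self.run(idmef)"
    '#012  File "/usr/lib/python3/dist-packages/preludecorrelator/utils.py", line 41, in flatten'
    "#012    if isinstance(el, collections.Iterable) and not isinstance(el, str):"
    "#012       ^^^^^^^^^^^^^^^^^^^^"
    "#012AttributeError: module 'collections' has no attribute 'Iterable'"
)
PLUGINS = ("EventStormPlugin", "EventSweepPlugin", "EventScanPlugin", "WormPlugin")
SAMPLE_LOG = "\n".join(["prelude-correlator: INFO: constructed unrelated line"]
                       + [TEMPLATE.format(plugin=p) for p in PLUGINS])

def parse_failures(log_text):
    """Return one record per plugin failure: plugin, exception, innermost frame."""
    failures = []
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m is None:
            continue  # not a plugin failure line
        traceback = line[m.end():].replace("#012", "\n")
        rows = [r.strip() for r in traceback.splitlines() if r.strip()]
        frames = FRAME.findall(traceback)
        path, lineno, func = frames[-1] if frames else ("", "0", "")
        failures.append({"plugin": m.group(1),
                         "exception": rows[-1] if rows else "",
                         "where": f"{path}:{lineno} in {func}"})
    return failures

def group_by_cause(failures):
    """Map (exception, innermost frame) -> plugins sharing that root cause."""
    causes = defaultdict(list)
    for f in failures:
        causes[(f["exception"], f["where"])].append(f["plugin"])
    return dict(causes)

if __name__ == "__main__":
    for (exc, where), plugins in group_by_cause(parse_failures(SAMPLE_LOG)).items():
        print(f"{len(plugins)} plugin(s) down: {', '.join(plugins)}\n  {exc}\n  at {where}")
```

Grouped this way, the four failures reduce to a single cause in `utils.flatten`. `collections.Iterable` was removed in Python 3.10; the abstract base class is `collections.abc.Iterable`.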