Created attachment 331127
Return nil from IDMEF_getraw if idmef_path_get returns 0

IDMEF_getraw can sometimes return zero results on the Lua stack, which essentially turns this call:

    ca:set("alert.source", INPUT:getraw("alert.source"))

into:

    ca:set("alert.source")

That causes an error because the IDMEF_set method is expecting 3 arguments (self, path, value):

    prelude-correlator: ERROR: LUA error on 'business_hour': /etc/prelude-correlator/lua-rules/business-hour.lua:31: set(): require 3 arguments, got 2. (lua.c:148 lua_run)

Changing IDMEF_getraw so that it returns nil where previously it would return nothing seems to fix the problem for me. I've attached a patch with the fix.

This has been reported upstream as ticket #332: https://trac.prelude-ids.org/ticket/332
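The zero-results behaviour described in the report above, reproduced in plain Lua as an added example that is not part of the original report or of prelude-correlator's code. The `IDMEF` table, `new_idmef`, `getraw_old` and `getraw_fixed` are hypothetical stand-ins for the real C binding, and the sample field value is constructed.

```lua
-- Hypothetical stand-in for the IDMEF userdata exposed to correlation rules.
local IDMEF = {}
IDMEF.__index = IDMEF

local function new_idmef(fields)
  return setmetatable({ fields = fields or {} }, IDMEF)
end

-- Mirrors the argument-count check quoted in the error message.
function IDMEF:set(...)
  local argc = select("#", ...) + 1 -- +1 counts self, as the C side does
  if argc ~= 3 then
    error(string.format("set(): require 3 arguments, got %d", argc), 2)
  end
  local path, value = ...
  self.fields[path] = value
end

-- Behaviour before the patch: nothing is returned when the path has no value.
function IDMEF:getraw_old(path)
  local v = self.fields[path]
  if v == nil then return end -- zero results
  return v
end

-- Behaviour after the patch: always exactly one result, nil when missing.
function IDMEF:getraw_fixed(path)
  return self.fields[path]
end

-- Constructed sample alert that has no "alert.source" set.
local INPUT = new_idmef({ ["alert.classification.text"] = "constructed sample" })
local ca = new_idmef()

-- A call in the last argument position expands to all of its results,
-- so zero results make the argument list collapse to (self, path).
print("old getraw:  ", pcall(function()
  ca:set("alert.source", INPUT:getraw_old("alert.source"))
end))

-- One nil result keeps the argument count at three.
print("fixed getraw:", pcall(function()
  ca:set("alert.source", INPUT:getraw_fixed("alert.source"))
end))

-- Caller-side guard: parentheses adjust any call to exactly one value.
print("parenthesised:", pcall(function()
  ca:set("alert.source", (INPUT:getraw_old("alert.source")))
end))
```

The parenthesised form is a way for a rule to tolerate an unpatched binding, since Lua adjusts `(f())` to a single value even when `f` returns none.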
Thanks for reporting this. But I am subscribed to the prelude mail lists and saw the bug reports. I am also in contact with the upstream developers frequently. I'll apply the upstream patch when Yoann agrees to the fix and if he does not release a new update soon.
prelude-correlator-0.9.0-0.5.beta3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/prelude-correlator-0.9.0-0.5.beta3.fc10
The patch attached to this bz was applied and a new package was built. It should be in the updates-testing repo soon.
prelude-correlator-0.9.0-0.5.beta3.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update prelude-correlator'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2259
prelude-correlator-0.9.0-0.5.beta3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.