jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Link to ET missing #109

Closed filippocarletti closed 5 years ago

filippocarletti commented 5 years ago

The link to the ET signature in the top right of an alert page is now a number (a counter) that links back to the inbox. After refreshing the page, the number becomes an external link to doc.emergingthreats.net.

Steps to reproduce

  1. Click on an alert in the inbox page
  2. See the top right: it shows the number of rule hits
  3. Refresh the page (hit F5), the number becomes the link to the ET signature

EveBox 0.10.2.

First click on the alert from inbox:

[Screenshot from 2019-05-15 11-47-01]

After page refresh:

[Screenshot from 2019-05-15 11-47-15]

jasonish commented 5 years ago

The ET link is not provided by EveBox itself, but some integration. Are you running EveBox on SELKS?

filippocarletti commented 5 years ago

No SELKS, it's EveBox fed by eve.json using sqlite.

jasonish commented 5 years ago

Can you provide your evebox.yaml? Maybe there is an event service defined in there for ET links.

filippocarletti commented 5 years ago

```yaml
data-directory: /var/lib/evebox

http:
  tls:
    enabled: false
  reverse-proxy: true

database:
  type: sqlite
  retention-period: 30

authentication:
  required: no

input:
  enabled: true
  filename: "/var/log/suricata/eve.json"

geoip:
  disabled: false

event-services:

  - type: custom
    enabled: true
    name: ET
    url: http://doc.emergingthreats.net/{{alert.signature_id}}
```

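The custom event-service above turns a field of the EVE alert into an external link by expanding `{{alert.signature_id}}`. The following is an added illustration of that expansion, not EveBox's own code: it reads a constructed EVE alert line, resolves dotted placeholders against the JSON record, URL-encodes the substituted value so a string field from the event cannot add path segments or query parameters to the configured URL, and yields no link at all when the field is missing or is not a scalar. The `lookup`, `render_service_url` and `event_links` names and the sample event are assumptions made for this example.

```python
import json
import re
from urllib.parse import quote

# Constructed sample EVE alert line (not taken from the issue); only the
# fields this example needs are filled in with plausible values.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2019-05-15T11:47:01.000000+0200",
    "event_type": "alert",
    "src_ip": "192.0.2.10",
    "dest_ip": "198.51.100.20",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 2100498,
        "rev": 7,
        "signature": "GPL ATTACK_RESPONSE id check returned root",
        "category": "Potentially Bad Traffic",
        "severity": 2,
    },
})

# The custom event-service entry from the evebox.yaml posted above.
ET_SERVICE = {
    "type": "custom",
    "enabled": True,
    "name": "ET",
    "url": "http://doc.emergingthreats.net/{{alert.signature_id}}",
}

# Placeholders look like {{alert.signature_id}}: a dotted path into the event.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def lookup(event, dotted):
    """Resolve a dotted path such as 'alert.signature_id'; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render_service_url(service, event):
    """Expand the service URL template for one event.

    Returns None when the service is disabled or any placeholder cannot be
    resolved to a scalar, so the UI shows no link rather than a broken one.
    """
    if not service.get("enabled", False):
        return None
    unresolved = []

    def substitute(match):
        value = lookup(event, match.group(1))
        if value is None or isinstance(value, (dict, list)):
            unresolved.append(match.group(1))
            return ""
        # Percent-encode everything, including '/', '?' and '&', so a value
        # taken from the event stays a single path component of the link.
        return quote(str(value), safe="")

    url = PLACEHOLDER.sub(substitute, service["url"])
    return None if unresolved else url


def event_links(services, eve_line):
    """Map service name -> link for an EVE alert line; empty for non-alerts."""
    event = json.loads(eve_line)
    if event.get("event_type") != "alert":
        return {}
    links = {}
    for svc in services:
        url = render_service_url(svc, event)
        if url is not None:
            links[svc["name"]] = url
    return links


if __name__ == "__main__":
    print(event_links([ET_SERVICE], SAMPLE_EVE_LINE))
```

Running the block prints a single `ET` link whose last path segment is the signature id, which is what the reporter expected to see in the top-right corner of the alert page.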
jasonish commented 5 years ago

Thanks for the report. My most recent commit fixes this issue and it will be in the development builds in the next few days.