Link to ET missing

[filippocarletti]

The link to the ET signature in the top right of an alert page is now a number (a counter) that links back to the inbox. Refreshing the page the number becomes an external link to doc.emergingthreats.net.

Steps to reproduce

1. Click on an alert in the inbox page
2. See the top right: it shows the number of rule hits
3. Refresh the page (hit F5), the number becomes the link to the ET signature

EveBox 0.10.2.

First click on the alert from inbox:

After page refresh:

[jasonish]

The ET link is not provided by EveBox itself, but some integration. Are you running EveBox on SELKS?

[filippocarletti]

No SELKS, it's EveBox fed by eve.json using sqlite.

[jasonish]

Can you provide your evebox.yaml? Maybe there is an event service defined in there for ET links.

[filippocarletti]

data-directory: /var/lib/evebox

http:
  tls:
    enabled: false
  reverse-proxy: true

database:
  type: sqlite
  retention-period: 30

authentication:
  required: no

input:
  enabled: true
  filename: "/var/log/suricata/eve.json"

geoip:
  disabled: false

event-services:

  - type: custom
    enabled: true
    name: ET
    url: http://doc.emergingthreats.net/{{alert.signature_id}}

[jasonish]

Thanks for the report. My most recent commit fixes this issue and it will be in the development builds in the next few days.