    Dashboard 0.8.3 and Beyond, "Easy Rule" & FW Log Summary Graphs

    13 Posts 6 Posters 4.2k Views
    • jimpJ Offline
      jimp Rebel Alliance Developer Netgate

      Just pushed Dashboard 0.8.2 with a couple exciting new features.

      #1: Firewall Log Summary Graphs - very cool :)

      #2: Firewall Log filtering - There is a text box at the bottom of the firewall log that may be used to filter the results

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • AhnHELA Offline
        AhnHEL

        Great work Jimp!

        Loving all the improvements and added features.

        AhnHEL (Angel)

        • jimpJ Offline
          jimp Rebel Alliance Developer Netgate

          I put up 0.8.3 last night, main thing is just a bug fix for the summary graphs but it was a big one, the data sets weren't being populated properly, so the graphs were wildly incorrect.

          Should be OK now.

          • jimpJ Offline
            jimp Rebel Alliance Developer Netgate

            @grandrivers:

            will some of this get committed to 2.0?
            that would be cool

            FYI, this should all be in 2.0 now. I checked it in over the weekend.

            • S Offline
              serialdie

              jimp,

              One of the main features I use from the dashboard is the Snort alert widget.
              The logging from Snort changed in the last build and broke the ability of the dashboard Snort widgets to work.

              Can you look into it?

              Thank You!

              • jimpJ Offline
                jimp Rebel Alliance Developer Netgate

                I'll see what I can do, but it may be a while before I can get to this. I don't know that I have snort up and running on any of my testing systems.

                Do the alerts not show up at all?

                Hopefully it's just something simple like the path to the log file changing…

                • S Offline
                  serialdie

                  Actually it is just a new option that Snort has… If you enable full logging it will fully change the way it logs...
                  Here is an example:

                  The new way:

                  [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] 
                  [ Classification: Executable code was detected ] [ Priority: 1 ] 
                  06/09-17:53:02.354113 76.13.218.11:80 -> 98.199.248.92:46980
                  TCP TTL:49 TOS:0x20 ID:63898 IpLen:20 DgmLen:1053 DF
                  AP Seq: 0x89245C0C Ack: 0xB5E7090E Win: 0x2DA0 TcpLen: 20

                  The old way:

                  06/09-18:07:07.870063 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.222.11:80 -> 98.199.248.92:18772

                  But I did not notice that it was enabling the full logging that broke it… I got it working again by disabling the full logging option.

                  Thanks!

                  • jimpJ Offline
                    jimp Rebel Alliance Developer Netgate

                    Probably best to leave things as they are then, rather than try to write up two different log parsers. As long as that solution is documented somewhere it should work out.

                    • T Offline
                      tester_02

                      @serialdie:

                      But I did not notice that it was enabling the full logging that broke it… I got it working again by disabling the full logging option.

                      Thanks!

                      Where is the option to disable that option?????

                      • M Offline
                        matrix200

                        Yeah, I also would like to know how to disable full logging.
                        After the last upgrade I have the same issue here (not working with the dashboard, and it looks different in the Snort logs tab).

                        OK, I still don't know how to do that via the GUI, but I modified snort.conf by replacing
                        output alert_full: alert
                        with
                        output alert_fast: alert
                        and then restarted Snort.
                        That did the trick.

                        Current network "hardware" :
                        Running 2.2RC in Virtualbox 4.2.16.

                        Retired:
                        ALIX2C2 , 4 gigabyte disk cf card running 2.0 (official release).
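
The two layouts compared in this thread (`alert_full` blocks and `alert_fast` lines) carry the same fields in a different order, so a single parser can normalise both. The Python below is an added example, not code from the thread or from the Dashboard package; the function names are hypothetical, the sample input is the pair of alerts quoted above, and it assumes IPv4 addresses only.

```python
import re

# Field patterns shared by both Snort layouts. Whitespace inside the brackets
# is optional because the thread shows "[ ** ]" where Snort writes "[**]".
HDR = re.compile(r"\[\s*\*\*\s*\]\s*\[\s*(\d+):(\d+):(\d+)\s*\]\s*(.*?)\s*\[\s*\*\*\s*\]")
CLASS = re.compile(r"\[\s*Classification:\s*(.*?)\s*\]")
PRIO = re.compile(r"\[\s*Priority:\s*(\d+)\s*\]")
TS = re.compile(r"\b\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+")
FLOW = re.compile(r"(\d+(?:\.\d+){3})(?::(\d+))?\s*->\s*(\d+(?:\.\d+){3})(?::(\d+))?")
PROTO = re.compile(r"\{(\w+)\}|^(\w+) TTL:", re.M)  # fast: {TCP}; full: "TCP TTL:.."

# Sample input: the alert_full block and the alert_fast line quoted in the thread.
SAMPLE = """\
[ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ]
[ Classification: Executable code was detected ] [ Priority: 1 ]
06/09-17:53:02.354113 76.13.218.11:80 -> 98.199.248.92:46980
TCP TTL:49 TOS:0x20 ID:63898 IpLen:20 DgmLen:1053 DF
AP Seq: 0x89245C0C Ack: 0xB5E7090E Win: 0x2DA0 TcpLen: 20

06/09-18:07:07.870063 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.222.11:80 -> 98.199.248.92:18772
"""

def split_records(text):
    """Start a new record at every line carrying the [**] [gid:sid:rev] header."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if HDR.search(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line  # continuation line of an alert_full block
    return records

def parse_record(rec):
    """Return one normalised alert dict, or None if a required field is missing."""
    hdr, ts, flow = HDR.search(rec), TS.search(rec), FLOW.search(rec)
    if not (hdr and ts and flow):
        return None
    cls, prio, proto = CLASS.search(rec), PRIO.search(rec), PROTO.search(rec)
    port = lambda p: int(p) if p else None  # ICMP alerts carry no ports
    return {
        "format": "fast" if ts.start() < hdr.start() else "full",
        "timestamp": ts.group(0), "msg": hdr.group(4),
        "gid": int(hdr.group(1)), "sid": int(hdr.group(2)), "rev": int(hdr.group(3)),
        "classification": cls.group(1) if cls else None,
        "priority": int(prio.group(1)) if prio else None,
        "proto": (proto.group(1) or proto.group(2)) if proto else None,
        "src": flow.group(1), "sport": port(flow.group(2)),
        "dst": flow.group(3), "dport": port(flow.group(4)),
    }

def parse_alerts(text):
    return [a for a in map(parse_record, split_records(text)) if a]
```

`parse_alerts(SAMPLE)` returns two dicts with identical keys, differing only in `format` and in the per-alert values.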
