Dashboard Snort Alert Not Working.
-
The Dashboard Snort widget does not work for me in embedded 1.2.3
Is anybody using it, and is it working for them? TIA!
-
If you have the checkbox set to turn snort alerts into clickable links, you don't get the short-format logs that the widget parser needs.
That was the issue last time I reinstalled the package, anyhow.
-
I have the same problem… fresh install and snort is working, no alerts and no blocked IP (I have tried with grc.com).
What is the problem... what can I do to fix this?
-
If you have the checkbox set to turn snort alerts into clickable links, you don't get the short-format logs that the widget parser needs.
That was the issue last time I reinstalled the package, anyhow.
jimp,
No, I don't have that enabled. I am just simply not getting alerts… The alerts are being generated in the Alerts tab but not going to the dashboard...
I have fast logging enabled and here is an example of the alerts...
[ ** ] [ 1:15362:1 ] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [ ** ]
[ Classification: Misc activity ] [ Priority: 3 ]
12/24-23:14:14.289579 69.64.6.21:80 -> 98.194.134.87:10714
TCP TTL:50 TOS:0x20 ID:42160 IpLen:20 DgmLen:1500 DF
A* Seq: 0xC111C640 Ack: 0x50EBD161 Win: 0xFFFF TcpLen: 20
[ Xref => http://www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html ] [ Xref => http://cansecwest.com/slides07/csw07-nazario.pdf ]
Thank You.
-
Then be sure you have the log output set to fast, not full.
-
jimp,
I have it on fast and I have nothing in my dashboard.
Thanks.
-
Are you sure that you have single-line logs showing under the Alerts tab? The ones you pasted before are multi-line and are the "full" entries, not "fast".
Also try unchecking "Associate blocked events" (or whatever that box is called)
-
I did notice about the logs being in full and not fast… A restart took care of the issue. Thanks jimp.
-
Please be patient.
I have added code to snort-dev to parse snort fast and full logs.
The parsing was not easy. I will add said code to the snort widget when I have time.
James
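-
Added example (not code from this thread, the Snort package or snort-dev): the Python below tells the "fast" and "full" alert layouts discussed above apart and parses both, which is a quick way to check what an alert file really contains when the dashboard stays empty. The regular expressions, function names and the one-line sample are assumptions; the full sample is the alert pasted earlier, and the fast sample is a constructed one-line rendering of the same alert in Snort's usual fast layout.

```python
import re

# Patterns tolerate the extra spaces inside brackets seen in the pasted alert.
SIG = r"\[\s*\*\*\s*\]\s*\[\s*(?P<sid>\d+:\d+:\d+)\s*\]\s*(?P<msg>.*?)\s*\[\s*\*\*\s*\]"
TS = r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
FLOW = r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
PRIO = re.compile(r"\[\s*Priority:\s*(\d+)\s*\]")
FAST = re.compile("^" + TS + r"\s+" + SIG + r".*?\{\w+\}\s+" + FLOW)  # one line
FULL_HEAD = re.compile("^" + SIG)             # first line of a full entry
FULL_FLOW = re.compile("^" + TS + r"\s+" + FLOW)  # third line of a full entry

def parse_alerts(text):
    """Return one dict per alert, tagged format='fast' or format='full'."""
    alerts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = FAST.match(line)
        if m:                                  # complete single-line alert
            p = PRIO.search(line)
            alerts.append(dict(m.groupdict(), format="fast",
                               priority=int(p.group(1)) if p else None))
            current = None
            continue
        m = FULL_HEAD.match(line)
        if m:                                  # start of a multi-line alert
            current = dict(m.groupdict(), format="full", priority=None)
            alerts.append(current)
            continue
        if current is None:
            continue
        if not line:                           # blank line ends a full entry
            current = None
            continue
        p, f = PRIO.search(line), FULL_FLOW.match(line)
        if p:
            current["priority"] = int(p.group(1))
        if f:
            current.update(f.groupdict())
    return alerts

def formats_seen(text):
    """{'full'} here means a parser expecting one-line alerts finds nothing."""
    return {a["format"] for a in parse_alerts(text)}

FULL_SAMPLE = """[ ** ] [ 1:15362:1 ] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [ ** ]
[ Classification: Misc activity ] [ Priority: 3 ]
12/24-23:14:14.289579 69.64.6.21:80 -> 98.194.134.87:10714
TCP TTL:50 TOS:0x20 ID:42160 IpLen:20 DgmLen:1500 DF
"""
# Constructed: the same alert as a single fast-format line.
FAST_SAMPLE = "12/24-23:14:14.289579  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 69.64.6.21:80 -> 98.194.134.87:10714\n"
```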