Netgate Discussion Forum
    Snort 2.9.2.3 pkg v. 2.2.2 - No Alert Description

    pfSense Packages
    • 1
      10101000
      last edited by

      @chowtamah:

      Today I reinstalled Snort 2.9.2.3 pkg v. 2.2.4.

      In the Blocked tab, the Alert description still shows N/A.
      But in the Alerts tab, alerts are showing up.

      In the Alerts tab, if I select WAN or LAN from the Instance to inspect, nothing shows up. If I click the 'Alerts' tab again, the list comes back.

      I didn't try the patch, as I could not install the System Patches package due to a repository error. It shows, 'Unable to retrieve package info from www.pfsense.com. Cached data will be used.'

      Chowtamah,

      Actually you can apply the patch from a terminal session. For this I've attached snort_blocked_patch.txt. To test that the patch is successful run:

      patch -C -p0 -i snort_blocked_patch.txt
      

      If no errors are output, perform the actual patch:

      patch -p0 -i snort_blocked_patch.txt
      

      I am happy to hear that this is working for most.

      Thanks

      snort_blocked_patch.txt

      • E
        eri--
        last edited by

        I merged your regex into 2.3.0, so please test whether it fixes it.

        • F
          fragged
          last edited by

          It seems like the Alert Descriptions changed from N/A to nothing. Also I'm now unable to save my suppression list. It just returns to the same form with no input in any of the fields.

          • E
            eri--
            last edited by

            Could a few different people post a small part of their alert files?
            They are in /var/log/snort*

            • C
              chowtamah
              last edited by

              Thanks to 10101000, Fesoj and ermal for all your efforts.

              I will test snort 2.3.0 and raise issues in cino's thread.

              2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

              Always trying to learn!!

              • F
                fragged
                last edited by

                Alert Descriptions are shown on the alerts page, but not on blocked.

                From /var/log/snort/snort_em033213/alert

                
                [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**]
                [Classification: Potential Corporate Privacy Violation] [Priority: 1] 
                07/10-05:26:57.360499 MYIP:47603 -> 204.9.163.247:80
                TCP TTL:50 TOS:0x0 ID:31437 IpLen:20 DgmLen:542 DF
                ***A**** Seq: 0x26B83575  Ack: 0x7AAE8D12  Win: 0x1FFE  TcpLen: 20
                [Xref => http://doc.emergingthreats.net/2002157]
                
                [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**]
                [Classification: Potential Corporate Privacy Violation] [Priority: 1] 
                07/10-05:26:57.597973 MYIP:14580 -> 78.141.177.158:80
                TCP TTL:52 TOS:0x0 ID:13728 IpLen:20 DgmLen:538 DF
                ***AP*** Seq: 0xB70BDB31  Ack: 0x989F230F  Win: 0x1FFE  TcpLen: 20
                [Xref => http://doc.emergingthreats.net/2002157]
                
                [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**]
                [Classification: Potential Corporate Privacy Violation] [Priority: 1] 
                07/10-05:26:57.747503 MYIP:62744 -> 92.122.50.146:80
                TCP TTL:55 TOS:0x0 ID:57600 IpLen:20 DgmLen:570 DF
                ***A**** Seq: 0x9C4E1C36  Ack: 0x4B26A476  Win: 0x3CC0  TcpLen: 32
                [Xref => http://doc.emergingthreats.net/2002157]
                
                [**] [1:2406417:287] ET RBN Known Russian Business Network IP UDP (209) [**]
                [Classification: Misc Attack] [Priority: 2] 
                07/10-05:27:01.426947 46.21.146.190:51413 -> MYIP:64284
                UDP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:58 DF
                Len: 30
                [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
                
                [**] [1:2406823:287] ET RBN Known Russian Business Network IP UDP (412) [**]
                [Classification: Misc Attack] [Priority: 2] 
                07/10-05:27:14.971087 89.248.163.5:53340 -> MYIP:60685
                UDP TTL:117 TOS:0x0 ID:6851 IpLen:20 DgmLen:58
                Len: 30
                [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
                
                [**] [1:2520104:1165] ET TOR Known Tor Exit Node TCP Traffic (53) [**]
                [Classification: Misc Attack] [Priority: 2] 
                07/10-05:28:31.199256 77.247.181.165:50103 -> MYIP:64284
                TCP TTL:50 TOS:0x0 ID:48027 IpLen:20 DgmLen:52 DF
                ******S* Seq: 0x85AA7429  Ack: 0x0  Win: 0x16D0  TcpLen: 32
                TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 10 
                [Xref => http://doc.emergingthreats.net/bin/view/Main/TorRules]
                
                • F
                  Fesoj
                  last edited by

                  Alert Descriptions are shown on the alerts page, but not on blocked.

                  ditto.

                  Nevertheless, with some emerging threats rules enabled, my pfsense system is snorting (snort 2.9.2.3 pkg v. 2.3.0).

                  • 1
                    10101000
                    last edited by

                    Thanks Ermal,

                    I presume that those with blank alerts have enabled FULL alert descriptions. The only problem that I can find at first glance is that "$pconfig['snortalertlogtype']" is not declared. This patch solves the problem.

                    --- /usr/local/www/snort/snort_blocked.php.broken	2012-07-10 23:01:18.000000000 -0600
                    +++ /usr/local/www/snort/snort_blocked.php	2012-07-10 23:27:11.000000000 -0600
                    @@ -38,6 +38,7 @@
                    
                     $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
                     $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
                    +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype'];
                    
                     if (empty($pconfig['blertnumber']))
                     	$bnentries = '500';
                    
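                    Review bot: the added assignment on the `+` line dereferences `$config['installedpackages']['snortglobal']['snortalertlogtype']` unconditionally, so on an install that has never saved that setting PHP emits an undefined-index notice and `$pconfig['snortalertlogtype']` ends up null, leaving whatever later branches on the log type with nothing to act on; guard it with `isset()` and fall back to the package default, the way the `if (empty($pconfig['blertnumber']))` context just below already supplies `'500'` for `blertnumber`.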
                    

                    Sincerely,

                    10101000

                    snort_blocked_2.3.0_patch.txt

                    • M
                      miles267
                      last edited by

                      What is the fix to get Alert Descriptions to properly display on the BLOCKED tab?  ALERTS tab is populated, but BLOCKED tab should be showing an Alert Description adjacent to each blocked IP vs blank or NA.

                      • 1
                        10101000
                        last edited by

                        Hi Miles, this time the problem is a simple typo. This should restore the blocked alert descriptions (for version 2.4.2):

                        --- /usr/local/www/snort/snort_blocked.php.broken       2012-07-12 14:38:45.000000000 -0600
                        +++ /usr/local/www/snort/snort_blocked.php      2012-07-12 14:43:41.000000000 -0600
                        @@ -38,7 +38,7 @@
                        
                         $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
                         $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
                        -$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
                        +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype'];
                        
                         if (empty($pconfig['blertnumber']))
                                $bnentries = '500';
                        
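                        Review bot: the `-` line shows the regression is a copy-and-paste of the `blertnumber` assignment directly above it (its right-hand side still reads `['alertsblocks']['blertnumber']`), and the `+` line restores the value the earlier 2.3.0 patch introduced; the commit message should spell out that the two settings live in different config subtrees (`snortglobal` versus `snortglobal` / `alertsblocks`) so a later merge does not reintroduce it. Separately, the `$bnentries = '500';` context line is indented with spaces here where the earlier hunk used a tab, so `patch` will reject this hunk against a file that kept the tab unless it is run with `-l` (ignore whitespace).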
                        • M
                          miles267
                          last edited by

                          @10101000:

                          Hi Miles, this time the problem is a simple typo. This should restore the blocked alert descriptions (for version 2.4.2):

                          --- /usr/local/www/snort/snort_blocked.php.broken       2012-07-12 14:38:45.000000000 -0600
                          +++ /usr/local/www/snort/snort_blocked.php      2012-07-12 14:43:41.000000000 -0600
                          @@ -38,7 +38,7 @@
                          
                           $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
                           $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
                          -$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
                          +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype'];
                          
                           if (empty($pconfig['blertnumber']))
                                  $bnentries = '500';
                          

                          Thank you for the patch.  I've just applied it and returned to the Snort > BLOCKED tab, and the Alert Descriptions are still missing for previously existing blocked IPs (blocked before I applied the patch).  Is this normal?  Will alert descriptions only be available for net new blocked IPs?

                          • 1
                            10101000
                            last edited by

                            Actually the snort blocked tab pulls the alert descriptions from matching entries inside the alerts log. If the alerts log has been cleared after an IP had been initially blocked (like upon package upgrade), this is why you don't see any alert descriptions. I would suggest using an online firewall test like GRC ShieldsUP to verify that newly blocked entries display the alert description.

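                            The lookup 10101000 describes, written out as an added Python example that is not part of this thread or of the pfSense Snort package: the Blocked tab keeps no description of its own, it matches each blocked IP against records in the alert log. The sample log is constructed in the full alert format posted earlier in the thread (MYIP is kept as the poster's redacted address); an IP with no surviving alert record, which is what a log cleared on package upgrade leaves behind, comes back as N/A.

```python
import re
from typing import Dict, List

# Constructed sample in Snort "full" alert format, modelled on the excerpt
# posted above; MYIP is the poster's redacted local address, kept as a token.
SAMPLE_ALERT_LOG = """\
[**] [1:2002157:10] ET POLICY Skype User-Agent detected [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
07/10-05:26:57.360499 MYIP:47603 -> 204.9.163.247:80
[Xref => http://doc.emergingthreats.net/2002157]

[**] [1:2520104:1165] ET TOR Known Tor Exit Node TCP Traffic (53) [**]
[Classification: Misc Attack] [Priority: 2]
07/10-05:28:31.199256 77.247.181.165:50103 -> MYIP:64284
[Xref => http://doc.emergingthreats.net/bin/view/Main/TorRules]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
# "timestamp src[:port] -> dst[:port]"; ports are absent for ICMP, so optional.
PACKET_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")

def parse_alert_log(text: str) -> List[dict]:
    """Split a full-format alert log into records. Blocks that do not start
    with a [**] header are skipped rather than glued onto a neighbour."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue
        rec = {"gid": head.group(1), "sid": head.group(2), "rev": head.group(3),
               "msg": head.group(4), "classification": None, "src": None, "dst": None}
        for ln in lines[1:]:
            if (c := CLASS_RE.match(ln)):
                rec["classification"] = c.group(1)
            elif (p := PACKET_RE.match(ln)):
                rec["src"], rec["dst"] = p.group(1), p.group(2)
        records.append(rec)
    return records

def blocked_descriptions(blocked_ips: List[str], alert_text: str) -> Dict[str, str]:
    """What the Blocked tab effectively does: the newest alert naming an IP
    supplies its description; an IP with no surviving alert record is 'N/A'."""
    by_ip: Dict[str, str] = {}
    for rec in parse_alert_log(alert_text):
        for ip in (rec["src"], rec["dst"]):
            if ip:
                by_ip[ip] = f"{rec['msg']} ({rec['classification']})"
    return {ip: by_ip.get(ip, "N/A") for ip in blocked_ips}
```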
                            • M
                              miles267
                              last edited by

                              10101000, I apologize; it was an error on my part.  I installed the System Patches package and copied your fix but failed to APPLY it :-) Since I've applied the fix and run the GRC ShieldsUP test, the alert descriptions have been restored.  Thanks again!

                              Is there any chance they will incorporate your fix into the snort package?

                              • E
                                eri--
                                last edited by

                                Please reinstall again!
                                You need a new snort binary for the alerts to be displayed correctly.

                                • M
                                  miles267
                                  last edited by

                                  @ermal:

                                  Please reinstall again!
                                  You need a new snort binary for the alerts to be displayed correctly.

                                  OK - since removing and reinstalling the latest snort package, the alert descriptions have gone back to N/A.  It doesn't appear that 10101000's patch has been included in the latest binary, unfortunately.  I suppose I can try to reapply his patch once more.  Could you please correct this blank/N/A alert description functionality for Blocked IPs in the next build?  Thanks.

                                  EDIT: I attempted to apply his latest system patch and it doesn't qualify to be applied.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.