Netgate Discussion Forum

    Snort 2.9.7.0 v 3.2.2 shows N/A

    pfSense Packages
      PfChris

      Hi everybody,

      I upgraded my Snort from 2.9.7.0 v 3.2.1 to 2.9.7.0 v 3.2.2.
      It seems to work fine but blocks Hosts and shows N/A as reason.

      Has anyone else seen this Problem?

      Reinstalling and Removing / installing has not worked.

      The first 189 Blocked "Hosts" show Reasons, the Rest is N/A

        godtor

        Same problem here with same snort version.

          BBcan177 Moderator

          See the following thread.. what you are seeing is normal. Just clear out the alerts/blocks and start fresh.

          https://forum.pfsense.org/index.php?topic=85049.msg466663#msg466663

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            bmeeks

            @PfChris:

            Hi everybody,

            I upgraded my Snort from 2.9.7.0 v 3.2.1 to 2.9.7.0 v 3.2.2.
            It seems to work fine but blocks Hosts and shows N/A as reason.

            Has anyone else seen this Problem?

            Reinstalling and Removing / installing has not worked.

            The first 189 Blocked "Hosts" show Reasons, the Rest is N/A

            As BBcan177 linked, this issue has been discussed before.  It's just the way the package works.  The BLOCKS tab "reason" field is populated from the active alerts log file.  If that file is cleared out and/or rotated, then the BLOCKS tab "reason" field will populate with "N/A" for all IP addresses in the packet filter table that do not have one or more matching IP entries in the alerts log.

            Bill

              PfChris

              I stopped Snort, cleared the Alerts, cleared the blocked - started snort.

              Works fine for the first 150 entries then N/A appears again…

                bmeeks

                @PfChris:

                I stopped Snort, cleared the Alerts, cleared the blocked - started snort.

                Works fine for the first 150 entries then N/A appears again…

                Do you have auto-logs management enabled on the LOGS MGMT tab?  If so, what settings are in place for the alert log?  As I described above, the "N/A" designation only displays when the PHP code building the BLOCKS tab can't find the blocked IP in the currently active alert log file.  To keep the GUI responsive, the code only searches the active alert log for the IP.  It will not go searching through all the rotated and archived log files.  Doing so could take a long time and freeze the GUI while it searched.

                Many folks, for some reason, insist on never clearing the Snort block table in the packet filter (the <snort2c> table).  So it will fill up with IPs over time, but during that same time interval the alert log file may get to the configured size limit and rotate.  At that point, you will have IPs still in the block table that are no longer in the active alert log file, and that will produce the "N/A" display.  It simply means the alert information is "not available" or "no longer available".

                If you want long-term storage of Snort alerts, you should use Barnyard2 and pipe them to a separate repository like Snorby or ELK.

                Bill

                  PfChris

                  Hi bmeeks,

                  I had "auto management" on and the Alerts File set to 500KB.

                  Changed it to 50MB and will now check if the "problem" occurs again.

                  Besides the "N/A" - does it work like it should?
                  If the N/A is only a "cosmetic" thing then I don't mind at all - as long as snort is working properly

                  Thank you for your help

                    bmeeks

                    @PfChris:

                    Hi bmeeks,

                    I had "auto management" on and the Alerts File set to 500KB.

                    Changed it to 50MB and will now check if the "problem" occurs again.

                    Besides the "N/A" - does it work like it should?
                    If the N/A is only a "cosmetic" thing then I don't mind at all - as long as snort is working properly

                    Thank you for your help

                    Most assuredly it works.  The "N/A" is purely cosmetic.  The blocked IP is in the blocking alias table (the <snort2c> table) or else it would not show up on the BLOCKED tab.  As I described above, the "N/A" simply means the alert log got rotated and so the GUI can't find the old alert description to display.  It does not mean the block is invalid or anything.  It just means the GUI code can't find the old rule description to show you (since it got rotated with the older alert log file).

                    Bill

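The lookup described in this thread, as an added example that is not part of any post and is not the Snort package's PHP code: each IP in the `<snort2c>` table is matched against the active alert log, falling back to rotated logs (which the GUI does not search) before reporting "N/A". The CSV column order, the function names and all sample data are assumptions of this example.

```python
import csv
import io

# Assumed column order of the package's alert_csv log (verify in snort.conf).
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src",
          "srcport", "dst", "dstport", "id", "classification", "priority"]

def parse_table(pfctl_output):
    """IPs from the text printed by `pfctl -t snort2c -T show`."""
    return pfctl_output.split()

def index_alerts(log_text):
    """Map every source/destination IP in alert log text to its rule messages."""
    index = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < len(FIELDS):
            continue  # skip blank or truncated lines
        rec = dict(zip(FIELDS, (col.strip() for col in row)))
        for ip in (rec["src"], rec["dst"]):
            msgs = index.setdefault(ip, [])
            if rec["msg"] not in msgs:
                msgs.append(rec["msg"])
    return index

def block_reasons(blocked_ips, active_log, rotated_logs=()):
    """Return {ip: (reason, where)}; where is 'active', 'rotated' or None."""
    active = index_alerts(active_log)
    # The GUI skips this second index to stay responsive; offline it is cheap.
    rotated = index_alerts("\n".join(rotated_logs))
    result = {}
    for ip in blocked_ips:
        if ip in active:
            result[ip] = ("; ".join(active[ip]), "active")
        elif ip in rotated:
            result[ip] = ("; ".join(rotated[ip]), "rotated")
        else:
            result[ip] = ("N/A", None)  # block is still valid, reason is gone
    return result

# Constructed sample data: documentation IP ranges and made-up rule messages.
TABLE = "   198.51.100.23\n   203.0.113.7\n   192.0.2.99\n"
ACTIVE_LOG = ('01/20/15-10:02:11.000001 ,1,1000001,1,"EXAMPLE constructed rule A",'
              'TCP,203.0.113.7,4444,192.0.2.10,80,1,Misc activity,3\n')
ROTATED_LOG = ('01/12/15-08:30:00.000001 ,1,1000002,1,"EXAMPLE constructed rule B",'
               'UDP,198.51.100.23,53,192.0.2.10,5353,2,Misc activity,3\n')

if __name__ == "__main__":
    found = block_reasons(parse_table(TABLE), ACTIVE_LOG, [ROTATED_LOG])
    for ip, (reason, where) in found.items():
        print(ip, reason, where)
```

An IP that comes back as "N/A" here has no alert in any log that was supplied, which is the case where only an external store such as the Barnyard2 repository mentioned above would still hold the reason.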