No Alert Explanation in Snort
-
I am new to snort but it seems to be blocking some IPs that I need and I cannot figure out why. I have attached two screenshots. One shows the blocked IPs with N/A for the explanation. The other shows that snort does not record any alerts. Any ideas?
-
What is the "clear blocked hosts interval" set for? Is it "NEVER" perhaps?
The only time you can have what you see is when the Alert log has been cleared but not the blocked hosts table. The BLOCKS screen reads old alerts from the ALERTS tab to find the descriptions to show for the blocked IPs. The only thing stored in the pfSense snort2c table is the IP address of a blocked host. The packet filter does not store "why" it blocked a host – just the IP that was blocked gets stored. When Snort displays blocked hosts on the BLOCKED tab, it is simply displaying the IP addresses read from the packet filter's snort2c table. It then tries to find those same IP addresses in the alerts log so it can grab the matching description strings to show why it was blocked (and the time). So if the alert log is empty, then the GUI shows "N/A" for the block reason because it has no way to find out what the reason was.
Bill
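The correlation Bill describes, as an added illustration that is not part of the thread or of the pfSense Snort package code: the script parses a constructed alert log in Snort's "fast" format, takes a constructed list of IPs standing in for the snort2c table (which on a real box would come from `pfctl -t snort2c -T show`), and builds the description the BLOCKED tab would show, falling back to "N/A" whenever the alert log has no entry for a blocked IP. The rule SIDs, messages and addresses are made up for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample in Snort "fast" alert format (what the pfSense Snort
# package writes to /var/log/snort/<interface dir>/alert). SIDs are in the
# local range and the messages are invented for this example.
SAMPLE_ALERT_LOG = """\
05/03-15:39:49.123456  [**] [1:1000001:1] CONSTRUCTED suspicious reply [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.5:51234
05/03-15:41:02.000001  [**] [1:1000002:1] CONSTRUCTED scan source [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:4444 -> 192.0.2.5:22
05/03-15:42:10.500000  [**] [1:1000003:1] CONSTRUCTED icmp probe [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.5
"""

# Constructed stand-in for the output of `pfctl -t snort2c -T show`: the
# packet filter table holds nothing but addresses, no reason and no time.
SAMPLE_SNORT2C_TABLE = ["203.0.113.10", "198.51.100.7", "192.0.2.99"]

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {proto}, src -> dst (ports optional, none for ICMP).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def _strip_port(endpoint):
    """Return the address part of 'ip:port' or plain 'ip'; None if not an IP."""
    for candidate in (endpoint, endpoint.rpartition(":")[0]):
        try:
            return str(ip_address(candidate))
        except ValueError:
            continue
    return None


def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        src, dst = _strip_port(m["src"]), _strip_port(m["dst"])
        if src is None or dst is None:
            continue
        alerts.append({"time": m["ts"], "sid": int(m["sid"]),
                       "msg": m["msg"], "src": src, "dst": dst})
    return alerts


def describe_blocks(blocked_ips, alerts):
    """Mimic the BLOCKED tab: for each table entry, find the most recent alert
    naming that IP and build its description; "N/A" when nothing matches."""
    result = {}
    for ip in blocked_ips:
        matches = [a for a in alerts if ip in (a["src"], a["dst"])]
        if matches:
            latest = matches[-1]  # the alert file is appended in time order
            result[ip] = f"{latest['msg']} (SID {latest['sid']}, {latest['time']})"
        else:
            result[ip] = "N/A"
    return result


if __name__ == "__main__":
    alerts = parse_fast_alerts(SAMPLE_ALERT_LOG)
    for ip, why in describe_blocks(SAMPLE_SNORT2C_TABLE, alerts).items():
        print(f"{ip:16} {why}")
    print("--- alert log cleared, snort2c table kept (interval = NEVER) ---")
    for ip, why in describe_blocks(SAMPLE_SNORT2C_TABLE, []).items():
        print(f"{ip:16} {why}")
```

The second pass reproduces the situation in the original post: the table still lists the hosts, but with an empty alert log every entry comes back as "N/A", which is why the fix is to keep the alert log and the block table in step rather than to look for a missing "reason" field in the packet filter.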
-
Maybe I have a log file problem. I do have it set to never but I have been clearing it regularly. I am able to clear blocked IPs, check back 30 minutes later and have the results I've posted (i.e. blocked IPs but no reasons why and no alerts).
-
You should see a text log file in /var/log/snort/{snort_interface} where {snort_interface} is a unique directory name composed of your physical NIC name and a UUID. The file will be called alert.
What do you see when you view the ALERTS tab? You should be seeing alerts there matching up with the blocks on the BLOCKED tab.
Bill
-
Look at the two attachments from my original post. I get locked out IPs with "NA" as description while the Alerts page is completely blank. I need to get back to the router and I will see if there's a file in the path that you mentioned in your post.
-
I see the two files listed in my snort's WAN port directory (/var/log/snort/snort_igb061418). I tried downloading the file but it does not appear to be a text file.
$ ls /var/log/snort/snort_igb061418
barnyard2
snort_61418_igb0.u2.1430695189
-
No, those are not the files. The one with "u2" in the name is a Barnyard2 Unified Log file. Those are binary. The filename should be "alert". Try stopping and restarting Snort.
Bill