Firewall logs (GUI) still not right?
-
G'day ;D
I looked in the open issues in redmine, but in these 15 open issues there is nothing about firewall logs not displaying the right thing.
We've had these problems in 2.1 (and I think 2.0 too), and then it was said in 2.2 this would all be solved because of using a different 'engine' (or something like that, I forgot, anyway: some other way of programming I believe it was).
However, I am on the Jan 9 snapshot (and before that on the Jan 8 snapshot, and before that on the Jan 7 snapshot ;D ), and the issue has been here all these days as it was in 2.1.5.
The issue is: the firewall rules description is incorrect as per the attached screenshots:
-
Block 1: that is an IPv6 broadcast block on an IPv4 VLAN showing on interface LAN and the description is incorrect (see pic2 for that fw rule). The rule accidentally even was disabled, btw, I noticed when I wanted to make a screenshot to attach to this post.
-
Block 2: this too is showing on LAN, saying it is from the OpenVPN interface (client to PIA), and it is blocking an address supposedly in an alias of mine I created based on Snort reports. That alias however contains only 2 IP-ranges, and the blocked IP is not in it (pic3);
-
Block 3: never saw that before. Snort2c is the general Snort block table if I am correct, but on no interface has Snort been told to send alerts to the system log. And: that blocked IP (the same as in Block 2, btw), wasn't in the IPs Snort blocked (in the Snort interface).
So the very same problem that bugged in 2.1.x is still here, making the firewall logs rather useless and making problem solving a royal pain in my big b*tt ( ;D )
-
-
Pretty sure your issues will go away as soon as you've uninstalled Snort, no matter if it's 2.1.5 or 2.2-RC
-
This be all three Snort related? :o
But the first rule not(?)
-
One more :)
-
The tracker IDs for user rules are constant however some automatically generated rules may have tracker IDs that don't line up. This usually isn't a problem for current logs, but can be for old logs. And then it's typically only a problem if interfaces or similar items have been added/removed that caused the internal tracker IDs to shift. User-entered rule tracker IDs will never change, though, as they are stored as part of the rule.
Usually when I see this it's from old log entries as I've been messing around reconfiguring VMs.
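The tracker-ID mechanism described in the post above, as an added example (not code from the thread or from pfSense): a log entry carries only a tracker ID, so when automatically generated rules are renumbered after an interface change, an old entry resolves to whatever rule now holds that number. The rule sets, tracker values and the simplified log format are constructed for the example; the check flags entries whose logged interface disagrees with the resolved rule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    tracker: int
    interface: str
    descr: str
    user_rule: bool  # user rules keep their tracker; generated ones may shift

# Constructed rule set as it stood when the log entries were written.
RULES_AT_LOG_TIME = [
    Rule(1000000101, "lan", "block IPv6 broadcast (auto)", False),
    Rule(1000000102, "ovpnc1", "block snort2c (auto)", False),
    Rule(1420000001, "lan", "Block Snort alias", True),
]

# Same firewall after an interface was added: the generated rules were
# renumbered, the user-entered rule kept its tracker ID.
RULES_NOW = [
    Rule(1000000101, "opt2", "allow DHCP on new VLAN (auto)", False),
    Rule(1000000102, "lan", "block IPv6 broadcast (auto)", False),
    Rule(1000000103, "ovpnc1", "block snort2c (auto)", False),
    Rule(1420000001, "lan", "Block Snort alias", True),
]

# Constructed, simplified log lines (not the real filterlog layout):
# tracker,interface,action,src,dst
LOG = """\
1000000101,lan,block,fe80::1,ff02::1
1420000001,lan,block,203.0.113.7,192.168.1.10
1000000102,ovpnc1,block,198.51.100.5,10.8.0.2
"""

def parse_log(text):
    entries = []
    for line in text.splitlines():
        tracker, iface, action, src, dst = line.split(",")
        entries.append({"tracker": int(tracker), "iface": iface,
                        "action": action, "src": src, "dst": dst})
    return entries

def resolve(entries, rules):
    """Return (tracker, logged iface, description, stale) per entry.
    stale is True when no rule carries the tracker or the rule that does
    now sits on a different interface than the one the entry was logged on;
    a renumbered rule on the same interface would not be caught this way."""
    by_tracker = {r.tracker: r for r in rules}
    out = []
    for e in entries:
        r = by_tracker.get(e["tracker"])
        descr = r.descr if r else "<no rule with this tracker>"
        stale = r is None or r.interface != e["iface"]
        out.append((e["tracker"], e["iface"], descr, stale))
    return out
```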
-
Pretty sure your issues will go away as soon as you've uninstalled Snort, no matter if it's 2.1.5 or 2.2-RC
Snort should have no bearing at all on the OP's reported issue. Snort does not fiddle with firewall rules in any way.
Bill