Suricata Block List does not = snort2c Table? Why not?
-
My snort2c table contains 19,465 entries, however my suricata blocked hosts lists now only contains 15 entries. What's going on here?
-
To clarify:
Under the Blocks Tab in suricata, if I put in say 20,000 entries to be shown it populates a few hundred and at the bottom of the page says
320 host IP addresses are currently being blocked.
If I go to diagnostics - Tables and open the snort2c table, it loads 19k+ entries (including the ones that show up on the suricata Blocks tab.
If I download the Blocked Hosts List from the suricata Block tab, it downloads the snort2c table with 19k+ entries in it.
This did not behave like this before, it has always shown all of the entries from my snort2c table in the Block tab, it just started doing this a couple days ago I think?
-
Sounds like perhaps a bug in "tailing" the blocked hosts file. The BLOCKS tab simply does a "tail" on the blocked hosts file and shows the result in the table on the tab. Note that one difference could also be the way the BLOCKS tab sorts and groups events. It will group events for the same IP address (host) under a common single table entry. The raw blocked hosts file and the snort2c table will contain one line for each event per host. So the line counts will not usually line up between those files and the BLOCKS tab unless you only have one event per host.
There still may be a "tail" issue in the PHP code for the BLOCKS tab. I will need to investigate it further. Been a long time since that code was toyed with, though.
Bill
-
Cool, thanks! I'm using 2.4, so it might be something going on there?
