snort blocked link alert
-
Hello,
Can I edit the blocked page in Snort so I can add a link to the items in it that is linked to the related record in alerts?
Thanks.
-
Well, if you can code in PHP, you can give it a try. The two files are /usr/local/www/snort/snort_alerts.php and /usr/local/www/snort/snort_blocked.php. Any changes you make will be overwritten the next time you update the Snort package. Also be aware that what you want to do is not a trivial task.
The BLOCKED tab gives you the time and date of the alert (and there can very well be several alerts related to a single IP). You can find the alert that caused a block quite easily on the ALERTS tab by sorting that page by the Date column. Simply click the Date column header to sort.
-
Where is the function that imports the alert to the blocked page?
-
There is no single function. The entire bottom half of the BLOCKED page code is dedicated to reading the alert log, parsing the results and then displaying them on the web page.
What you want to do will require rewriting large parts of the ALERTS tab code as well. The code currently saves no sort of "ID" that uniquely identifies each alert entry in the log, so creating a URL link from the BLOCKED tab to the ALERTS tab is not feasible without also rewriting the ALERTS tab code.
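
The missing-ID problem described in the last reply, as an added example that is not part of the thread and not code from the Snort package: derive a stable ID from each raw log line and index alerts by IP, so both pages could compute the same anchor. The CSV column order, the function names and the sample log lines are assumptions constructed for illustration.

```php
<?php
// Added example, not pfSense Snort package code. The column order
// below is an assumption; the sample log lines are constructed.
const ALERT_FIELDS = ['timestamp', 'gid', 'sid', 'rev', 'msg', 'proto',
                      'src', 'sport', 'dst', 'dport'];

// The log stores no per-alert ID, so derive one from the raw line.
// Two byte-identical lines would share an ID.
function alert_id(string $line): string {
    return substr(hash('sha256', rtrim($line, "\r\n")), 0, 12);
}

// Parse log lines into alert records, each carrying its derived ID.
function parse_alerts(array $lines): array {
    $alerts = [];
    $n = count(ALERT_FIELDS);
    foreach ($lines as $line) {
        $cols = str_getcsv($line, ',', '"', '\\');
        if (count($cols) < $n) {
            continue; // skip truncated or malformed lines
        }
        $rec = array_combine(ALERT_FIELDS, array_slice($cols, 0, $n));
        $rec['id'] = alert_id($line);
        $alerts[] = $rec;
    }
    return $alerts;
}

// Map every address seen in an alert to the IDs of the alerts naming it.
function alerts_by_ip(array $alerts): array {
    $index = [];
    foreach ($alerts as $a) {
        foreach (array_unique([$a['src'], $a['dst']]) as $ip) {
            $index[$ip][] = $a['id'];
        }
    }
    return $index;
}

$log = [ // constructed sample lines using documentation address ranges
    '01/15-10:02:11.123456,1,1000001,1,"Sample rule A",TCP,203.0.113.7,51514,192.0.2.10,443',
    '01/15-10:02:15.654321,1,1000002,2,"Sample rule B",TCP,203.0.113.7,51520,192.0.2.10,80',
    'garbage line without enough fields',
];
$index = alerts_by_ip(parse_alerts($log));
foreach ($index['203.0.113.7'] ?? [] as $id) {
    // Escape on output: alert log content is influenced by remote traffic.
    echo htmlspecialchars('203.0.113.7'), ' -> #alert-', $id, "\n";
}
```

Because the ID is computed from the line itself, the alerts page would have to emit the same value as an anchor for the link to resolve, which is the rewrite of both pages the reply refers to.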