Snort suppress or disable alerts not working
-
Uninstalling the snort package and reinstalling seems to have fixed this
-
This indicates that for some reason you wound up with a duplicate Snort instance running on the interface. So you get two copies of Snort both running on the same interface at the same time. Unfortunately when this happens, the GUI loses control of one of the interfaces and so any changes you make get applied to one instance but not the other. Your alerts were continuing to come from that "other" instance. In the past I've referred to these as "zombie" processes, but technically I guess that's not completely accurate since they are running. Normally "zombie" means dead.
When you uninstall Snort, it runs a "kill all" command on any running Snort processes. That would have killed off the zombie process.
If you encounter this again, run the following command from a shell prompt on the firewall:
ps -ax | grep snort
You should see exactly one and only one Snort instance per configured interface. You will see the physical interface names displayed in the output. If you see more than one Snort instance on the same physical interface, then you have the "zombie" problem. You will need to kill the duplicate process.
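A small helper for the check described in the reply above, added here as an example and not part of the original thread: it reads the output of `ps -ax | grep snort` and reports every interface that has more than one Snort process bound to it, along with the PIDs involved. It assumes the pfSense package starts each Snort instance with `-i <ifname>` on its command line; the sample ps lines below are constructed.

```shell
# Constructed sample of what `ps -ax | grep snort` might print on a firewall
# with a duplicate Snort instance on em1 (assumption: each instance is started
# with "-i <ifname>"; the other flags are illustrative only).
SAMPLE_PS='12345  -  Ss    0:05.12 /usr/local/bin/snort -D -q -l /var/log/snort/snort_em0 -i em0
12399  -  Ss    0:04.80 /usr/local/bin/snort -D -q -l /var/log/snort/snort_em1 -i em1
14001  -  Ss    0:01.03 /usr/local/bin/snort -D -q -l /var/log/snort/snort_em1 -i em1
14777  0  S+    0:00.00 grep snort'

# find_duplicate_snort: read ps output on stdin and print one line per
# interface that has more than one Snort process:  <ifname> <count> <pid...>
# Prints nothing when every interface has exactly one instance.
find_duplicate_snort() {
    awk '
        # only lines whose command is the snort binary; this skips the
        # "grep snort" line that ps | grep always includes
        /\/snort / {
            for (i = 1; i <= NF; i++) {
                if ($i == "-i" && i < NF) {
                    ifname = $(i + 1)
                    count[ifname]++
                    pids[ifname] = pids[ifname] " " $1   # $1 is the PID
                }
            }
        }
        END {
            for (ifname in count) {
                if (count[ifname] > 1) {
                    printf "%s %d%s\n", ifname, count[ifname], pids[ifname]
                }
            }
        }
    '
}

# Demo on the constructed sample; on a live box use:
#   ps -ax | grep snort | find_duplicate_snort
printf '%s\n' "$SAMPLE_PS" | find_duplicate_snort
```

An empty result means one instance per interface, which is the healthy state; any line printed names the interface and the PIDs to examine before killing the duplicate.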
-
@bmeeks Thanks for the reply, if I see this issue again I will definitely look for additional snort processes running.