Netgate Discussion Forum

    Dashboard Snort Alert Not Working.

    pfSense Packages
    9 Posts 4 Posters 5.7k Views
    • serialdie

      The Dashboard Snort widget does not work for me in embedded 1.2.3.
      Is anybody using it, and is it working for them?

      TIA!

      • jimp Rebel Alliance Developer Netgate

        If you have the checkbox set to turn snort alerts into clickable links, you don't get the short-format logs that the widget parser needs.

        That was the issue last time I reinstalled the package, anyhow.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • simby

          I have the same problem… Fresh install and Snort is working, no alerts and no blocked IPs (I have tried with grc.com).

          What is the problem... what can I do to fix this?

          • serialdie

            @jimp:

            If you have the checkbox set to turn snort alerts into clickable links, you don't get the short-format logs that the widget parser needs.

            That was the issue last time I reinstalled the package, anyhow.

            jimp,

            No, I don't have that enabled; I am just simply not getting alerts… The alerts are being generated in the Alerts tab but not going to the dashboard...
            I have fast logging enabled, and here is an example of the alerts...

            [ ** ] [ 1:15362:1 ] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [ ** ] 
            [ Classification: Misc activity ] [ Priority: 3 ] 
            12/24-23:14:14.289579 69.64.6.21:80 -> 98.194.134.87:10714
            TCP TTL:50 TOS:0x20 ID:42160 IpLen:20 DgmLen:1500 DF
            A* Seq: 0xC111C640 Ack: 0x50EBD161 Win: 0xFFFF TcpLen: 20
            [ Xref => http://www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html ] [ Xref => http://cansecwest.com/slides07/csw07-nazario.pdf ]

            Thank You.

            • jimp Rebel Alliance Developer Netgate

              Then be sure you have the log output set to fast, not full.

              • serialdie

                jimp,

                I have it on fast and I have nothing in my dashboard.

                Thanks.

                • jimp Rebel Alliance Developer Netgate

                  Are you sure that you have single-line logs showing under the Alerts tab? The ones you pasted before are multi-line and are the "full" entries, not "fast".

                  Also try unchecking "Associate blocked events" (or whatever that box is called).

                  • serialdie

                    I did notice the logs being in full and not fast… A restart took care of the issue. Thanks jimp.

                    • jamesdean

                      Please be patient.

                      I have added code to snort-dev to parse snort fast and full logs.
                      The parsing was not easy.

                      I will add said code to the snort widget when I have time.

                      James
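
The fast/full distinction discussed in this thread, as an added example that is not part of any post and is not the widget's or snort-dev's code: a Python parser that accepts both layouts and reports whether a log holds only single-line entries. The function names and the fast-format sample line are constructed for illustration; the full-format sample is the entry pasted earlier in the thread.

```python
import re

TS = r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
HEAD = r"\[\s*\*\*\s*\]\s*\[\s*(?P<sid>\d+:\d+:\d+)\s*\]\s*(?P<msg>.*?)\s*\[\s*\*\*\s*\]"
PRIO = r"\[\s*Priority:\s*(?P<prio>\d+)\s*\]"
ADDR = r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
# fast: everything on one line, timestamp first, protocol in braces
FAST_RE = re.compile(rf"^{TS}\s+{HEAD}.*?{PRIO}\s*\{{\w+\}}\s*{ADDR}$")
# full: record starts with the [**] header line; details follow on later lines
FULL_HEAD_RE = re.compile(rf"^{HEAD}$")
FULL_DETAIL_RES = [re.compile(PRIO), re.compile(rf"^{TS}\s+{ADDR}$")]

# Multi-line "full" entry copied from the post above (Xref line omitted).
FULL_SAMPLE = """\
[ ** ] [ 1:15362:1 ] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [ ** ]
[ Classification: Misc activity ] [ Priority: 3 ]
12/24-23:14:14.289579 69.64.6.21:80 -> 98.194.134.87:10714
TCP TTL:50 TOS:0x20 ID:42160 IpLen:20 DgmLen:1500 DF
"""
# Constructed: the same alert laid out as Snort's single-line "fast" output.
FAST_SAMPLE = ("12/24-23:14:14.289579  [**] [1:15362:1] WEB-CLIENT obfuscated "
               "javascript excessive fromCharCode - potential attack [**] "
               "[Classification: Misc activity] [Priority: 3] {TCP} "
               "69.64.6.21:80 -> 98.194.134.87:10714")

def parse_alerts(text):
    """Return one dict per alert, tagged with the format it was logged in."""
    alerts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        fast, head = FAST_RE.match(line), FULL_HEAD_RE.match(line)
        if fast:
            alerts.append({"format": "fast", **fast.groupdict()})
            current = None
        elif head:
            current = {"format": "full", **head.groupdict()}
            alerts.append(current)
        elif not line:
            current = None          # blank line ends a full record
        elif current is not None:
            for rx in FULL_DETAIL_RES:
                m = rx.search(line)
                if m:
                    current.update(m.groupdict())
    return alerts

def all_single_line(text):
    """True only when every alert found is a one-line (fast) entry."""
    alerts = parse_alerts(text)
    return bool(alerts) and all(a["format"] == "fast" for a in alerts)
```

Running `all_single_line` over the alert log is a quick way to confirm which output format Snort is actually writing after a settings change or restart.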

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.