Bug in Snort Alerts Display - Calendar



  • Bill?

    Although the Dashboard Widget has been showing the latest alerts this past week, I took a look at the "Alerts" tab within Snort and there seems to be an issue with how alerts are being displayed… and it's about to correct itself...

    Right now my log is set to the default 250 latest events.  It is now showing events from 12/31/2013 at the top of the log.  There are a few events going back to the evening of 12/29/2013 then the events from this morning start and continue to populate back over the past few days until all 250 entries are filled.  So it looks like the Alerts display is only parsing the month/day and not the year for the latest events display?  No big deal to me... the data I wanted to see is there and as soon as about 30 more entries hit the log this issue will be moot but thought someone might want to look at it before next New Year's event.

    Rick



  • @Ramosel:

    Bill?

    Although the Dashboard Widget has been showing the latest alerts this past week, I took a look at the "Alerts" tab within Snort and there seems to be an issue with how alerts are being displayed… and it's about to correct itself...

    Right now my log is set to the default 250 latest events.  It is now showing events from 12/31/2013 at the top of the log.  There are a few events going back to the evening of 12/29/2013 then the events from this morning start and continue to populate back over the past few days until all 250 entries are filled.  So it looks like the Alerts display is only parsing the month/day and not the year for the latest events display?  No big deal to me... the data I wanted to see is there and as soon as about 30 more entries hit the log this issue will be moot but thought someone might want to look at it before next New Year's event.

    Rick

    This has been fixed with an "unannounced" minor update I pushed the day after New Year's.  Just reinstall the Snort package GUI and it should be OK.  The change was so minor that I did not bump the Snort package version.

    To reinstall, go to System…Packages and the Installed Packages tab.  Click the XML icon beside the Snort entry to reinstall the GUI components.  Check and be sure you have clicked "save settings on de-install" on the Global Settings tab first to preserve your configuration.

    Bill



  • @Ramosel:

    Bill?

    Right now my log is set to the default 250 latest events.  It is now showing events from 12/31/2013 at the top of the log.  There are a few events going back to the evening of 12/29/2013 then the events from this morning start and continue to populate back over the past few days until all 250 entries are filled.  So it looks like the Alerts display is only parsing the month/day and not the year for the latest events display?  No big deal to me… the data I wanted to see is there and as soon as about 30 more entries hit the log this issue will be moot but thought someone might want to look at it before next New Year's event.

    Rick

    I'm experiencing the same (date) problem with Snort and this is the exact reason I came to the forums (to find answers).

    I was checking my Snort Alerts and I was wondering if it had stopped working because "12/31/13 Logs" are stuck on the top of the alerts page and I wasn't seeing any new Alerts in the last 7 days, but after reading your post I realize the Alerts logs are actually being displayed at the bottom of the page (Oversight). My Alerts are configured to show (250) new alerts at the top btw.

    Will try to update Snort as @bmeeks suggested

    Thanks



  • @humps:

    @Ramosel:

    Bill?

    Right now my log is set to the default 250 latest events.  It is now showing events from 12/31/2013 at the top of the log.  There are a few events going back to the evening of 12/29/2013 then the events from this morning start and continue to populate back over the past few days until all 250 entries are filled.  So it looks like the Alerts display is only parsing the month/day and not the year for the latest events display?  No big deal to me… the data I wanted to see is there and as soon as about 30 more entries hit the log this issue will be moot but thought someone might want to look at it before next New Year's event.

    Rick

    I'm experiencing the same (date) problem with Snort and this is the exact reason I came to the forums (to find answers).

    I was checking my Snort logs and I was wondering if it had stopped working because "12/31/13 Logs" are stuck on the top of the alerts page and I wasn't seeing any new notifications in the last 7 days, but after reading your post I realize the logs are actually being displayed at the bottom of the page (Oversight). My Alerts are configured to show (250) new alerts at the top btw.

    Will try to update Snort as @bmeeks suggested

    Thanks

    The update should square things up.  There was a problem with the way Snort itself formulates timestamps that caused a sorting anomaly.  Internally the Snort binary writes the timestamps in MM/DD/YY form.  That format will not sort correctly.  I changed the code to do some internal magic so it could pull out the year and then the month for sorting.

    Bill
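
The sorting anomaly described in the reply above, reproduced as an added example (it is not the Snort package's code, which this thread does not show). The sample alerts are constructed, the time portion after the MM/DD/YY date is an assumed layout, and the function names are hypothetical.

```python
from datetime import datetime

# Constructed sample alerts (timestamp, message). The MM/DD/YY date part is what
# the thread describes; the "-HH:MM:SS.ffffff" tail is an assumed layout.
SAMPLE_ALERTS = [
    ("12/29/13-21:14:02.118204", "constructed alert A"),
    ("12/31/13-23:58:41.902211", "constructed alert B"),
    ("01/01/14-00:03:17.450031", "constructed alert C"),
    ("01/05/14-08:22:10.000512", "constructed alert D"),
    ("01/07/14-06:45:55.731900", "constructed alert E"),
]


def sort_key(timestamp):
    """Turn MM/DD/YY-HH:MM:SS.ffffff into a value that orders by year first."""
    try:
        return datetime.strptime(timestamp, "%m/%d/%y-%H:%M:%S.%f")
    except ValueError:
        # Unparseable lines sink to the bottom of a newest-first view
        # instead of aborting the whole display.
        return datetime.min


def newest_first_naive(alerts, limit=250):
    """Sort on the raw string: month is compared before year (the anomaly)."""
    return sorted(alerts, key=lambda a: a[0], reverse=True)[:limit]


def newest_first_fixed(alerts, limit=250):
    """Sort on the parsed timestamp, so year outranks month."""
    return sorted(alerts, key=lambda a: sort_key(a[0]), reverse=True)[:limit]


if __name__ == "__main__":
    for name, view in (("naive", newest_first_naive), ("fixed", newest_first_fixed)):
        print(name, [ts[:8] for ts, _ in view(SAMPLE_ALERTS, limit=3)])
```

With a display limit smaller than the log, the naive ordering not only puts December on top but can push the newest January alerts out of the view entirely, which is why an analyst may read it as Snort having stopped alerting.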



  • @bmeeks:

    This has been fixed with an "unannounced" minor update I pushed the day after New Year's.  Just reinstall the Snort package GUI and it should be OK.  The change was so minor that I did not bump the Snort package version.

    To reinstall, go to System…Packages and the Installed Packages tab.  Click the XML icon beside the Snort entry to reinstall the GUI components.  Check and be sure you have clicked "save settings on de-install" on the Global Settings tab first to preserve your configuration.

    Done and done… thank you, Bill, for the quick response, that was it.

    We know what you meant, but for those following, the (current) actual heading under Global Settings/General Settings is:  Keep Snort Settings after Deinstall

    Rick

