3. Snort blocked ips in reverse order

Snort blocked ips in reverse order

  • D

    Snort package 3.0.6 is showing the blocked ips in referee order. Previous versions showed the newest on top, just like the alerts tab

    0

  • @digdug3:

    Snort package 3.0.6 is showing the blocked ips in referee order. Previous versions showed the newest on top, just like the alerts tab

    I'm not seeing this on my test VM with a new install from this morning.  I checked both the ALERTS tab and the Dashboard Widget, and they both showed the alerts in descending order (newest on top).  Check the setting for the System Log display and see if "show events in reverse order" is checked.

    Bill

    0
  • D

    Yes, the setting is checked. In the syslog newest entries are on top. In Snort the newest alerts are also on top in every interface, but in the blocked list the newest is the last one… This is a pfSense 2.1.2 i386 (updated from 2.1.1)

    0
  • Moderator

    In my installations I see the Alerts tab showing the entries newest first.

    When you look at the Blocked Page, I think it displays the first alert only for the spp_rep Alert.

    If you sort by the "#" column it actually isn't in order (By date/time) which I assume should be.

    0

  • @BBcan17:

    In my installations I see the Alerts tab showing the entries newest first.

    When you look at the Blocked Page, I think it displays the first alert only for the spp_rep Alert.

    If you sort by the "#" column it actually isn't in order (By date/time) which I assume should be.

    Ah…OK.  I will look into that.  The BLOCKED tab does some grouping by taking a blocked IP and then finding all the matching entries for that particular IP anywhere in the Alerts log file.  So if IP address 1.2.3.4 has been blocked say 10 times in the last 3 days, when it gets blocked again, the BLOCKED tab will show all the previous 10 entries along with the current one.  This assumes two things:  (1) you have the blocks being automatically cleared on some interval, and (2) the alerts log has not been itself cleared out.

    UPDATE:  there is no sorting of the grouped IP data.  That is, the code does not specifically sort by alert time when grouping IPs for display on the BLOCKED tab.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy