Netgate Discussion Forum

    Snort blocked ips in reverse order

    pfSense Packages
      digdug3 last edited by

      Snort package 3.0.6 is showing the blocked IPs in reverse order. Previous versions showed the newest on top, just like the alerts tab.

        bmeeks last edited by

        @digdug3:

        Snort package 3.0.6 is showing the blocked IPs in reverse order. Previous versions showed the newest on top, just like the alerts tab.

        I'm not seeing this on my test VM with a new install from this morning.  I checked both the ALERTS tab and the Dashboard Widget, and they both showed the alerts in descending order (newest on top).  Check the setting for the System Log display and see if "show events in reverse order" is checked.

        Bill

          digdug3 last edited by

          Yes, the setting is checked. In the syslog newest entries are on top. In Snort the newest alerts are also on top in every interface, but in the blocked list the newest is the last one… This is a pfSense 2.1.2 i386 (updated from 2.1.1)

            BBcan177 Moderator last edited by

            In my installations I see the Alerts tab showing the entries newest first.

            When you look at the Blocked Page, I think it displays the first alert only for the spp_rep Alert.

            If you sort by the "#" column, it actually isn't in order (by date/time), which I assume it should be.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              bmeeks last edited by

              @BBcan17:

              In my installations I see the Alerts tab showing the entries newest first.

              When you look at the Blocked Page, I think it displays the first alert only for the spp_rep Alert.

              If you sort by the "#" column, it actually isn't in order (by date/time), which I assume it should be.

              Ah…OK.  I will look into that.  The BLOCKED tab does some grouping by taking a blocked IP and then finding all the matching entries for that particular IP anywhere in the Alerts log file.  So if IP address 1.2.3.4 has been blocked say 10 times in the last 3 days, when it gets blocked again, the BLOCKED tab will show all the previous 10 entries along with the current one.  This assumes two things:  (1) you have the blocks being automatically cleared on some interval, and (2) the alerts log has not been itself cleared out.

              UPDATE:  there is no sorting of the grouped IP data.  That is, the code does not specifically sort by alert time when grouping IPs for display on the BLOCKED tab.

              Bill

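The grouping described in the last post, with the missing sort by alert time added, as an example written for this page (it is not the Snort package's own code). The CSV column layout, the matching on either source or destination address, and all sample lines and addresses are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample alert log. Assumed column layout (not taken from the thread):
# timestamp,gid,sid,rev,msg,proto,src,srcport,dst,dstport
ALERT_LOG = """\
04/20/14-08:15:02.100000,136,1,1,"(spp_reputation) packets blacklisted",TCP,198.51.100.7,40100,192.0.2.10,443
04/22/14-19:40:11.250000,1,2000001,1,"constructed rule A",TCP,203.0.113.9,51000,192.0.2.10,22
04/21/14-03:05:45.000000,136,1,1,"(spp_reputation) packets blacklisted",TCP,198.51.100.7,40222,192.0.2.10,443
04/22/14-23:59:59.900000,1,2000002,1,"constructed rule B",UDP,192.0.2.10,53,198.51.100.7,5353
"""
# Constructed block list; the last IP has no alerts left (alerts log was cleared).
BLOCKED_IPS = ["198.51.100.7", "203.0.113.9", "203.0.113.50"]


def parse_alerts(text):
    """Yield one dict per well-formed alert line; skip short or undated lines."""
    for row in csv.reader(text.splitlines()):
        if len(row) < 10:
            continue
        try:
            ts = datetime.strptime(row[0].strip(), "%m/%d/%y-%H:%M:%S.%f")
        except ValueError:
            continue
        yield {"time": ts, "msg": row[4], "src": row[6], "dst": row[8]}


def group_blocked(blocked_ips, alerts):
    """Group alerts under each blocked IP, newest alert first, newest IP first."""
    wanted = set(blocked_ips)
    groups = defaultdict(list)
    for alert in alerts:
        # Assumption: an alert matches a blocked IP on either endpoint.
        for ip in {alert["src"], alert["dst"]} & wanted:
            groups[ip].append(alert)
    rows = []
    for ip in blocked_ips:
        hits = sorted(groups.get(ip, []), key=lambda a: a["time"], reverse=True)
        rows.append((ip, hits))
    # Order IPs by their most recent alert; IPs with no alerts sort last.
    rows.sort(key=lambda r: r[1][0]["time"] if r[1] else datetime.min, reverse=True)
    return rows


if __name__ == "__main__":
    for ip, hits in group_blocked(BLOCKED_IPS, parse_alerts(ALERT_LOG)):
        latest = hits[0]["time"].isoformat() if hits else "no alerts in log"
        print(f"{ip:15}  alerts={len(hits)}  latest={latest}")
```

A blocked IP whose alerts have been cleared from the log still appears in the output, at the bottom, rather than being dropped.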