Snort blocked IPs in reverse order



  • Snort package 3.0.6 is showing the blocked IPs in reverse order. Previous versions showed the newest on top, just like the alerts tab.



  • @digdug3:

    Snort package 3.0.6 is showing the blocked IPs in reverse order. Previous versions showed the newest on top, just like the alerts tab.

    I'm not seeing this on my test VM with a new install from this morning.  I checked both the ALERTS tab and the Dashboard Widget, and they both showed the alerts in descending order (newest on top).  Check the setting for the System Log display and see if "show events in reverse order" is checked.

    Bill



  • Yes, the setting is checked. In the syslog newest entries are on top. In Snort the newest alerts are also on top in every interface, but in the blocked list the newest is the last one… This is a pfSense 2.1.2 i386 (updated from 2.1.1)


  • Moderator

    In my installations I see the Alerts tab showing the entries newest first.

    When you look at the Blocked Page, I think it displays the first alert only for the spp_rep Alert.

    If you sort by the "#" column it actually isn't in order (by date/time), which I assume it should be.



  • @BBcan17:

    In my installations I see the Alerts tab showing the entries newest first.

    When you look at the Blocked Page, I think it displays the first alert only for the spp_rep Alert.

    If you sort by the "#" column it actually isn't in order (by date/time), which I assume it should be.

    Ah…OK.  I will look into that.  The BLOCKED tab does some grouping by taking a blocked IP and then finding all the matching entries for that particular IP anywhere in the Alerts log file.  So if IP address 1.2.3.4 has been blocked say 10 times in the last 3 days, when it gets blocked again, the BLOCKED tab will show all the previous 10 entries along with the current one.  This assumes two things:  (1) you have the blocks being automatically cleared on some interval, and (2) the alerts log has not been itself cleared out.

    UPDATE:  there is no sorting of the grouped IP data.  That is, the code does not specifically sort by alert time when grouping IPs for display on the BLOCKED tab.

    Bill
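A sketch of the grouping Bill describes, with the by-time sort that the UPDATE says the BLOCKED tab omits, as an added example; this is not the Snort package's own PHP code. The alert lines are constructed in Snort's "fast" alert format, the rule that a blocked IP matches an alert as either source or destination is an assumption, and the fast format carries no year, so ordering is only meaningful within one year of log data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Snort "fast" alert format (not taken from the thread).
# The last line is deliberately not an alert so the parser's skip path is exercised.
SAMPLE_ALERTS = [
    "04/10-09:15:02.101010  [**] [1:1000001:1] TEST rule A [**] [Priority: 2] {TCP} 1.2.3.4:51000 -> 192.0.2.10:22",
    "04/12-18:40:55.202020  [**] [1:1000001:1] TEST rule A [**] [Priority: 2] {TCP} 1.2.3.4:51001 -> 192.0.2.10:22",
    "04/11-03:00:00.303030  [**] [1:1000002:1] TEST rule B [**] [Priority: 3] {UDP} 198.51.100.7:53 -> 192.0.2.10:53",
    "04/13-07:07:07.404040  [**] [1:1000001:1] TEST rule A [**] [Priority: 2] {TCP} 1.2.3.4:51002 -> 192.0.2.10:22",
    "this line is not an alert and must be skipped",
]

# timestamp  [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The fast format has no year; strptime fills in 1900, which keeps ordering
    # correct within a single year but would mis-order entries across a New Year.
    rec["when"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    return rec


def group_blocked_alerts(lines, blocked_ips, newest_first=True):
    """Collect every alert that mentions a blocked IP (as source or destination,
    an assumption here) and sort each IP's group by alert time.  The sort is the
    step the thread says the BLOCKED tab leaves out."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        # A set so an alert whose src and dst are the same blocked IP counts once.
        for ip in {rec["src"], rec["dst"]}:
            if ip in blocked_ips:
                groups[ip].append(rec)
    for ip in groups:
        groups[ip].sort(key=lambda r: r["when"], reverse=newest_first)
    return dict(groups)


def blocked_display_order(groups):
    """Order the blocked IPs by their most recent alert, newest first, which is
    the order the ALERTS tab already uses."""
    return sorted(groups, key=lambda ip: max(r["when"] for r in groups[ip]), reverse=True)


if __name__ == "__main__":
    groups = group_blocked_alerts(SAMPLE_ALERTS, {"1.2.3.4", "198.51.100.7"})
    for ip in blocked_display_order(groups):
        print(ip)
        for rec in groups[ip]:
            print("   ", rec["ts"], rec["sid"], rec["msg"])
```

Run against a real alert file by replacing `SAMPLE_ALERTS` with `open(path).read().splitlines()` and `blocked_ips` with the addresses currently in the snort2c table; the grouping then matches the behaviour Bill describes, only with each IP's history in newest-first order.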

