Snort / Suricata Widget feature request
-
Hello BMeeks,
Is it possible to add the status (enabled/disabled) of the interfaces inside the Snort and/or Suricata widgets, so you can see all in one glance?
Thanks for all the great work!
-
Hello BMeeks,
Is it possible to add the status (enabled/disabled) of the interfaces inside the Snort and/or Suricata widgets, so you can see all in one glance?
Thanks for all the great work!
Well, anything is possible, but there is not much room inside the current widget box. Do you mean a row showing if Snort/Suricata is running or not on an interface? Sort of a summary view of what you get on the INTERFACES tab?
Bill
-
Yes, if you make one row with the green/red icons and the same tooltips as in the interfaces tab it wouldn't take up that much space and you can see the status of all interfaces at once. Mouseover would give you the name of the interface.
Otherwise we would need a new widget just showing the status… -
What could be really useful on the dashboard widget would be if an alias could monitored and shown up as red in the widget if blocked
I have a customer IP alias and I want to know if the customer is blocked and I want it shown easily on the dashboard before he calls and complains :D
Could it be made to work?
-
If you don't want this alias being blocked, why not add it to the passlist? There is a input box at the bottom to add a single "alias" entry.
-
Somehow it doesnt always work….dont know why :D
-
Yes, if you make one row with the green/red icons and the same tooltips as in the interfaces tab it wouldn't take up that much space and you can see the status of all interfaces at once. Mouseover would give you the name of the interface.
Otherwise we would need a new widget just showing the status…I think one row could work. I will put that on my TODO list of features. It won't make it into the next release, but will come later.
Bill
-
Somehow it doesnt always work….dont know why :D
It should always work unless the customer has a dynamic IP. If the IP can sometimes change, then an Alias is no good with Snort because it can't and shouldn't do real time lookups of name to IP.
Bill
-
@Bmeeks: Thanks and take your time! Better a good working result!
@SuperMule: The bigger question is: By what rule is your customer blocked. And can't it be solved at the customers side…
-
The customer has a fixed IP and it puzzles me as well.
Somehow it doesnt always work….dont know why :D
It should always work unless the customer has a dynamic IP. If the IP can sometimes change, then an Alias is no good with Snort because it can't and shouldn't do real time lookups of name to IP.
Bill
-
The customer has a fixed IP and it puzzles me as well.
Is the fixed IP address IPv4 or IPv6? And I assume the IP is confirmed to be in the PASS LIST for the interface. You can verify that by going to the INTERFACE SETTINGS tab for that interface and then clicking the "View List" button beside the PASS LIST drop-down. The IP address should be in there.
Do you have confirmed alerts with that customer's IP address in either SRC or DST where there was no block inserted? Might take correlating some dates and times to figure that out. I'm trying to determine if perhaps there is a problem with the binary patch that reads the processes the PASS LIST internal to the Snort binary. For example, it might be that the logic inside the binary is not always accurately matching the IP address with the PASS LIST and thus might insert a block when it was not supposed to.
Bill