Netgate Discussion Forum

    Snort / Suricata Widget feature request

    pfSense Packages
      digdug3

      Hello BMeeks,

      Is it possible to add the status (enabled/disabled) of the interfaces inside the Snort and/or Suricata widgets, so you can see all in one glance?

      Thanks for all the great work!

        bmeeks

        @digdug3:

        Hello BMeeks,

        Is it possible to add the status (enabled/disabled) of the interfaces inside the Snort and/or Suricata widgets, so you can see all in one glance?

        Thanks for all the great work!

        Well, anything is possible, but there is not much room inside the current widget box.  Do you mean a row showing if Snort/Suricata is running or not on an interface?  Sort of a summary view of what you get on the INTERFACES tab?

        Bill

          digdug3

          Yes, if you make one row with the green/red icons and the same tooltips as in the interfaces tab it wouldn't take up that much space and you can see the status of all interfaces at once. Mouseover would give you the name of the interface.
          Otherwise we would need a new widget just showing the status…

            Supermule Banned

            What could be really useful on the dashboard widget would be if an alias could be monitored and shown as red in the widget if blocked.

            I have a customer IP alias and I want to know if the customer is blocked and I want it shown easily on the dashboard before he calls and complains :D

            Could it be made to work?

              BBcan177 Moderator

              If you don't want this alias being blocked, why not add it to the passlist? There is an input box at the bottom to add a single "alias" entry.

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                Supermule Banned

                Somehow it doesn't always work… don't know why :D

                  bmeeks

                  @digdug3:

                  Yes, if you make one row with the green/red icons and the same tooltips as in the interfaces tab it wouldn't take up that much space and you can see the status of all interfaces at once. Mouseover would give you the name of the interface.
                  Otherwise we would need a new widget just showing the status…

                  I think one row could work.  I will put that on my TODO list of features.  It won't make it into the next release, but will come later.

                  Bill

                    bmeeks

                    @Supermule:

                    Somehow it doesn't always work… don't know why :D

                    It should always work unless the customer has a dynamic IP.  If the IP can sometimes change, then an Alias is no good with Snort because it can't and shouldn't do real time lookups of name to IP.

                    Bill

                      digdug3

                      @Bmeeks: Thanks and take your time! Better a good working result!

                      @SuperMule: The bigger question is: by what rule is your customer blocked? And can't it be solved at the customer's side…

                        Supermule Banned

                        The customer has a fixed IP and it puzzles me as well.

                        @bmeeks:

                        @Supermule:

                        Somehow it doesn't always work… don't know why :D

                        It should always work unless the customer has a dynamic IP.  If the IP can sometimes change, then an Alias is no good with Snort because it can't and shouldn't do real time lookups of name to IP.

                        Bill

                          bmeeks

                          @Supermule:

                          The customer has a fixed IP and it puzzles me as well.

                          Is the fixed IP address IPv4 or IPv6?  And I assume the IP is confirmed to be in the PASS LIST for the interface.  You can verify that by going to the INTERFACE SETTINGS tab for that interface and then clicking the "View List" button beside the PASS LIST drop-down.  The IP address should be in there.

                          Do you have confirmed alerts with that customer's IP address in either SRC or DST where there was no block inserted?  Might take correlating some dates and times to figure that out.  I'm trying to determine if perhaps there is a problem with the binary patch that reads and processes the PASS LIST internal to the Snort binary.  For example, it might be that the logic inside the binary is not always accurately matching the IP address with the PASS LIST and thus might insert a block when it was not supposed to.

                          Bill
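
The date-and-time correlation described in the post above, as an added example that is not part of the original thread and not code from the Snort package: it lists every alert that involves a pass-listed address and marks whether a block for that address followed within a few seconds. The record layouts, addresses, timestamps and the 5-second window are constructed assumptions; real alert and block logs would need their own parsers.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation addresses, not real Snort/pfSense log formats).
PASS_LIST = ["203.0.113.25", "198.51.100.0/24", "2001:db8:10::/64"]
ALERTS = [  # (timestamp, SRC, DST)
    ("2015-03-01 10:00:05", "203.0.113.25", "192.0.2.10"),
    ("2015-03-01 11:30:00", "192.0.2.10", "203.0.113.25"),
    ("2015-03-01 12:00:00", "192.0.2.77", "192.0.2.10"),
]
BLOCKS = [  # (timestamp, blocked address)
    ("2015-03-01 11:30:01", "203.0.113.25"),
    ("2015-03-01 12:00:01", "192.0.2.77"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def in_pass_list(addr, entries):
    """True if addr matches a pass list entry (single IP or CIDR, IPv4 or IPv6)."""
    ip = ip_address(addr)
    for entry in entries:
        net = ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def correlate(alerts, blocks, entries, window=timedelta(seconds=5)):
    """Return (alert_time, host, blocked) for each pass-listed SRC/DST in an alert."""
    parsed = [(datetime.strptime(t, FMT), ip_address(a)) for t, a in blocks]
    results = []
    for stamp, src, dst in alerts:
        when = datetime.strptime(stamp, FMT)
        for host in (src, dst):
            if not in_pass_list(host, entries):
                continue
            ip = ip_address(host)
            # A block counts only if it follows the alert inside the window.
            blocked = any(b_ip == ip and timedelta(0) <= b_t - when <= window
                          for b_t, b_ip in parsed)
            results.append((stamp, host, blocked))
    return results


if __name__ == "__main__":
    for stamp, host, blocked in correlate(ALERTS, BLOCKS, PASS_LIST):
        state = "BLOCKED despite pass list" if blocked else "alert only, no block"
        print(f"{stamp}  {host}  {state}")
```

Rows marked as blocked are the cases worth reporting, since they show the pass list match failing for an address that is confirmed to be in the list.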
