Snort GUI wishlist


  • Banned

    In the Alerts tab when running multiple interfaces, it would be nice to have an ALL dropdown option since it would make searching for blocked hosts much easier if ALL interfaces were shown in the list.

    And when it is picked, add "Interface" as a column between Date and Pri (priority).

    Either that or no dropdown at all defaulting to all interfaces in the alerts tab.


  • Moderator

    I don't think Bill will go for this lol….

    I think it would be better to look at Snorby or a Remote Syslog to get more advanced monitoring...
    But you never know what Bill has up his sleeves...

    :)



  • Adding another column to the current interface is a problem because there just is not enough horizontal space unless you automatically assume everyone uses the new widescreen theme in 2.2-BETA.  I don't think folks want columns that are only a tiny handful of characters wide.  They are already too narrow now in my opinion.

    Grabbing all the interface logs at once is also a challenge because the alerts for each interface are written to separate log files.  There is a separate log sub-directory for each configured Snort interface.  It would be a real challenge to not run out of PHP memory when trying to open, read and sort the separate log files into a single in-memory array for sorting by event times.

    As BBcan177 suggested, there are much better alternatives such as using Snorby or other similar log archiving tools for detailed analysis.  That's the whole point of integrating Barnyard2 into the Snort package.  Everything gets stuffed into either a MySQL database or a syslog repository where detailed and potentially computationally intensive analysis can be done offline from the firewall.

    Bill


  • Banned

    Hi Bill

    It was just something so removing blocked IPs easily and searching for them was system-wide and not only interface-wide.



  • @Supermule:

    Hi Bill

    It was just something so removing blocked IPs easily and searching for them was system-wide and not only interface-wide.

    On syslog server:
    zgrep -Fw '1.2.3.4' ./log_that_gets_suricata_alerts.log*
    (assuming in /var/log, and proper rotation of the logs)

    The searching can also be done on the snort2c table (diagnostics>table), but you don't get the reason for it being banned.

    I agree with bmeeks and BBcan177 here. If you are up to the point where you have multiple interfaces that have a gazillion IPs that need to be checked for the one IP to remove, then you are already at the point where you would benefit more by centralizing the logging and working on the offline copy.
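    The two points made above, that the alerts live in a separate log sub-directory per interface and that a multi-interface search has to avoid loading every file into one in-memory array, are shown below as an added example; it is not code from the pfSense Snort package or from anyone in this thread. It assumes the classic Snort "alert_fast" line format (the package's on-disk alert format may differ), merges the per-interface streams with a bounded-memory heap merge, and matches the searched IP exactly rather than as a substring, so 203.0.113.7 does not also hit 203.0.113.70 the way a plain grep would. The SAMPLE_LOGS alerts, interface names and rule SIDs are constructed for the demo.

```python
"""Merge per-interface Snort alert logs by time and find alerts for one IP.

Added example, not pfSense Snort package code. Assumes Snort's alert_fast
line format; the sample data below is constructed.
"""
import heapq
import ipaddress
import re

# Constructed sample: one alert file per Snort interface, standing in for the
# per-interface log sub-directories. SIDs are placeholders in the local range.
SAMPLE_LOGS = {
    "snort_em0": [
        "05/16-10:00:01.000001  [**] [1:1000001:1] SAMPLE WAN inbound probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
        "203.0.113.7:44120 -> 192.0.2.10:3306",
        "05/16-10:00:05.500000  [**] [1:1000002:1] SAMPLE WAN web attack [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} "
        "198.51.100.23:51234 -> 192.0.2.10:80",
    ],
    "snort_em1": [
        "05/16-10:00:03.250000  [**] [1:1000003:1] SAMPLE LAN host talking to scanner [**] "
        "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} "
        "10.0.0.5:5060 -> 203.0.113.7:5060",
        "05/16-10:00:09.000000  [**] [1:1000004:1] SAMPLE ICMP PING [**] "
        "[Priority: 3] {ICMP} 10.0.0.5 -> 203.0.113.70",
    ],
}

# alert_fast: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]". Classification and ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of the alert's fields, or None for a line that is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def iter_alerts(iface, lines):
    """Lazily yield parsed alerts from one interface's log, tagged with the interface."""
    for line in lines:
        rec = parse_alert(line)
        if rec:
            rec["iface"] = iface
            yield rec


def merged_alerts(logs):
    """Yield alerts from every interface in timestamp order.

    heapq.merge keeps only one pending record per interface in memory, so
    the cost does not grow with file size; each input must already be in
    chronological order, which append-only alert files are. alert_fast
    timestamps carry no year, so the zero-padded string sorts correctly
    only within one calendar year.
    """
    streams = (iter_alerts(iface, lines) for iface, lines in logs.items())
    return heapq.merge(*streams, key=lambda r: (r["ts"], r["iface"]))


def alerts_for_ip(logs, ip):
    """Return alerts (all interfaces, time-ordered) where ip is exactly src or dst."""
    target = ipaddress.ip_address(ip)
    return [
        r for r in merged_alerts(logs)
        if ipaddress.ip_address(r["src"]) == target
        or ipaddress.ip_address(r["dst"]) == target
    ]


def substring_hits(logs, text):
    """Count lines a plain substring search would report, for comparison."""
    return sum(text in line for lines in logs.values() for line in lines)


if __name__ == "__main__":
    ip = "203.0.113.7"
    print(f"substring search hits: {substring_hits(SAMPLE_LOGS, ip)}")
    for r in alerts_for_ip(SAMPLE_LOGS, ip):
        print(f'{r["iface"]} {r["ts"]} [{r["gid"]}:{r["sid"]}:{r["rev"]}] '
              f'{r["msg"]} {r["src"]} -> {r["dst"]}')
```

On a real box the same generators would read the per-interface alert files one line at a time (gzip.open for rotated copies), which is what keeps memory flat; the exact-match comparison is the reason the zgrep above is better run with -F and -w than with a bare dotted address.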


  • Banned

    I just use CTRL+F in the alerts tab and type in the IP being banned.

    Just so I didn't have to do that on all interfaces that I am running.


  • Banned

    Can one implement this feature in the current Snort alerts log?

    It would make it very easy to sort alerts and filter them.



  • Moderator

    @Supermule:

    Can one implement this feature in the current Snort alerts log?

    This feature is already in the Snort Alerts Tab  ;)

    You should see the Sub-section "Alert Log Filter Options" and a button called "Show Filter"


  • Banned

    HAHAHAHAHAHAHAHAAHAHA fooking hell! :D

    I need glasses….............. HEEEEEEEEEEEELP! HAHAHAHA

    Sorry for the "noise" :D