Odd SNORT Block Entries
-
Ever since I upgraded I usually get block alerts with why they were blocked. I now have a ton of entries just showing "N/A". Anyone run into this or know why these are showing no info?
-
Hi ghostshell,
If you "Cleared" the Events in the Alerts Tab, those cleared entries will show as "N/A" in the Blocked Tab, until you clear the "Blocked Tab".
-
BBcan177 is correct. The BLOCKS tab simply grabs the blocked IPs from the <snort2c>table for display. There is no information available from that table other than the IP. In an attempt to provide a little more information, the code goes to the alerts log file for each Snort interface and tries to find those IP addresses. For each match, it pulls some data from the alerts log to display on the BLOCKS tab (the time of the event and the message, for example). If the alerts log has been cleared out, then when the BLOCKS tab code tries to look up the IP addresses it can't find them.
Bill</snort2c>
-
Thanks Guys!