Snort on 2.3 not showing all blocked IPs



  • Just noticed this after upgrading today.  The blocked tab which normally shows many blocked IPs was only showing one IP.  Upon removing that blocked IP with the X option, a new IP showed up on the list but only that one.  Going through the same process of removing it showed a new one.  And so on.  After clearing about 8 blocked IPs one at a time, the interface finally showed that there were no more blocked IPs.  Looks like the update has a bug for displaying all of the blocked IPs at once.

    LoboTiger



  • That sounds strange.  All that page does is pull the list of blocked IPs directly from the pf snort2c table and display them.  I made a change to the auto-refresh code with the last update.  Perhaps that is hosed.  Have you tried leaving the BLOCKS tab and coming back to it?  This will force a refresh.

    Bill



  • I also have a similar issue, but slightly different, and I also reported it in the 2.3RC thread, which is removed/hidden now.

    1. After upgrading to 2.3RC I had an issue with Snort updating behind Squid, but after updating the firewall Squid proxy block rule, Snort was updating.

    2. Snort was not showing the blocked IP; it was showing in the downloaded Blocked IP list but not on the Block tab.

    3. Now the new issue I face is that Snort is running, updating, and also showing alerts, but Snort is not doing IP blocks for the alerts. I tried uninstalling fully by unticking save settings so that after reinstall I would get a clean Snort install, BUT after reinstall it still has all my settings.

    So I am planning to do a full fresh install this weekend, sadly.

    ---

    edit

    Now I am getting frequent alerts on my desktop PCs saying a network alert from 192.168.x.x is blocked.








  • I experience the same problem on my upgraded 2.3 (2.2.6 -> 2.3). Snort blocks all the IPs, but only one IP is shown under the Blocked tab. But if you download the blocked IP list, you can actually see that far more IPs are blocked.

    edit: Nevermind, setting a new value of blocked entries to view and hitting "save" actually resolves the issue, now all blocked IPs are shown.



  • Updated the second post with a pic. Just now I am getting an alert on my desktop PC saying a network alert was blocked by Kaspersky.



  • @Creep89:

    I experience the same problem on my upgraded 2.3 (2.2.6 -> 2.3). Snort blocks all the IPs, but only one IP is shown under the Blocked tab. But if you download the blocked IP list, you can actually see that far more IPs are blocked.

    edit: Nevermind, setting a new value of blocked entries to view and hitting "save" actually resolves the issue, now all blocked IPs are shown.

    Confirmed.  I just put in a value of 500 to show and clicked save and then all of the blocked IPs are now showing up.  Browsed to another tab and came back to the blocked tab and all those IPs are still showing.  Thanks for the tip!

    I guess there's some odd behaviour either from doing the upgrade to 2.3 or maybe something else that doesn't retain the default of displaying 500 entries?

    LoboTiger



  • @Creep89:

    I experience the same problem on my upgraded 2.3 (2.2.6 -> 2.3). Snort blocks all the IPs, but only one IP is shown under the Blocked tab. But if you download the blocked IP list, you can actually see that far more IPs are blocked.

    edit: Nevermind, setting a new value of blocked entries to view and hitting "save" actually resolves the issue, now all blocked IPs are shown.

    Ah-ha!  Thanks for posting the solution.  This is an artifact of some Bootstrap fixes.  That value is not being initialized properly.  I will take care of it in the next Snort package update.  I am working on Suricata now, but hope to finish it up today.

    Bill