Snort Block List Displays only 1 Blocked Host
-
I'm not sure if I discovered a new bug or not. But, I've noticed that the display on the Services/Snort/Blocked Hosts page in the 2.3.1 Dev release using the latest version of snort is not showing more than 1 blocked host at a time. This was driving me nuts because I was trying to correlate Alerts to blocked hosts, and noticed the blocked hosts weren't growing.
About an hour later I manually cleared the blocked hosts by clicking the red X and noticed that with each click it will run through each host on the block list, only showing "1 host IP address is currently being blocked by snort", when in reality there are A LOT more.
Attached is a photo showing just the 1 host despite there being about 4-5 in the list after a quick "clear" of the block list.
-
OK I think I found the issue or something related to it.
in snort_blocked.php
There's a series of if statements starting on line 49 and ending on line 55. These if statements specify rows displayed by default or by user spec. However, the if statement on line 49 changes the same bnentries variable from a numerical value to "on" which, unless I'm missing something, doesn't make much sense. At any rate, I modified the "on" to be "500" and it is showing each blocked IP. I haven't taken a look at the rest of the code, but the page itself refreshes with refresh on by "Deault" (typo on the page, not mine).
if (empty($pconfig['blertnumber']))
    $bnentries = '500';
else
    $bnentries = $pconfig['blertnumber'];
if (empty($pconfig['brefresh']))
    $bnentries = 'on';
-
The issue is known, see https://forum.pfsense.org/index.php?topic=109902.msg612163#msg612163 for more information.
-
This will be fixed in the next Snort update, which should be out soon. Just finished fixing a list of Suricata issues, so now my slate is clean and ready for me to tackle the reported Snort bugs.
Sorry for all the little issues, but the conversion to Bootstrap for pfSense 2.3 was a big chore and lots of little errors crept in.
Bill