Bug #10299

closed

Snort - Blocked Alert - Description loss -> Alert Description No Longer Available

Added by Diego Leon about 4 years ago. Updated about 4 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
02/27/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
amd64

Description

Snort v 3.2.9.10

Package Dependencies:
snort-2.9.15  barnyard2-1.13_1

The Snort first report in the Blocked tab shows the blocked IP and the respective Alert Descriptions and Event Times data, but after some time it loses the data and only shows the message "Alert Description No Longer Available".


Files

Blocked-issues.png (10.6 KB) Blocked-issues.png Diego Leon, 02/27/2020 10:18 AM
Blocked-issues.png (48 KB) Blocked-issues.png Diego Leon, 02/27/2020 02:26 PM
Actions #1

Updated by Bill Meeks about 4 years ago

Diego Leon wrote:

Snort v 3.2.9.10

Package Dependencies:
snort-2.9.15  barnyard2-1.13_1

The Snort first report in the Blocked tab shows the blocked IP and the respective Alert Descriptions and Event Times data, but after some time it loses the data and only shows the message "Alert Description No Longer Available".

This is not a bug. It is just a consequence of the alert log being rotated out (or manually cleared by the admin). The Description field on the BLOCKED tab scans the snort2c pf table to find currently blocked IP addresses (put there by Snort). In an attempt to add some metadata to the displayed blocked addresses, the PHP code reads the currently active alert log file to see if any of the currently blocked IPs show up with alerts. If found, the alert data from the matching IP addresses is used to build the Description. When the alert log is flushed or rotated due to exceeding the configured max size, the metadata for some blocked IP addresses is no longer there to be matched.
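Bill's explanation above, as an added example that is not the pfSense Snort package's own PHP code: a Python sketch of the matching the BLOCKED tab performs, with the snort2c table contents and the alert lines constructed (alert lines in Snort's alert_fast format). Once the log is rotated or cleared and an IP no longer matches any line, the fallback text appears.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort's alert_fast format (not a real log).
ALERT_LOG = """\
02/27-10:18:00.123456  [**] [1:1000001:1] TEST rule one [**] [Priority: 2] {TCP} 203.0.113.7:44321 -> 192.0.2.10:22
02/27-10:19:05.000001  [**] [1:1000002:1] TEST rule two [**] [Priority: 3] {UDP} 192.0.2.10:53 -> 203.0.113.7:51000
"""

# Constructed stand-in for the snort2c pf table ("pfctl -t snort2c -T show").
BLOCKED_IPS = ["203.0.113.7", "203.0.113.9"]

NO_DESC = "Alert Description No Longer Available"

# IPv4-only parser for alert_fast lines; the optional ":port" covers ICMP lines.
ALERT_RE = re.compile(
    r"^(?P<time>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)


def parse_alerts(log_text):
    """Map every IP seen as source or destination to its (time, msg) alerts."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip lines the parser does not recognise
        for ip in (m["src"], m["dst"]):
            by_ip[ip].append((m["time"], m["msg"]))
    return by_ip


def describe_blocked(blocked_ips, log_text):
    """Return {ip: (description, event_times)}, mirroring the BLOCKED tab columns.

    The IP column always comes from the pf table; the other two columns only
    exist while the *current* alert log still holds a line for that IP.
    """
    by_ip = parse_alerts(log_text)
    result = {}
    for ip in blocked_ips:
        hits = by_ip.get(ip)
        if not hits:
            result[ip] = (NO_DESC, NO_DESC)
        else:
            result[ip] = ("\n".join(msg for _, msg in hits),
                          "\n".join(t for t, _ in hits))
    return result
```

Passing an empty string as the log (the state right after rotation or a manual clear) yields the fallback text for every blocked IP, which is exactly what the ticket's screenshot shows.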

Actions #2

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Not a Bug
Actions #3

Updated by Diego Leon about 4 years ago

Bill Meeks wrote:

Diego Leon wrote:

Snort v 3.2.9.10

Package Dependencies:
snort-2.9.15  barnyard2-1.13_1

The Snort first report in the Blocked tab shows the blocked IP and the respective Alert Descriptions and Event Times data, but after some time it loses the data and only shows the message "Alert Description No Longer Available".

This is not a bug. It is just a consequence of the alert log being rotated out (or manually cleared by the admin). The Description field on the BLOCKED tab scans the snort2c pf table to find currently blocked IP addresses (put there by Snort). In an attempt to add some metadata to the displayed blocked addresses, the PHP code reads the currently active alert log file to see if any of the currently blocked IPs show up with alerts. If found, the alert data from the matching IP addresses is used to build the Description. When the alert log is flushed or rotated due to exceeding the configured max size, the metadata for some blocked IP addresses is no longer there to be matched.

Thanks, Bill, for your answer.

I understand what you say, but I think this problem is different.
As you can see in the newly attached image, the Blocked tab shows data in the IP column, but the Alert Descriptions and Event Times columns show "Alert Description No Longer Available".
That means snort2c has data (the IP), but I don't know what happens with the Description.
