Bug #10299
closed
Snort - Blocked Alert - Description loss -> Alert Description No Longer Available
Added by Diego Leon about 5 years ago.
Updated about 5 years ago.
Affected Architecture:
amd64
Description
Snort v 3.2.9.10
Package Dependencies:
snort-2.9.15 barnyard2-1.13_1
At first the Snort Blocked tab shows the blocked IP and the respective Alert Descriptions and Event Times data, but after some time it loses the data and only shows the message "Alert Description No Longer Available".
Files
Diego Leon wrote:
Snort v 3.2.9.10
Package Dependencies:
snort-2.9.15 barnyard2-1.13_1
At first the Snort Blocked tab shows the blocked IP and the respective Alert Descriptions and Event Times data, but after some time it loses the data and only shows the message "Alert Description No Longer Available".
This is not a bug. It is just a consequence of the alert log being rotated out (or manually cleared by the admin). The Description field on the BLOCKED tab scans the snort2c pf table to find currently blocked IP addresses (put there by Snort). In an attempt to add some metadata to the displayed blocked addresses, the PHP code reads the currently active alert log file to see if any of the currently blocked IPs show up with alerts. If found, the alert data from the matching IP addresses is used to build the Description. When the alert log is flushed or rotated due to exceeding the configured max size, the metadata for some blocked IP addresses is no longer there to be matched.
- Status changed from New to Not a Bug
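The matching Bill describes (blocked addresses from the snort2c table looked up against the currently active alert file) can be illustrated with the following Python script. It is an added example written for this page, not the pfSense Snort package's own PHP code. The pf table output, the alert lines (written in Snort's alert_fast layout, which may differ from the package's own alert file format), the placeholder text and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of what `pfctl -t snort2c -T show` prints (not real data).
PF_TABLE_OUTPUT = """\
   192.0.2.10
   203.0.113.77
   198.51.100.5
"""

# Constructed alert lines in Snort's alert_fast layout (not real alerts).
# Only the first two blocked IPs appear here; the third has no matching alert.
ALERT_LOG = """\
09/15-14:22:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 10.0.0.5:51234
09/15-14:23:40.000001  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.77:4455 -> 10.0.0.5:1433
"""

# Placeholder the BLOCKED tab shows when no alert metadata can be matched.
NO_ALERT = "Alert Description No Longer Available"

# Fields of one alert_fast line: timestamp, gid:sid:rev, message, protocol, src, dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_blocked(table_text):
    """Return the IPs currently held in the pf table, in table order."""
    return [ip for line in table_text.splitlines() if (ip := line.strip())]


def parse_alerts(log_text):
    """Index (timestamp, message) pairs by every IP that appears in an alert, src or dst."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip lines that do not parse (truncated or different format)
        for ip in (m["src"], m["dst"]):
            by_ip[ip].append((m["ts"], m["msg"]))
    return by_ip


def build_blocked_view(table_text, log_text):
    """Build the BLOCKED tab rows: the pf table is authoritative, the alert log only adds metadata."""
    alerts = parse_alerts(log_text)
    rows = []
    for ip in parse_blocked(table_text):
        hits = alerts.get(ip, [])
        rows.append({
            "ip": ip,
            # de-duplicated messages in first-seen order, or the placeholder when nothing matched
            "description": "; ".join(dict.fromkeys(msg for _, msg in hits)) if hits else NO_ALERT,
            "event_times": [ts for ts, _ in hits] if hits else [NO_ALERT],
        })
    return rows


def simulate_log_rotation(table_text):
    """After the alert file is rotated or cleared, the active log is empty and every row loses its metadata."""
    return build_blocked_view(table_text, "")


if __name__ == "__main__":
    for row in build_blocked_view(PF_TABLE_OUTPUT, ALERT_LOG):
        print(row["ip"], "|", row["description"], "|", ", ".join(row["event_times"]))
    print("--- after alert log rotation ---")
    for row in simulate_log_rotation(PF_TABLE_OUTPUT):
        print(row["ip"], "|", row["description"])
```

The third address shows the placeholder even before rotation, because the block is still in the pf table while no line in the active alert file mentions that IP; after rotation every address shows it. The block itself is unaffected, so the placeholder is cosmetic, and the durable record of why an address was blocked is the rotated alert logs or the barnyard2 output, not the BLOCKED tab.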
Bill Meeks wrote:
Diego Leon wrote:
Snort v 3.2.9.10
Package Dependencies:
snort-2.9.15 barnyard2-1.13_1
At first the Snort Blocked tab shows the blocked IP and the respective Alert Descriptions and Event Times data, but after some time it loses the data and only shows the message "Alert Description No Longer Available".
This is not a bug. It is just a consequence of the alert log being rotated out (or manually cleared by the admin). The Description field on the BLOCKED tab scans the snort2c pf table to find currently blocked IP addresses (put there by Snort). In an attempt to add some metadata to the displayed blocked addresses, the PHP code reads the currently active alert log file to see if any of the currently blocked IPs show up with alerts. If found, the alert data from the matching IP addresses is used to build the Description. When the alert log is flushed or rotated due to exceeding the configured max size, the metadata for some blocked IP addresses is no longer there to be matched.
Thanks Bill for your answer
I understand what you say, but I think this problem is different.
As you can see in the newly attached image, the Blocked tab shows data in the IP column, but the Alert Descriptions and Event Times columns show "Alert Description No Longer Available".
That means snort2c has data (the IP), but I don't know what happens with the Description.