Bug #10326

closed

Snort - Blocked Alert - Show IP but Description loss -> "Alert Description No Longer Available"

Added by Diego Leon about 4 years ago. Updated about 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Snort
Target version: -
Start date: 03/09/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture: amd64

Description

Snort v 3.2.9.10

Package Dependencies:
snort-2.9.15  barnyard2-1.13_1

In the Blocked tab, the IP column shows data, but the Alert Description and Event Time columns, after some time, lose their data and only show the message "Alert Description No Longer Available".

As seen in the attached image.

That means snort2c has the data (the IP), but I don't know what happened to the Description.

Thanks


Files

Blocked-issues.png (48 KB), Diego Leon, 03/09/2020 11:53 AM

#1

Updated by Bill Meeks about 4 years ago

This is not a bug. It's caused by the alert log file getting purged, either by being rotated as part of the periodic log management tasks (when enabled) or because the alerts were manually cleared by the user.

The BLOCKS tab scans the snort2c table to see what IP addresses are currently being blocked and then displays them. In an attempt to add some context metadata to the listed blocks, the code will check the currently active alerts log to see if any of the IP addresses have records in the alerts log. If they do, some info is pulled from the alerts log for display. If not, then the BLOCKS tab shows "not available" for this metadata.

The typical use case is for the "Remove Blocked Hosts" setting on the GLOBAL SETTINGS tab to be configured for a relatively short interval (an hour is good). With that setup, the alerts log is not likely to get rotated and purged while an IP is being actively blocked. If the user chooses to never clear Snort blocks or has the automatic removal interval set way out there, then it is possible the alerts log will get purged before the blocked IP is removed.

There is no reason to persist blocks for long periods. One hour is more than enough. If the same offender tries again later, Snort will detect and block the traffic again just like it did the first time. There is no benefit to loading up the snort2c table with thousands of persisted IP addresses by never clearing the table.
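The lookup described above, written out as an added Python illustration (this is not the pfSense Snort package's own PHP code): the blocked IPs come from the snort2c pf table, the alert log is scanned for matching records, and any IP with no surviving alert line falls back to the "no longer available" text. The sample table dump and alert lines are constructed; the alert lines use Snort's standard `alert_fast` layout, which is an assumption, as the package's on-disk alert format may differ.

```python
import re

# Constructed sample data (not taken from the tracker page). The table dump is
# what "pfctl -t snort2c -T show" would list; the alert lines follow Snort's
# "alert_fast" layout, assumed here for illustration.
SNORT2C_TABLE = ["198.51.100.23", "203.0.113.7"]

ALERT_LOG = """\
03/09-11:40:12.104233  [**] [1:1000001:1] LOCAL TEST id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:80 -> 192.0.2.10:51234
03/09-11:52:03.551902  [**] [1:1000002:1] LOCAL TEST inbound probe to MSSQL port 1433 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:44321 -> 192.0.2.10:1433
"""

FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)
NOT_AVAILABLE = "Alert Description No Longer Available"

def index_alerts(log_text):
    """Map each IP seen as source or destination to its latest alert record."""
    by_ip = {}
    for line in log_text.splitlines():
        m = FAST_ALERT.match(line)
        if not m:
            continue  # blank or malformed line: nothing to index
        rec = {"time": m["ts"], "msg": m["msg"], "sid": f"{m['gid']}:{m['sid']}"}
        for ip in (m["src"], m["dst"]):
            by_ip[ip] = rec  # later lines overwrite, so the newest alert wins
    return by_ip

def blocks_view(blocked_ips, log_text):
    """Rows as the BLOCKS tab renders them: the IP always comes from the pf
    table; description and time only if the alert log still holds a record."""
    alerts = index_alerts(log_text)
    rows = []
    for ip in blocked_ips:
        rec = alerts.get(ip)
        if rec is None:
            rows.append((ip, NOT_AVAILABLE, NOT_AVAILABLE))
        else:
            rows.append((ip, rec["msg"], rec["time"]))
    return rows

if __name__ == "__main__":
    for row in blocks_view(SNORT2C_TABLE, ALERT_LOG):
        print(row)  # 198.51.100.23 keeps its context; 203.0.113.7 does not
    for row in blocks_view(SNORT2C_TABLE, ""):  # log rotated or cleared
        print(row)  # every block now shows the "No Longer Available" text
```

Running it with the log cleared (the empty string) reproduces exactly the symptom in the report: the IP column stays populated because the pf table is the source of truth, while the metadata columns go to the fallback text.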

#2

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Not a Bug