Bug #10326
Snort - Blocked Alert - Show IP but Description loss -> "Alert Description No Longer Available"
Status: closed
Description
Snort v 3.2.9.10
Package Dependencies:
snort-2.9.15 barnyard2-1.13_1
In the Blocked tab, data shows in the IP column, but in the Alert Descriptions and Event Times columns, after some time, the data is lost and only the message "Alert Description No Longer Available" is shown.
As seen in the attached image.
That means snort2c has data (the IP) but I don't know what happens with the Description.
Thanks
Updated by Bill Meeks about 5 years ago
This is not a bug. It's caused by the alert log file getting purged by either getting rotated as part of the periodic logs management tasks (when enabled) or else the alerts were manually cleared by the user.
The BLOCKS tab scans the snort2c table to see what IP addresses are currently being blocked and then displays them. In an attempt to add some context metadata to the listed blocks, the code will check the currently active alerts log to see if any of the IP addresses have records in the alerts log. If they do, some info is pulled from the alerts log for display. If not, then the BLOCKS tab shows "not available" for this metadata.
The typical use case is for the "Remove Blocked Hosts" setting on the GLOBAL SETTINGS tab to be configured for a relatively short interval (an hour is good). With that setup, the alerts log is not likely to get rotated and purged while an IP is being actively blocked. If the user chooses to never clear Snort blocks or has the automatic removal interval set way out there, then it is possible the alerts log will get purged before the blocked IP is removed.
There is no reason to persist blocks for long periods. One hour is more than enough. If the same offender tries again later, Snort will detect and block the traffic again just like it did the first time. There is no benefit to loading up the snort2c table with thousands of persisted IP addresses by never clearing the table.
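The lookup described in the reply above (blocked IPs come from the snort2c pf table, the description and event time come from whatever alert log lines still mention that IP), as an added, stand-alone example that is not the pfSense Snort package's own code. It assumes the table is read with `pfctl -t snort2c -T show` and that the alert log is in Snort's alert_fast text format; the package's actual alert.log layout may differ. Both inputs are constructed samples embedded in the script, and the last blocked IP has no surviving alert line, which is exactly the "no longer available" case from the report:

```python
import re

# Placeholder the BLOCKS tab shows when no alert log line matches the blocked IP
NOT_AVAILABLE = "Alert Description No Longer Available"

# Constructed sample of `pfctl -t snort2c -T show` output (assumed command;
# the table name snort2c is the one named in the bug report).
SNORT2C_TABLE = """\
   198.51.100.23
   203.0.113.77
   192.0.2.9
"""

# Constructed sample alert log in Snort alert_fast format (an assumption:
# the pfSense package's own alert.log may use a different layout).
# 192.0.2.9 was blocked earlier, but its alert line has already been rotated away.
ALERT_LOG = """\
03/12-14:22:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:80 -> 10.0.0.5:51234
03/12-14:25:40.000001  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.77:44321 -> 10.0.0.5:1433
"""

# alert_fast line: timestamp, [gid:sid:rev], message, optional classification/
# priority, {proto} src[:port] -> dst[:port]
_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_pf_table(text):
    """Return the IPs listed by `pfctl -t <table> -T show`, in table order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_alert_fast(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = _ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def annotate_blocks(blocked_ips, alerts):
    """Join blocked IPs with the newest alert that names them as src or dst.

    Mirrors the BLOCKS tab behaviour described in the reply: the IP always
    comes from the pf table, while description and event time are only
    available while a matching line still exists in the active alert log.
    """
    latest = {}
    for a in alerts:                      # log is chronological, so later lines win
        for ip in (a["src"], a["dst"]):
            latest[ip] = a
    rows = []
    for ip in blocked_ips:
        a = latest.get(ip)
        rows.append({
            "ip": ip,
            "description": a["msg"] if a else NOT_AVAILABLE,
            "event_time": a["ts"] if a else NOT_AVAILABLE,
        })
    return rows


def orphaned_blocks(rows):
    """IPs still blocked whose alert context has been purged; a long
    'Remove Blocked Hosts' interval is the usual reason this list is non-empty."""
    return [r["ip"] for r in rows if r["description"] == NOT_AVAILABLE]


if __name__ == "__main__":
    table = annotate_blocks(parse_pf_table(SNORT2C_TABLE), parse_alert_fast(ALERT_LOG))
    for r in table:
        print(f'{r["ip"]:<16} {r["event_time"]:<24} {r["description"]}')
    print("blocks without alert context:", orphaned_blocks(table))
```

Running it prints the two blocks that still have a matching alert line with their description and timestamp, and 192.0.2.9 with the placeholder in both metadata columns, which is the state the screenshot in the report shows. Shortening the "Remove Blocked Hosts" interval makes the third case rare, because the block is dropped before the alert log that explains it is rotated.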