Bug #14858
Status: closed
Possible Snort regression with the "Remove Blocked Hosts" interval / alert duration timer: the timer changed by itself and is deleting blocked hosts at 5 mins when set to never
Description
Hello fellow Redmine community members,
I am having an issue with my Snort "Remove blocked host interval" changing automatically. I had it set to never, to check all my AppID text files and help create suppress lists with the blocking part off for a while. I changed it to block; however, it only blocks for 5 mins.
Example from researching (cron entry as found in config.xml):

<minute>*/20</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 1200 snort2c</command>
I cannot find this anymore in the config file for Snort. All I see that is close is:

<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
Shouldn't this be snort2c?? It seems like something called virusprot took over again; this could be ClamAV.
However, no matter what, something has disabled my block interval from never and set it to 5 mins.
I used to have it set to an hour; however, today it seems like it's only 3-5 mins and clears, and I can't change it.
Inside of the compiled expiretable program I found something weird: it says "Entry deleted" in clear text.
: Entry deleted.
[remainder of the pasted binary data omitted]
It should not auto change to 5 mins
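The two cron entries quoted above are pfSense config.xml items that run expiretable against a pf table with a timeout. A quick way to check which tables are actually being expired, and at what interval, is to parse the <cron> section directly rather than eyeballing it. The script below is an added example, not code from the ticket or from the Snort package; the config fragment is constructed to mirror the two entries the reporter posted.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of the <cron> section of a pfSense config.xml (not the
# reporter's actual file): one item expiring the snort2c table every 20 minutes
# with a 1200-second timeout, one expiring virusprot hourly.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <cron>
    <item>
      <minute>*/20</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 1200 snort2c</command>
    </item>
    <item>
      <minute>*/60</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
    </item>
  </cron>
</pfsense>
"""

CRON_FIELDS = ("minute", "hour", "mday", "month", "wday")


def expiretable_jobs(config_xml):
    """Return one dict per cron <item> whose command runs expiretable.

    Each dict holds the pf table name (last argument), the -t timeout
    (as an int when it is a plain number of seconds), the five-field
    cron schedule and the user the job runs as.
    """
    root = ET.fromstring(config_xml)
    jobs = []
    for item in root.iter("item"):
        cmd = (item.findtext("command") or "").strip()
        if "expiretable" not in cmd:
            continue
        argv = shlex.split(cmd)
        timeout = None
        if "-t" in argv and argv.index("-t") + 1 < len(argv):
            raw = argv[argv.index("-t") + 1]
            timeout = int(raw) if raw.isdigit() else raw
        schedule = " ".join((item.findtext(f) or "").strip() for f in CRON_FIELDS)
        jobs.append({
            "table": argv[-1],
            "timeout_s": timeout,
            "schedule": schedule,
            "who": (item.findtext("who") or "").strip(),
        })
    return jobs


def table_expiry(config_xml, table):
    """Return the expiretable timeout for a pf table, or None when no cron job expires it.

    With "Remove Blocked Hosts" set to never, this is expected to return
    None for snort2c: the package simply has no cron item for that table.
    """
    for job in expiretable_jobs(config_xml):
        if job["table"] == table:
            return job["timeout_s"]
    return None


if __name__ == "__main__":
    for job in expiretable_jobs(SAMPLE_CONFIG):
        print(f"{job['table']:<10} every '{job['schedule']}' timeout={job['timeout_s']}s as {job['who']}")
    print("snort2c expiry:", table_expiry(SAMPLE_CONFIG, "snort2c"))
```

Run it against a real config.xml by reading the file into `expiretable_jobs`; a snort2c entry whose timeout does not match the interval selected in the Snort GUI, or an entry present when the GUI says never, is the symptom the ticket describes and worth comparing against the cron page before assuming a regression.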
Updated by Bill Meeks over 1 year ago
I'm not following the problem description in this ticket at all. There is no relationship between the virusprot table and Snort.
You say you can't find a cron task entry in config.xml for Snort, but then you say you have the Snort "Remove Blocked Hosts" interval set to NEVER. You also posted a screen shot showing that setting. Therefore, it is expected for there to be no Snort cron task entry related to the snort2c table in config.xml.
There have also been no other reports of any similar issue. The "Remove Blocked Hosts" setting is used by many, many Snort users. It would be expected that if a problem existed in that code with it automatically removing or resetting itself, others would have reported it as well.
Updated by Jonathan Lee over 1 year ago
Sorry, I had it set to never to help with my AppID text file I made. I had a huge amount of entries I was making a good suppress list with. Then later on that day blocks and items started to be removed at around 5 mins. I could not find any entry for snort2c anywhere inside the config file. I thought maybe my memory ran out, as I had many thousand alerts.
It was just off; it was working and all of a sudden it's removing them at 5 mins when it was still set to never. It was really weird. Maybe memory ran out.
Updated by Jonathan Lee over 1 year ago
This issue was resolved when I saved the interval again can you please close this ticket.