Bug #5932

Suricata / Alerts - can't clear alerts

Added by Ivor Kreso about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee: Ivor Kreso
Category: Suricata
Target version:
Start date: 02/26/2016
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.3
Affected Architecture:

Description

Under Suricata / Alerts I can't seem to clear alert entries. Clicking on Clear button shows two popups but doesn't clear alerts.

Suricata alerts 1.png (125 KB) Suricata alerts 1.png Raul Ramos, 02/27/2016 06:04 AM
Suricata alerts 2.png (140 KB) Suricata alerts 2.png Raul Ramos, 02/27/2016 06:04 AM

History

#1 Updated by Steve Beaver about 3 years ago

  • Status changed from New to Feedback
  • Assignee changed from Steve Beaver to Ivor Kreso

Screenshot please :)

#2 Updated by Raul Ramos about 3 years ago

Hi

New Suricata installation. Nothing fancy.

Add Snort VRT Rules. Add 2 interfaces configured with resolve flowbits and IPS Policy balanced and change some log mgmt settings: Remove Snort Logs On Package Uninstall check; Auto Log Management check; Log Directory Size Limit check and limit some sizes and retention options.

Pressing "Clear" on the Alerts tab shows the first popup; after OK the second appears, and I think a third one to confirm, but nothing happens. Can't add SIDs to the suppress list either.

https://forum.pfsense.org/index.php?topic=107496.0

#3 Updated by Steve Beaver about 3 years ago

Thanks Ivor, that helps. This package is so complex I need very specific guidance :)

#4 Updated by Bill Meeks about 3 years ago

For what it's worth, I now see this same error in the Snort package on Bootstrap. This was not happening in the recent past. Did something change in the way the auto-confirm stuff happens when using the fa-trash icon on a delete button?

I don't recall ever seeing that "can't delete last row" message, and I'm pretty sure clearing the logs worked in earlier Bootstrap snapshots (or at least I'm pretty sure).

Bill Meeks

#5 Updated by Bill Meeks about 3 years ago

Found the problem with clearing the ALERTS tab and log file. Naming the form button with the ID "delete" seems to trigger some jQuery stuff in pfSenseHelpers.js that intercepts the workflow. That should not be happening with the button on the ALERTS tab. To fix it, change the ID to "clear" like this:


$group->add(new Form_Button(
    'clear',
    'Clear',
    null,
    'fa-trash'
))->removeClass('btn-default')->addClass('btn-danger btn-sm')
  ->setHelp('The active alerts log will be cleared');

Also note that the help text is a little misleading and should instead read as shown above.

Once the form button is renamed, the code handling the $_POST needs to change as shown below:


/* Handle the renamed "clear" button: truncate this instance's alerts log */
if (isset($_POST['clear'])) {
    suricata_post_delete_logs($suricata_uuid);
    /* Opening with "w+" truncates alerts.log to zero length */
    $fd = @fopen("{$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/alerts.log", "w+");
    if ($fd)
        fclose($fd);
    /* XXX: This is needed if suricata is run as suricata user */
    /* Double quotes are required so {$suricatalogdir} is interpolated */
    mwexec("/bin/chmod 660 {$suricatalogdir}*", true);
    header("Location: /suricata/suricata_alerts.php?instance={$instanceid}");
    exit;
}

The problem with adding a SUPPRESS LIST entry not working is caused by the new font-awesome icon not generating a form.submit() call when clicked. Some additional code is needed to set a mode field (add src_ip, dst_ip, etc.), an IP address field and then submit the form when the icon is clicked. I have this working in the Snort package Bootstrap GUI and will be happy to share the file. The relevant code can be copied out and used in Suricata.

Bill
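
The suppress-list wiring Bill describes in the comment above, as an added example; this is not code from the bug report, from the pfSense Suricata package or from pfSenseHelpers.js. It attaches a click handler to each font-awesome icon, copies the icon's data attributes into hidden mode and IP fields, checks them against a mode allow-list and a loose IP literal check, and then calls form.submit(), which a bare icon element never does on its own. The form id suppress-form, the field names mode and ip, the data-mode/data-ip attributes, the mode values src_ip/dst_ip and the suppress-icon class are all assumptions made for this example.

```javascript
// Added example, not pfSense or Suricata package code.
// Assumed markup (constructed for this example):
//   <form id="suppress-form" method="post">
//     <input type="hidden" name="mode">
//     <input type="hidden" name="ip">
//   </form>
//   <i class="fa fa-plus-square-o suppress-icon"
//      data-mode="src_ip" data-ip="192.0.2.10"></i>

// Only the modes the server-side handler is assumed to understand.
const ALLOWED_MODES = new Set(['src_ip', 'dst_ip']);

// Loose IPv4 / IPv6 literal check. It rejects obviously malformed values
// before they are posted; the PHP side must still validate on its own.
const IPV4_RE = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const IPV6_RE = /^[0-9a-fA-F:]+$/;

function isPlausibleIp(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 45) return false;
  return IPV4_RE.test(value) || (value.includes(':') && IPV6_RE.test(value));
}

// Returns the field values to post, or null when the request is malformed
// and must not be submitted at all.
function buildSuppressRequest(mode, ip) {
  if (!ALLOWED_MODES.has(mode)) return null;
  if (!isPlausibleIp(ip)) return null;
  return { mode, ip };
}

// Fills the hidden fields on `form` and submits it. `form` only needs an
// `elements.namedItem(name)` lookup and a `submit()` method, which a real
// HTMLFormElement provides; makeFakeForm() below supplies a stand-in.
function submitSuppress(form, mode, ip) {
  const req = buildSuppressRequest(mode, ip);
  if (req === null) return false;
  form.elements.namedItem('mode').value = req.mode;
  form.elements.namedItem('ip').value = req.ip;
  form.submit();
  return true;
}

// Attaches a click handler to every icon, reading the mode and address from
// its data-* attributes (dataset.mode / dataset.ip). Returns the count wired.
function wireSuppressIcons(form, icons) {
  let wired = 0;
  for (const icon of icons) {
    icon.addEventListener('click', (ev) => {
      if (ev && typeof ev.preventDefault === 'function') ev.preventDefault();
      submitSuppress(form, icon.dataset.mode, icon.dataset.ip);
    });
    wired += 1;
  }
  return wired;
}

// Browser entry point; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  const form = document.getElementById('suppress-form');
  if (form) {
    wireSuppressIcons(form, document.querySelectorAll('.suppress-icon'));
  }
}

// Minimal form stand-in so the logic can be exercised outside a browser.
function makeFakeForm() {
  const fields = { mode: { value: '' }, ip: { value: '' } };
  return {
    submitted: 0,
    fields,
    elements: { namedItem: (name) => fields[name] },
    submit() { this.submitted += 1; },
  };
}
```

The client-side checks only stop a broken or tampered icon attribute from producing a pointless submit; the PHP handler that writes the suppress list has to validate the mode and the address itself, since anything in the DOM can be edited before the POST is sent.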

#6 Updated by Steve Beaver about 3 years ago

Fixed

#7 Updated by Renato Botelho about 3 years ago

  • Status changed from Feedback to Resolved

Ivor confirmed the fix works.

#8 Updated by Chris Buechler about 3 years ago

  • Affected Version set to 2.3
