Snort Alerts

The Alerts tab is where alerts generated by Snort may be viewed. If Snort is running on more than one interface, choose the interface to view alerts for in the drop-down selector.

Use the DOWNLOAD button to download a gzip tar file containing all of the logged alerts to a local machine. The CLEAR button is used to erase the current alerts log.

../../_images/snortalerts.png

Alert Details

../../_images/snortalertdetails.png

The Date column shows the date and time the alert was generated. The remaining columns show data from the rule that generated the alert.

In the Source, Destination columns are fa-search icons for performing reverse DNS lookups on the IP addresses as well as a fa-plus-square-regular icon used to add an automatic Suppress List entry for the alert using the IP address and SID (signature ID). This will prevent future alerts from being generated by the rule for that specific IP address only. If either of the Source or Destination addresses are currently being blocked by Snort, then a fa-times icon will also be shown. Clicking that icon will remove the block for the IP address.

The SID column contains two icons. The fa-plus-square-regular icon will automatically add that SID to the Suppress List for the interface and suppress future alerts from the signature for all IP addresses. The fa-times icon in the SID column will disable the rule and remove it from the enforcing rule set. When a rule is manually disabled, the icon in the SID column changes to fa-times-circle.