Snort Pkg 2.5.8 Change Log and Screenshots

bmeeks

This release of the Snort Package introduces some new features and polishes up some old ones a bit.

New or Improved Features

4.  New Frag3 Options  Several new configurable parameters for the Frag3 preprocessor are now available via the GUI.  See the attached screenshot.  Formerly these parameters were set to hard-coded defaults.  Now they are user-configurable to allow optimization for specific network environments and protected hosts.

bmeeks

This release of the Snort Package introduces some new features and polishes up some old ones a bit.

New or Improved Features

5.  Stream5 Options  Several new user-configurable Stream5 preprocessor parameters are now exposed in the Snort GUI.  See the attached screenshot.  As with the Frag3 preprocessor options mentioned above, these were formerly set to hard-coded defaults.  Now they are configurable by the user to suit different situations.

6. Reset Preprocessors to Defaults  At the bottom of the Preprocessors tab there is now a Reset button that will return all the Preprocessor settings on the page to their default values.  This provides an easy way to return to the "out of the box" setup for the Snort preprocessors.

bmeeks

This release of the Snort Package introduces some new features and polishes up some old ones a bit.

New or Improved Features

7.  New "No Rules Configured" Warning  Snort now provides a warning notification icon on the Snort Interfaces tab whenever a Snort-configured interface is present but for which no enforcing rules have been defined.  See the attached screenshot.  This is to alert the user of a condition where Snort would not be offering protection for the interface (no defined rules equals nothing to alert and block on).

8.  Style Overhaul for Rules Edit page  The Snort Rules Edit page has a bit of a style makeover to more closely match the other Snort pages.  One of the new features on this page is the addition of pop-up tooltip text that shows the full value of any truncated column values.  See the attached screenshot.

bmeeks

This release of the Snort Package introduces some new features and polishes up some old ones a bit.

New or Improved Features

9.  New Flowbits Page  The page for viewing auto-enabled flowbit-required rules was also redesigned to use the same style as the other Snort pages.  Additionally, the new page features a small plus icon (+) next to the SID for any flowbit rule that has the potential of generating an Alert.  These would be flowbit rules without the "no alert" option present in the rule options.  Clicking the plus icon (+) next to the SID will automatically add the flowbit rule's GID:SID to the Suppress List for the interface.

The flowbits resolution logic in this version also correctly handles logical operations involving flowbits (bits and bats to use the unofficial terms).  When parsing flowbits options from rules the package now correctly identifies each individual bits or bats term from the logical operators and ensures the appropriate required flowbit rules are enabled.  See the Snort manual at http://manual.snort.org/node33.html#SECTION004610000000000000000 for more details on flowbits logical operators.

bmeeks

This release of the Snort Package introduces some new features and polishes up some old ones a bit.

New or Improved Features

10.  View Suppress List/Whitelist from Interface Edit page  On the Interface Edit tab you can now directly open up and view the associated Whitelist or Suppress List for the interface.  Next to the drop-down boxes for selecting a Whitelist or Suppress List there is a View List button.  Clicking this button will open the currently selected Whitelist or Suppress List in a small pop-up window for viewing.

bmeeks

This release of the Snort Package introduces some new features and polishes up some old ones a bit.

New or Improved Features

11.  New Alert tab Feature  The Alerts tab has a couple of significant changes.  One is a bug fix to enable proper column text wrapping without extending past the edge of the parent table.  The second change is a modification to an existing feature where you can click the plus icon (+) next to an alert to automatically add the GID:SID to the Suppress List for the interface.  Now, the icon changes color to indicate whether or not the GID:SID is already listed in the Suppress List.  If the icon is grayed-out, that means the GID:SID from the Alert is already present in the Suppress List and will not be generating Block Events.  See the attached screenshot.

bmeeks

This release of the Snort Package introduces some new features and polishes up some old ones a bit.

New or Improved Features

12.  New CARP Sync Feature  This version of the Snort package revives an old feature – the ability to synchronize the Snort configurations of several firewalls.  Thanks to forum member Marcelloc for the code behind this feature.  There is now a Sync tab on the main menu where you can select target destination hosts to receive copies of the configuration from a Master host.  This code is still considered experimental and may not be ready for production use.  Use at your own risk in a production environment.  However, for those brave souls willing to test the feature, we welcome feedback on your experiences (the good ones and the bad ones).

Read the cautions and warnings on the page carefully!  You can create a fatal loop condition if you try to sync a master to a secondary and then that secondary back to the same master.  You should only have ONE master (the Master is the machine that is never a sync target).  When you enable this feature, you have the option of commanding the remote target hosts to download fresh rules during the sync process.  Be aware this will take several seconds to complete, and in this version of the sync code the Master host will wait until the remote target completes the rule download and local rebuild before proceeding.  This means the sync process can take a while if you have configured multiple target hosts.  The option to download fresh rules on sync is configurable.  In the future the plan is to spawn the rules download and rebuild process on the secondary target hosts as a background process so the Master does not have to wait.  For now, though, the Master will wait on each Secondary Host Target to complete the rules download and rebuild before proceeding.   You also have the option of automatically starting Snort on the remote host if it is not already running.  This Snort auto-start process is spawned off into the background at present and the Master will not wait on Snort to restart on the Secondary Targets.

A decent amount of message logging is performed on the destination target hosts.  Look in the system log for messages tagged with:

[snort] XMLRPC pkg sync:

Supermule

The community owes you SO much for this Bill!!

We cannot thank you enough for this and all the time you have spent on bettering it and making it run stable on PfSense!

Clear-Pixel

Thanks for your contributions bmeeks …. We salute you, and look forward to future security enhancements.

shinzo

Thank you for adding the frag3 and stream5 settings to the gui.  I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.

bmeeks

@shinzo:

Thank you for adding the frag3 and stream5 settings to the gui.   I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.

The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

Bill

gogol

I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

bmeeks

@gogol:

I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

That is already on my radar.  I am working on that in my test setups now.  Having some trouble with my 2.1 Builder VM, and that has slowed me down on the Snort 2.9.4.6 effort.

Bill

shinzo

@bmeeks:

@shinzo:

Thank you for adding the frag3 and stream5 settings to the gui.   I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.

The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

Bill

thanks i look forward to it :D

kilthro

Thanks for your continued work on this package Bill. I am really loving all the new features you have been incorporating into Snort.  Shout out to marcelloc too for assisting on some of the items.

asbirim

hi, first of all thank you for this great package.

i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

i have basic allow rules like only safe ports allowed.
i am using
block any to any source spammers
at bottom of all others rules. so i can block offenders.

changes are below.

results attached.
thanks.

/usr/local/pkg/snort/snort.inc

global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename, $snortrmblocktable;

$snortrmblocktable=$config['installedpackages']['snortglobal']['snortrmblocktable'];
if(trim($snortrmblocktable)=="")
	$snortrmblocktable="snort2c";

function snort_get_blocked_ips() {
	global $snortrmblocktable;
	$blocked_ips = "";
	exec("/sbin/pfctl -t $snortrmblocktable -T show", $blocked_ips);
	$blocked_ips_array = array();
	if (!empty($blocked_ips)) {
		$blocked_ips_array = array();
		if (is_array($blocked_ips)) {
			foreach ($blocked_ips as $blocked_ip) {
				if (empty($blocked_ip))
					continue;
				$blocked_ips_array[] = trim($blocked_ip, " \n\t");
			}
		}
	}

	return $blocked_ips_array;
}

function snort_rm_blocked_install_cron($should_install) {
	global $config, $g, $snortrmblocktable;

	if (!is_array($config['cron']['item']))
		$config['cron']['item'] = array();

	$x=0;
	$is_installed = false;
	foreach($config['cron']['item'] as $item) {
		if (strstr($item['command'], "$snortrmblocktable")) {
			$is_installed = true;
			break;
		}
		$x++;
	}
.
.
.
.
	case true:
		$cron_item = array();
		$cron_item['minute'] = "$snort_rm_blocked_min";
		$cron_item['hour'] = "$snort_rm_blocked_hr";
		$cron_item['mday'] = "$snort_rm_blocked_mday";
		$cron_item['month'] = "$snort_rm_blocked_month";
		$cron_item['wday'] = "$snort_rm_blocked_wday";
		$cron_item['who'] = "root";
		$cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire $snortrmblocktable";

		/* Add cron job if not already installed, else just update the existing one */
		if (!$is_installed) 
			$config['cron']['item'][] = $cron_item;
		elseif ($is_installed)
			$config['cron']['item'][$x] = $cron_item;
		break;
	case false:
		if ($is_installed == true)
			unset($config['cron']['item'][$x]);
		break;
	}
}

function snort_deinstall() {

	global $config, $g, $snort_rules_upd_log, $snortrmblocktable;
.
.
.
/* Remove all the Snort cron jobs. */
	snort_deinstall_cron("$snortrmblocktable");

function snort_generate_conf($snortcfg) {

	global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $snortrmblocktable;
.
.
.
@file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
		$spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},$snortrmblocktable,{$snortcfg['blockoffendersip']},{$pfkill}";

/usr/local/www/snort/snort_blocked.php

if ($_POST['todelete'] || $_GET['todelete']) {
	$ip = "";
	if($_POST['todelete'])
		$ip = $_POST['todelete'];
	else if($_GET['todelete'])
		$ip = $_GET['todelete'];
	if (is_ipaddr($ip))
		exec("/sbin/pfctl -t $snortrmblocktable -T delete {$ip}");
}

if ($_POST['remove']) {
	exec("/sbin/pfctl -t $snortrmblocktable -T flush");
	header("Location: /snort/snort_blocked.php");
	exit;
}

/* TODO: build a file with block ip and disc */
if ($_POST['download'])
{
	$blocked_ips_array_save = "";
	exec('/sbin/pfctl -t $snortrmblocktable -T show', $blocked_ips_array_save);

/usr/local/www/snort/snort_interfaces_global.php

$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
$pconfig['snortrmblocktable'] = $config['installedpackages']['snortglobal']['snortrmblocktable'];

		$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
		$config['installedpackages']['snortglobal']['snortrmblocktable'] = $_POST['snortrmblocktable'];	

	**', '**'); ?>

				  ', ''); ?>


bmeeks

@asbirim:

hi, first of all thank you for this great package.

i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

i have basic allow rules like only safe ports allowed.
i am using
block any to any source spammers
at bottom of all others rules. so i can block offenders.

I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

Bill

asbirim

@bmeeks:

@asbirim:

hi, first of all thank you for this great package.

i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

i have basic allow rules like only safe ports allowed.
i am using
block any to any source spammers
at bottom of all others rules. so i can block offenders.

I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

Bill

i was added screenshots about what i am tyring.

i am trying to use snort blocked offenders list in an alias. so i can totally have control over them.  because snort2c is block hosts at the top of pfctl, and the hosts tottally blocked. but i want to log them and just block unkown traffic from them.

sorry for bad english. i hope i can explain my solution.

bmeeks

@asbirim:

@bmeeks:

@asbirim:

hi, first of all thank you for this great package.

i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

i have basic allow rules like only safe ports allowed.
i am using
block any to any source spammers
at bottom of all others rules. so i can block offenders.

I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

Bill

i was added screenshots about what i am tyring.

i am trying to use snort blocked offenders list in an alias. so i can totally have control over them.  because snort2c is block hosts at the top of pfctl, and the hosts tottally blocked. but i want to log them and just block unkown traffic from them.

sorry for bad english. i hope i can explain my solution.

The proper way to do this would be with your own Custom Rules in Snort.  The current package gives you that capability.  You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

Bill

marcelloc

@bmeeks:

You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

I think asbirim is trying to block offenders based on snort rules but block only specific ports instead of blocking all ip traffic changing pf rule created by snort.

On pfblocker I've added an option to only create alias but do not apply rules. This way sysadmin can create any rule based ou package created alias.