Snort Pkg 2.5.8 Change Log and Screenshots

bmeeks

This release of the Snort Package introduces some new features and polishes up some old ones a bit.

New or Improved Features

12.  New CARP Sync Feature  This version of the Snort package revives an old feature – the ability to synchronize the Snort configurations of several firewalls.  Thanks to forum member Marcelloc for the code behind this feature.  There is now a Sync tab on the main menu where you can select target destination hosts to receive copies of the configuration from a Master host.  This code is still considered experimental and may not be ready for production use.  Use at your own risk in a production environment.  However, for those brave souls willing to test the feature, we welcome feedback on your experiences (the good ones and the bad ones).

Read the cautions and warnings on the page carefully!  You can create a fatal loop condition if you try to sync a master to a secondary and then that secondary back to the same master.  You should only have ONE master (the Master is the machine that is never a sync target).  When you enable this feature, you have the option of commanding the remote target hosts to download fresh rules during the sync process.  Be aware this will take several seconds to complete, and in this version of the sync code the Master host will wait until the remote target completes the rule download and local rebuild before proceeding.  This means the sync process can take a while if you have configured multiple target hosts.  The option to download fresh rules on sync is configurable.  In the future the plan is to spawn the rules download and rebuild process on the secondary target hosts as a background process so the Master does not have to wait.  For now, though, the Master will wait on each Secondary Host Target to complete the rules download and rebuild before proceeding.   You also have the option of automatically starting Snort on the remote host if it is not already running.  This Snort auto-start process is spawned off into the background at present and the Master will not wait on Snort to restart on the Secondary Targets.

A decent amount of message logging is performed on the destination target hosts.  Look in the system log for messages tagged with:

[snort] XMLRPC pkg sync:

Supermule

The community owes you SO much for this Bill!!

We cannot thank you enough for this and all the time you have spent on bettering it and making it run stable on PfSense!

Clear-Pixel

Thanks for your contributions bmeeks …. We salute you, and look forward to future security enhancements.

shinzo

Thank you for adding the frag3 and stream5 settings to the gui.  I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.

bmeeks

@shinzo:

Thank you for adding the frag3 and stream5 settings to the gui.   I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.

The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

Bill

gogol

I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

bmeeks

@gogol:

I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

That is already on my radar.  I am working on that in my test setups now.  Having some trouble with my 2.1 Builder VM, and that has slowed me down on the Snort 2.9.4.6 effort.

Bill

shinzo

@bmeeks:

@shinzo:

Thank you for adding the frag3 and stream5 settings to the gui.   I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.

The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

Bill

thanks i look forward to it :D

kilthro

Thanks for your continued work on this package Bill. I am really loving all the new features you have been incorporating into Snort.  Shout out to marcelloc too for assisting on some of the items.

asbirim

hi, first of all thank you for this great package.

i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

i have basic allow rules like only safe ports allowed.
i am using
block any to any source spammers
at bottom of all others rules. so i can block offenders.

changes are below.

results attached.
thanks.

/usr/local/pkg/snort/snort.inc

global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename, $snortrmblocktable;

$snortrmblocktable=$config['installedpackages']['snortglobal']['snortrmblocktable'];
if(trim($snortrmblocktable)=="")
	$snortrmblocktable="snort2c";

function snort_get_blocked_ips() {
	global $snortrmblocktable;
	$blocked_ips = "";
	exec("/sbin/pfctl -t $snortrmblocktable -T show", $blocked_ips);
	$blocked_ips_array = array();
	if (!empty($blocked_ips)) {
		$blocked_ips_array = array();
		if (is_array($blocked_ips)) {
			foreach ($blocked_ips as $blocked_ip) {
				if (empty($blocked_ip))
					continue;
				$blocked_ips_array[] = trim($blocked_ip, " \n\t");
			}
		}
	}

	return $blocked_ips_array;
}

function snort_rm_blocked_install_cron($should_install) {
	global $config, $g, $snortrmblocktable;

	if (!is_array($config['cron']['item']))
		$config['cron']['item'] = array();

	$x=0;
	$is_installed = false;
	foreach($config['cron']['item'] as $item) {
		if (strstr($item['command'], "$snortrmblocktable")) {
			$is_installed = true;
			break;
		}
		$x++;
	}
.
.
.
.
	case true:
		$cron_item = array();
		$cron_item['minute'] = "$snort_rm_blocked_min";
		$cron_item['hour'] = "$snort_rm_blocked_hr";
		$cron_item['mday'] = "$snort_rm_blocked_mday";
		$cron_item['month'] = "$snort_rm_blocked_month";
		$cron_item['wday'] = "$snort_rm_blocked_wday";
		$cron_item['who'] = "root";
		$cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire $snortrmblocktable";

		/* Add cron job if not already installed, else just update the existing one */
		if (!$is_installed) 
			$config['cron']['item'][] = $cron_item;
		elseif ($is_installed)
			$config['cron']['item'][$x] = $cron_item;
		break;
	case false:
		if ($is_installed == true)
			unset($config['cron']['item'][$x]);
		break;
	}
}

function snort_deinstall() {

	global $config, $g, $snort_rules_upd_log, $snortrmblocktable;
.
.
.
/* Remove all the Snort cron jobs. */
	snort_deinstall_cron("$snortrmblocktable");

function snort_generate_conf($snortcfg) {

	global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $snortrmblocktable;
.
.
.
@file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
		$spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},$snortrmblocktable,{$snortcfg['blockoffendersip']},{$pfkill}";

/usr/local/www/snort/snort_blocked.php

if ($_POST['todelete'] || $_GET['todelete']) {
	$ip = "";
	if($_POST['todelete'])
		$ip = $_POST['todelete'];
	else if($_GET['todelete'])
		$ip = $_GET['todelete'];
	if (is_ipaddr($ip))
		exec("/sbin/pfctl -t $snortrmblocktable -T delete {$ip}");
}

if ($_POST['remove']) {
	exec("/sbin/pfctl -t $snortrmblocktable -T flush");
	header("Location: /snort/snort_blocked.php");
	exit;
}

/* TODO: build a file with block ip and disc */
if ($_POST['download'])
{
	$blocked_ips_array_save = "";
	exec('/sbin/pfctl -t $snortrmblocktable -T show', $blocked_ips_array_save);

/usr/local/www/snort/snort_interfaces_global.php

$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
$pconfig['snortrmblocktable'] = $config['installedpackages']['snortglobal']['snortrmblocktable'];

		$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
		$config['installedpackages']['snortglobal']['snortrmblocktable'] = $_POST['snortrmblocktable'];	

	**', '**'); ?>

				  ', ''); ?>


bmeeks

@asbirim:

hi, first of all thank you for this great package.

i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

i have basic allow rules like only safe ports allowed.
i am using
block any to any source spammers
at bottom of all others rules. so i can block offenders.

I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

Bill

asbirim

@bmeeks:

@asbirim:

hi, first of all thank you for this great package.

i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

i have basic allow rules like only safe ports allowed.
i am using
block any to any source spammers
at bottom of all others rules. so i can block offenders.

I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

Bill

i was added screenshots about what i am tyring.

i am trying to use snort blocked offenders list in an alias. so i can totally have control over them.  because snort2c is block hosts at the top of pfctl, and the hosts tottally blocked. but i want to log them and just block unkown traffic from them.

sorry for bad english. i hope i can explain my solution.

bmeeks

@asbirim:

@bmeeks:

@asbirim:

hi, first of all thank you for this great package.

i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

i have basic allow rules like only safe ports allowed.
i am using
block any to any source spammers
at bottom of all others rules. so i can block offenders.

I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

Bill

i was added screenshots about what i am tyring.

i am trying to use snort blocked offenders list in an alias. so i can totally have control over them.  because snort2c is block hosts at the top of pfctl, and the hosts tottally blocked. but i want to log them and just block unkown traffic from them.

sorry for bad english. i hope i can explain my solution.

The proper way to do this would be with your own Custom Rules in Snort.  The current package gives you that capability.  You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

Bill

marcelloc

@bmeeks:

You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

I think asbirim is trying to block offenders based on snort rules but block only specific ports instead of blocking all ip traffic changing pf rule created by snort.

On pfblocker I've added an option to only create alias but do not apply rules. This way sysadmin can create any rule based ou package created alias.

bmeeks

@marcelloc:

@bmeeks:

You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

I think asbirim is trying to block offenders based on snort rules but block only specific ports instead of blocking all ip traffic changing pf rule created by snort.

On pfblocker I've added an option to only create alias but do not apply rules. This way sysadmin can create any rule based ou package created alias.

Oh…OK.  I wasn't initially understanding his intent.  I'm not sure this idea really fits into what Snort is about, though.  Sounds more like something for one of the other packages like pfBlocker perhaps.

Bill