Netgate Discussion Forum
    Snort Pkg 2.5.8 Change Log and Screenshots

    pfSense Packages
    25 Posts 8 Posters 7.3k Views

    bmeeks

      @shinzo:

      Thank you for adding the frag3 and stream5 settings to the GUI. I have an idea for the "target policy": maybe being able to bind, let's say, 192.168.1.1 to bsd, then x.x.x.2 to linux and 192.168.1.0/24 to windows?

      But thanks again. The only reason I keep using pfSense is because of the wonderful updates to the Snort package.

      The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

      Bill

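      As an added illustration (not taken from the post or from the pfSense package), this is how the Snort 2.9 binary itself expresses what shinzo asked for: separate Frag3, Stream5 and HTTP_INSPECT configurations bound to particular hosts or networks via the preprocessors' bind_to and server options. The addresses, policies and ports are made-up sample values.

```conf
# Constructed snort.conf fragment: per-address preprocessor configuration.
# Engines carrying bind_to are matched against the packet first; the engine
# without bind_to is the catch-all default for everything else.

# Frag3: IP fragment reassembly, with the target OS policy chosen per network.
preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy windows, bind_to 192.168.1.0/24
preprocessor frag3_engine: policy linux, bind_to [10.1.1.0/24,10.1.2.0/24]
preprocessor frag3_engine: policy bsd

# Stream5: TCP stream reassembly, again with one policy per protected network.
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
preprocessor stream5_tcp: policy bsd

# HTTP_INSPECT: a profile per web server, plus a default for any other host.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 10.1.1.10 profile iis ports { 80 }
preprocessor http_inspect_server: server 10.1.1.20 profile apache ports { 80 8080 }
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
```

      A configuration like this can be checked without starting detection by running snort with -T against the file; a bind_to block that overlaps another or a misspelled policy name is reported there rather than at runtime.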
      gogol

        I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

        bmeeks

          @gogol:

          I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

          That is already on my radar.  I am working on that in my test setups now.  Having some trouble with my 2.1 Builder VM, and that has slowed me down on the Snort 2.9.4.6 effort.

          Bill

          shinzo

            @bmeeks:

            @shinzo:

            Thank you for adding the frag3 and stream5 settings to the GUI. I have an idea for the "target policy": maybe being able to bind, let's say, 192.168.1.1 to bsd, then x.x.x.2 to linux and 192.168.1.0/24 to windows?

            But thanks again. The only reason I keep using pfSense is because of the wonderful updates to the Snort package.

            The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

            Bill

            Thanks, I look forward to it :D

            kilthro

              Thanks for your continued work on this package Bill. I am really loving all the new features you have been incorporating into Snort.  Shout out to marcelloc too for assisting on some of the items.

              asbirim

                Hi, first of all thank you for this great package.

                I needed to block offenders, but not all traffic, just unknown traffic, e.g. torrent, p2p.

                So I added an alias named "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change the default snort2c alias. Can you add these changes to the package?

                I have basic allow rules, like only safe ports allowed.
                I am using
                block any to any source spammers
                at the bottom of all other rules, so I can block offenders.

                The changes are below.

                Results attached.
                Thanks.

                /usr/local/pkg/snort/snort.inc

                /* New global: the name of the pf table that Snort's alert_pf output fills (defaults to "snort2c"). */
                global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename, $snortrmblocktable;

                $snortrmblocktable = $config['installedpackages']['snortglobal']['snortrmblocktable'];
                if (trim($snortrmblocktable) == "")
                	$snortrmblocktable = "snort2c";

                function snort_get_blocked_ips() {
                	global $snortrmblocktable;
                	/* Read the configured table instead of the hard-coded snort2c. */
                	$blocked_ips = array();
                	exec("/sbin/pfctl -t $snortrmblocktable -T show", $blocked_ips);
                	$blocked_ips_array = array();
                	if (!empty($blocked_ips) && is_array($blocked_ips)) {
                		foreach ($blocked_ips as $blocked_ip) {
                			if (empty($blocked_ip))
                				continue;
                			$blocked_ips_array[] = trim($blocked_ip, " \n\t");
                		}
                	}
                	return $blocked_ips_array;
                }

                function snort_rm_blocked_install_cron($should_install) {
                	global $config, $g, $snortrmblocktable;

                	if (!is_array($config['cron']['item']))
                		$config['cron']['item'] = array();

                	/* Look for an existing expiretable cron job that references the configured table. */
                	$x = 0;
                	$is_installed = false;
                	foreach ($config['cron']['item'] as $item) {
                		if (strstr($item['command'], "$snortrmblocktable")) {
                			$is_installed = true;
                			break;
                		}
                		$x++;
                	}
                .
                .
                .
                .
                	case true:
                		$cron_item = array();
                		$cron_item['minute'] = "$snort_rm_blocked_min";
                		$cron_item['hour'] = "$snort_rm_blocked_hr";
                		$cron_item['mday'] = "$snort_rm_blocked_mday";
                		$cron_item['month'] = "$snort_rm_blocked_month";
                		$cron_item['wday'] = "$snort_rm_blocked_wday";
                		$cron_item['who'] = "root";
                		/* expiretable now prunes the configured table rather than snort2c. */
                		$cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire $snortrmblocktable";

                		/* Add cron job if not already installed, else just update the existing one */
                		if (!$is_installed)
                			$config['cron']['item'][] = $cron_item;
                		else
                			$config['cron']['item'][$x] = $cron_item;
                		break;
                	case false:
                		if ($is_installed == true)
                			unset($config['cron']['item'][$x]);
                		break;
                	}
                }

                function snort_deinstall() {

                	global $config, $g, $snort_rules_upd_log, $snortrmblocktable;
                .
                .
                .
                	/* Remove all the Snort cron jobs. */
                	snort_deinstall_cron("$snortrmblocktable");

                function snort_generate_conf($snortcfg) {

                	global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $snortrmblocktable;
                .
                .
                .
                	@file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
                	/* The alert_pf output plugin writes offending hosts into the configured table. */
                	$spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},$snortrmblocktable,{$snortcfg['blockoffendersip']},{$pfkill}";


                /usr/local/www/snort/snort_blocked.php

                /* Delete one host from the block table. is_ipaddr() keeps anything that is
                   not a valid address away from the pfctl command line. */
                if ($_POST['todelete'] || $_GET['todelete']) {
                	$ip = "";
                	if ($_POST['todelete'])
                		$ip = $_POST['todelete'];
                	else if ($_GET['todelete'])
                		$ip = $_GET['todelete'];
                	if (is_ipaddr($ip))
                		exec("/sbin/pfctl -t $snortrmblocktable -T delete {$ip}");
                }

                /* Flush the whole table. */
                if ($_POST['remove']) {
                	exec("/sbin/pfctl -t $snortrmblocktable -T flush");
                	header("Location: /snort/snort_blocked.php");
                	exit;
                }

                /* TODO: build a file with block ip and disc */
                if ($_POST['download'])
                {
                	$blocked_ips_array_save = array();
                	/* Double quotes are required here: with the single-quoted string of the
                	   original edit, pfctl received the literal text "$snortrmblocktable"
                	   instead of the table name. */
                	exec("/sbin/pfctl -t $snortrmblocktable -T show", $blocked_ips_array_save);


                /usr/local/www/snort/snort_interfaces_global.php

                /* Load the saved table name into the form. */
                $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
                $pconfig['snortrmblocktable'] = $config['installedpackages']['snortglobal']['snortrmblocktable'];

                		/* Added check (not part of the original edit): the table name ends up on a pfctl
                		   command line in snort.inc and snort_blocked.php, so only accept the characters
                		   pf allows in a table name. In pfSense pages the save below only runs while
                		   $input_errors stays empty. */
                		if (!empty($_POST['snortrmblocktable']) && !preg_match('/^[A-Za-z0-9_]+$/', $_POST['snortrmblocktable']))
                			$input_errors[] = "The Snort block table name may only contain letters, digits and underscores.";

                		/* Save the form values. */
                		$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
                		$config['installedpackages']['snortglobal']['snortrmblocktable'] = $_POST['snortrmblocktable'];

                

                Attachments: aliasess.png, rules.png, global_settings.png, blocked lists.png, tables.png

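                To make the difference asbirim describes concrete, here is an added, hand-written pf ruleset fragment (not from the post and not pfSense's generated rules) contrasting the stock snort2c placement with the "spammers" alias referenced only at the bottom of the ruleset. The $lan and $lan_net macros and the allowed ports are assumptions.

```conf
# Constructed pf.conf fragment. (a) and (b) are alternatives: a real ruleset
# contains one of them, not both. $lan / $lan_net are assumed macros.

# (a) Stock behaviour: pfSense puts the snort2c rules near the top of the ruleset.
#     "quick" ends evaluation at the first match, so a host that Snort's alert_pf
#     output has added to the table loses all traffic in both directions, no matter
#     which pass rules follow.
table <snort2c> persist
block in log quick from <snort2c> to any label "Block snort2c hosts"
block in log quick from any to <snort2c> label "Block snort2c hosts"

# (b) asbirim's approach: Snort fills the table behind the "spammers" alias instead,
#     and no rule references that table until after the allow rules.
table <spammers> persist

# Known-good services are passed first, for offenders and everyone else alike ...
pass in quick on $lan proto tcp from $lan_net to any port { 22 80 443 } keep state
pass in quick on $lan proto udp from $lan_net to any port 53 keep state

# ... so an offender keeps its allowed traffic, and only what nothing above matched
# (torrent, p2p, anything unknown) is logged under its own label and dropped.
block in log quick on $lan from <spammers> to any label "Snort offenders: unknown traffic"

# Default deny for everything that is left.
block in log on $lan all
```

                "pfctl -t spammers -T show" lists what Snort has added to the table, and the expiretable cron job from the snort.inc snippet still prunes it on the configured interval.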
                  bmeeks

                  @asbirim:

                  Hi, first of all thank you for this great package.

                  I needed to block offenders, but not all traffic, just unknown traffic, e.g. torrent, p2p.

                  So I added an alias named "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change the default snort2c alias. Can you add these changes to the package?

                  I have basic allow rules, like only safe ports allowed.
                  I am using
                  block any to any source spammers
                  at the bottom of all other rules, so I can block offenders.

                  I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

                  Bill

                    asbirim

                    @bmeeks:

                    @asbirim:

                    Hi, first of all thank you for this great package.

                    I needed to block offenders, but not all traffic, just unknown traffic, e.g. torrent, p2p.

                    So I added an alias named "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change the default snort2c alias. Can you add these changes to the package?

                    I have basic allow rules, like only safe ports allowed.
                    I am using
                    block any to any source spammers
                    at the bottom of all other rules, so I can block offenders.

                    I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

                    Bill

                    I added screenshots of what I am trying.

                    I am trying to use the Snort blocked offenders list in an alias, so I can have total control over them. Because snort2c blocks hosts at the top of pfctl, the hosts are totally blocked, but I want to log them and just block unknown traffic from them.

                    Sorry for my bad English. I hope I could explain my solution.

                      bmeeks

                      @asbirim:

                      @bmeeks:

                      @asbirim:

                      Hi, first of all thank you for this great package.

                      I needed to block offenders, but not all traffic, just unknown traffic, e.g. torrent, p2p.

                      So I added an alias named "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change the default snort2c alias. Can you add these changes to the package?

                      I have basic allow rules, like only safe ports allowed.
                      I am using
                      block any to any source spammers
                      at the bottom of all other rules, so I can block offenders.

                      I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

                      Bill

                      I added screenshots of what I am trying.

                      I am trying to use the Snort blocked offenders list in an alias, so I can have total control over them. Because snort2c blocks hosts at the top of pfctl, the hosts are totally blocked, but I want to log them and just block unknown traffic from them.

                      Sorry for my bad English. I hope I could explain my solution.

                      The proper way to do this would be with your own Custom Rules in Snort.  The current package gives you that capability.  You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

                      Bill

                        marcelloc

                        @bmeeks:

                        You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

                        I think asbirim is trying to block offenders based on Snort rules, but block only specific ports instead of blocking all IP traffic, by changing the pf rule created by Snort.

                        On pfBlocker I've added an option to only create the alias but not apply rules. This way the sysadmin can create any rule based on the package-created alias.

                        Elite Training: http://sys-squad.com

                        Help a community developer! ;D

                          bmeeks

                          @marcelloc:

                          @bmeeks:

                          You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

                          I think asbirim is trying to block offenders based on Snort rules, but block only specific ports instead of blocking all IP traffic, by changing the pf rule created by Snort.

                          On pfBlocker I've added an option to only create the alias but not apply rules. This way the sysadmin can create any rule based on the package-created alias.

                          Oh…OK.  I wasn't initially understanding his intent.  I'm not sure this idea really fits into what Snort is about, though.  Sounds more like something for one of the other packages like pfBlocker perhaps.

                          Bill

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.