Netgate Discussion Forum

    Snort 2.9.4.6 pkg v2.6.0 Update

    pfSense Packages

      maverick_slo

      Hey!

      Just updated 3rd production box on 2.1.
      Thanks again, the thing is flying now because just 1 process is created :)

        bmeeks

        @maverick_slo:

        Hey!

        Just updated 3rd production box on 2.1.
        Thanks again, the thing is flying now because just 1 process is created :)

        Glad to hear things are improved by this update  :)

        For other users still on 2.0.3 –
        The 2.0.3 binary packages also finished rebuilding and are now posted.  This is the same Snort binary version as before (2.9.4.6), but it contains a fix for the SMTP preprocessor not correctly supporting a soft restart.  The PBI package for 2.1 users already contains the new binary, so 2.1 users are good.  If any 2.0.3 users updated Snort since yesterday, I suggest you do a quick remove and re-install to pick up the newest binary.

        Bill

          pfSenseRocks

          In addition to working great with no duplicates, Memory utilization reduced by about 800MB in general. Not complaining but trying to figure out if it is expected.  :D

          Thanks for the hard work on this update, Bill.

            ccb056

            @bmeeks:

            An update to the Snort package has been posted.  This update fixes a few bugs and adds a handful of new features.

            • Add native Snort GUI function for resolving and unpacking Aliases so that FQDN Aliases can be correctly resolved and used in the configuration.

            The actual changes to the code files can be found here:  https://github.com/pfsense/pfsense-packages/pull/514

            Bill

            Thanks Bill!! :)

              bmeeks

              @ccb056:

              @bmeeks:

              An update to the Snort package has been posted.  This update fixes a few bugs and adds a handful of new features.

              • Add native Snort GUI function for resolving and unpacking Aliases so that FQDN Aliases can be correctly resolved and used in the configuration.

              The actual changes to the code files can be found here:  https://github.com/pfsense/pfsense-packages/pull/514

              Bill

              Thanks Bill!! :)

              I thought this feature might be useful and popular, but it may be a little ragged around the edges on the first attempt.  Let me know if you see any weird things.  One user has already reported some duplicate IPs getting added to the whitelist.

              Also realize that for now, these FQDN aliases are only resolved during a Snort startup.  So they are not truly realtime yet.

              Bill

                bmeeks

                @pfSenseRocks:

                In addition to working great with no duplicates, Memory utilization reduced by about 800MB in general. Not complaining but trying to figure out if it is expected.  :D

                Thanks for the hard work on this update, Bill.

                Not sure anything I changed would impact the memory footprint other than eliminating the duplicate processes.

                Bill

                  fragged

                  Thanks for the update!

                  In addition to the upcoming binary update, would it be possible to make the snort2c list persist through filter_reload? pfBlocker lists, aliases, etc. persist through it, why doesn't snort2c?

                    newbieuser1234

                    I'm on 2.5.9 and just upgraded to 2.1 on 32 bit.  I have my block removal set to never remove, but I noticed several times that I have a large amount of alerts, but the blocked list gets reset frequently.  I haven't powered down the box.  Any suggestions? I plan on upgrading to 2.6 tonight, but just wondering if anyone else was experiencing this?

                      fragged

                      pfSense function filter_reload will clear the snort2c list, like mentioned on a gazillion threads since 2.1 was released :)

                        newbieuser1234

                        Thanks, so this is a bug I take it, or is there something I can do to fix this? When I search the forums I only find 2 posts on the issue.  Thanks.

                          bmeeks

                          @newbieuser1234:

                          Thanks, so this is a bug I take it, or is there something I can do to fix this? When I search the forums I only find 2 posts on the issue.  Thanks.

                          I don't think it is a bug in Snort so much as it is a change in behavior of 2.1 pfSense.  I changed nothing in Snort relative to the blocking functions.  In fact, those haven't changed in many, many months.  Instead, 2.1 pfSense is doing something differently in regards to clearing the pf blocking tables.

                          I will investigate to see if there is anything I can do on the Snort side of things to cope with this.

                          Bill
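
The clearing of the snort2c table discussed in the posts above can be confirmed by comparing saved snapshots of the table. This is an added example, not code from the thread or from the Snort package; it assumes snapshots saved from `pfctl -t snort2c -T show`, and the function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Snort package): compare two snapshots of the
# snort2c pf table and report blocks that disappeared between them.
# On the firewall a snapshot would be taken with:  pfctl -t snort2c -T show

# Print the addresses in snapshot file $1, trimmed, one per line, sorted.
snapshot_addrs() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" \
        | LC_ALL=C sort -u
}

# Print addresses present in snapshot $1 (older) but missing from $2 (newer).
snort2c_dropped() {
    a=$(mktemp) && b=$(mktemp) || return 2
    snapshot_addrs "$1" > "$a"
    snapshot_addrs "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Succeed (exit 0) when the older snapshot held blocks and the newer one is
# empty, as happens when the whole table is cleared at once.
snort2c_flushed() {
    [ -n "$(snapshot_addrs "$1")" ] && [ -z "$(snapshot_addrs "$2")" ]
}

# Constructed sample snapshots (documentation address ranges, not real hosts).
demo_dir=$(mktemp -d)
printf '   192.0.2.10\n   198.51.100.7\n   203.0.113.45\n' > "$demo_dir/before"
printf '   198.51.100.7\n' > "$demo_dir/partial"
: > "$demo_dir/after_reload"

echo "blocks missing from the partial snapshot:"
snort2c_dropped "$demo_dir/before" "$demo_dir/partial"

if snort2c_flushed "$demo_dir/before" "$demo_dir/after_reload"; then
    lost=$(snapshot_addrs "$demo_dir/before" | wc -l | tr -d ' ')
    echo "table was emptied: all $lost blocks lost"
fi
rm -rf "$demo_dir"
```

With block removal set to never, any address reported as dropped was removed by something other than Snort's own expiry.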

                            newbieuser1234

                            Awesome. Thanks again for creating this package. It's a great one.  What do you think will happen with Cisco's acquisition of Sourcefire? Do you think it will affect the availability of your package?

                              bmeeks

                              @newbieuser1234:

                              Awesome. Thanks again for creating this package. It's a great one.  What do you think will happen with Cisco's acquisition of Sourcefire? Do you think it will affect the availability of your package?

                              I think the general feeling is the open-source Snort software and rules will survive despite the Cisco acquisition.  But nobody really knows for sure but the Cisco bosses.

                              One minor correction.  I did not create the Snort package on pfSense.  That was the work of several others in the distant past.  I just sort of became the default maintainer late in 2012 when I submitted some fixes and a few new features.  Thanks for the kind words, though.

                              Bill

                                bmeeks

                                @fragged:

                                Thanks for the update!

                                In addition to the upcoming binary update, would it be possible to make the snort2c list persist through filter_reload? pfBlocker lists, aliases, etc. persist through it, why doesn't snort2c?

                                Aliases live in the config.xml file and might be reloaded on a filter reload call.  Don't know for sure, though.  I can look through the pfBlocker package code and see where it stores its block list and how it protects it.

                                Bill

                                  newbieuser1234

                                  Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?

                                    kejianshi

                                    Well - If the Cisco acquisition of SNORT affects things and 90% or so of the group goes with Cisco, then get a new group.  Call it something else and continue on.  SNIFF (TM) is a good name…

                                    And if the band you're in starts playing different tunes...

                                      bmeeks

                                      @newbieuser1234:

                                      Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?

                                      No I don't, but I also don't think it is necessarily on a regularly scheduled basis.  I really don't know much about that process.  Guess I need to dig in and learn.

                                      Bill

                                        Supermule

                                        I get this when trying to upgrade a 2.0.3 box…

                                        Beginning package installation for snort...
                                        Downloading package configuration file... done.
                                        Saving updated package information... done.
                                        Downloading snort and its dependencies...
                                        Checking for package installation...
                                        Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.12.tbz ...  (extracting)

                                        Downloading http://files.pfsense.org/packages/8/All/mysql-client-5.5.33.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/mysql-client-5.5.33.tbz.
                                        of barnyard2-1.12 failed!

                                        Installation aborted.Backing up libraries...
                                        Removing package...
                                        Starting package deletion for mysql-client-5.5.30...done.
                                        Starting package deletion for barnyard2-1.12...done.
                                        Starting package deletion for libnet11-1.1.6,1...done.
                                        Skipping package deletion for libdnet-1.11_3 because it is a dependency.
                                        Starting package deletion for libpcap-1.3.0...done.
                                        Starting package deletion for daq-2.0.0...done.
                                        Starting package deletion for snort-2.9.4.6...done.
                                        Removing snort components...
                                        Menu items... done.
                                        Services... done.
                                        Loading package instructions...
                                        Include file snort.inc could not be found for inclusion.
                                        Deinstall commands...
                                        Not executing custom deinstall hook because an include is missing.
                                        Removing package instructions...done.
                                        Auxiliary files... done.
                                        Package XML... done.
                                        Configuration... done.
                                        Cleaning up... Failed to install package.

                                        Installation halted.

                                          newbieuser1234

                                          Supermule, how much do you pay for your connection a month or do you work at an ISP?  That speed is nuts.

                                            Supermule

                                            :D That is what I offer to my clients in my VDI environment.

                                            All sitting on 10Gbit backbone direct to the internet exchange :)

                                            @newbieuser1234:

                                            Supermule, how much do you pay for your connection a month or do you work at an ISP?  That speed is nuts.
