Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes
-
On a closer look no matter how I arrange by date, it's always backwards for 2014 vs 2013. Must be a bug in the sorting piece of code or something.
-
… and the problem flows through to the Dashboard Widget, resulting in the most current alerts not being displayed.
-
As said….not an issue on 2.0.3 for me.
-
On a closer look no matter how I arrange by date, it's always backwards for 2014 vs 2013. Must be a bug in the sorting piece of code or something.
I checked on my production firewall and indeed the default sort appears to be putting the December 31, 2013 events above the January 2014 events. However, you can click the DATE column header on the Alerts tab and sort the alerts so the January 01, 2014 events are at the top. See the screenshot below showing the sorted list. This is from a 2.1-RELEASE pfSense firewall.
Bill
-
On 2.0.3 it seems fine Bill.
-
On 2.0.3 it seems fine Bill.
OK. I just edited/replaced my original reply above with updated info. I will check the Dashboard Widget next on 2.1.
Bill
-
OK, found a "sort of fix" for the Snort Alerts Dashboard Widget. It keys off the "sort setting" for the System Log. If you have your system log entries displaying in reverse order, then the Snort Alerts Widget sorts the same way. If you toggle System Log entries to display in "normal order", then the Snort Alerts Widget sorts correctly.
The problem here is, I think, in the sorting logic of the System Log. When toggled to display in "reverse" (that is, newest entries displayed first), it sorts the leading zero improperly in the timestamp. The same problem is copied over into the Snort Widget code by the original author.
Bill
-
The log in Snort on the alerts table has the problem even on 2.0.3.
The widget doesnt.
-
The log in Snort on the alerts table has the problem even on 2.0.3.
The widget doesnt.
Fixing the sorting will take a little extra magic to handle the leading zero or one in the months. Sorting as a plain string won't work. I will see if I can make it smarter.
Bill
-
Fixing the sort turned out to be easier than I thought it would. I fixed both the ALERTS tab display and the Snort Alerts Widget. Let me test a wee bit more to be sure there are no unintended consequences from the fixes, then I will submit a Pull Request for a minor update to the Snort package and the Dashboard Alerts Widget.
Bill
-
When doing so Bill, cant you try to import the code from the traffic graph widgets since they have an interval function built in to update the Snort alert widget without refreshing the whole page…
-
When doing so Bill, cant you try to import the code from the traffic graph widgets since they have an interval function built in to update the Snort alert widget without refreshing the whole page…
Well, it's too late for this Widget fix. Ermal merged the update this morning. The current widget should be updating every 22 seconds if I understand the code correctly. I think jimp originally wrote it. His name is in the copyright info at the top of the source code.
There also may be a problem with the older 2.0.3 pfSense code with respect to JavaScript callbacks for the active refresh. Not sure, though. I will test on my 2.1 install to see if it auto-refreshes the Snort Alerts frame.
Bill
-
Snort Alerts list doesn't show entries from 1.1.2014 at the top. When clicking on the Date column to sort by date, the alerts from today show up at the top again. Bug or by design?
This should be fixed in an update posted today (January 2, 2014). The update was very minor and so I did not bump the package version number. Hence no update will show in the Installed Packages tab. Nonetheless, if you click the XML icon there to reinstall the package GUI components, you will get the updated PHP code for the Alerts tab.
Bill
-
It doesnt update automagically every 22 seconds Bill on 2.0.3.
I havent got a 2.1 box yet hence all the issues :D
-
It doesnt update automagically every 22 seconds Bill on 2.0.3.
I havent got a 2.1 box yet hence all the issues :D
I will test this out in my VMware environment to see if it works properly on 2.1. If not, I will have to get up with jimp to see about a fix.
Bill
-
Thumbs up mate!!
-
Thanks for the fix!
Edit:
For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
~~Second, something is causing the firewall rules to reload fairly frequently as nothing stays in the Snort blocklist for more than 30 seconds (which results in issue #1 basically killing off my connection every minute or two) even though the setting is set to 1 hour.
Third, I just tried to disable the "Kill States" option and restart Snort and now it won't come back up. The start button in the UI never turns green and each time I click it I get a new 'snort' process which burns an entire CPU core. Turning Kill States back on doesn't remedy the issue. The system logs show:
Jan 2 12:26:03 php: /snort/snort_interfaces.php: [Snort] Snort START for Verizon FIOS(igb3)… Jan 2 12:26:01 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN… Jan 2 12:26:00 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN… Jan 2 12:25:47 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN … Jan 2 12:25:47 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Verizon FIOS)... ```~~ EDIT: Rebooted and the 2nd & 3rd issues went away. Still have the first problems though.
-
Thanks for the fix!
Edit:
For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.
Yeah, I will take a look at Barnyard2. I hate the log spamming as well. I've been waiting for the latest beta version to make it to production and get updated in Fresh Ports. Supposedly the new beta can do a soft restart and re-read the configuration file similar to the way Snort does it. That would mean you could update Barnyard2 settings without actually stopping and restarting the daemon.
Bill
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
-
And if it is possible to make add a selection for the date format then that would make me very happy.
For me the MM/DD/YY format is very illogical. I prefer DD/MM/YY (or YY/MM/DD). Then I don't think it's 2 Feb. today ;)
I know this may be confusing with the other logs, so maybe I should put in a request for a common pfSense selection for the date format.Dick
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
No, I'm not sure about that. I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
No, I'm not sure about that. I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.
I will look through that Spoink plugin code again to see if anything jumps out. I think Ermal made the last major updates to that quite some time back (maybe like two years or so, if I remember correctly).
Bill
-
I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?
A suggestion for the new snort Update.
In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.
Would be nice to add the "!" Internal DNS button in snort also.
-
@BBcan17:
I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?
This was an old bug that I slayed (or thought I did). Might have "regressed some code by accident". Let me see if I can reproduce. If the bug is back, I will fix it in the next update that is in the works.
@BBcan17:
A suggestion for the new snort Update.
In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.
Would be nice to add the "!" Internal DNS button in snort also.
I will look into doing this. I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
Bill
-
Thanks Bill.
I agree having a smaller popup window for dnsstuff would be great.
Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?
Keep up the great work.
-
I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?
-
@BBcan17:
I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?
Not sure. I have not looked at the firewall log code where the window comes from, but it looks like a pretty simple JavaScript pop-up.
Bill
-
@BBcan17:
Thanks Bill.
Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?
Keep up the great work.
I like this idea. Currently, the way disable sid works in the package, this can only work for non-preprocessor rules, though. Still it would be a neat option.
UPDATE – see my post further down below. I decided to go ahead and implement this in the upcoming 2.9.5.6 v3.0.3 package so that it works for all rules: both regular and the decoder and preprocessor ones.
Bill -
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;D -
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;DGreat news indeed (on the blocks staying in place)! I have a Snort update pretty much ready to go. It will bump the binary to 2.9.5.6. I am also adding two new GUI features and enhancing another one a bit. The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs. One of the two new features is complete management of all the rules now, including decoder and preprocessor rules. You can selectively enable/disable these just like the other text rules. The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.
Bill
-
That's Great news. Can't wait to test it out.
-
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;DGreat news indeed (on the blocks staying in place)! I have a Snort update pretty much ready to go. It will bump the binary to 2.9.5.6. I am also adding two new GUI features and enhancing another one a bit. The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs. One of the two new features is complete management of all the rules now, including decoder and preprocessor rules. You can selectively enable/disable these just like the other text rules. The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.
Bill
Great will test it as soon as possible.
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place. -
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
-
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.
That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.
-
@BBcan17:
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
The bumped version contains fix:
https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087
That fixes a security flaw:
http://seclists.org/fulldisclosure/2014/Jan/187
-
@BBcan17:
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
The bumped version contains fix:
https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087
That fixes a security flaw:
http://seclists.org/fulldisclosure/2014/Jan/187
Yep, I will just bump the 2.9.5.6 package to 3.0.4 when it is published.
Bill
-
I have looked at the following: http://seclists.org/fulldisclosure/2014/Jan/187
Are there any issues to skip this update and wait for the 3.0.3 release?
-
@BBcan17:
I have looked at the following: http://seclists.org/fulldisclosure/2014/Jan/187
Are there any issues to skip this update and wait for the 3.0.3 release?
No, the 3.0.3 just pushed is exactly the same as the current 3.0.2 except for one changed file. I did find one other similar vulnerability in a different file that I will fix in 3.0.4.
Bill
-
Quick note on 3.0.3:
In the Snort services page it still displays 3.0.2 in the header