Netgate Discussion Forum

    Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes

    pfSense Packages
    65 Posts 11 Posters 18.4k Views
    bmeeks

      @fragged:

      Snort Alerts list doesn't show entries from 1.1.2014 at the top. When clicking on the Date column to sort by date, the alerts from today show up at the top again. Bug or by design?

      This should be fixed in an update posted today (January 2, 2014).  The update was very minor and so I did not bump the package version number.  Hence no update will show in the Installed Packages tab.  Nonetheless, if you click the XML icon there to reinstall the package GUI components, you will get the updated PHP code for the Alerts tab.

      Bill

      Supermule

        It doesn't update automagically every 22 seconds, Bill, on 2.0.3.

        I haven't got a 2.1 box yet, hence all the issues :D

        bmeeks

          @Supermule:

          It doesn't update automagically every 22 seconds, Bill, on 2.0.3.

          I haven't got a 2.1 box yet, hence all the issues :D

          I will test this out in my VMware environment to see if it works properly on 2.1.  If not, I will have to get up with jimp to see about a fix.

          Bill

          Supermule

            Thumbs up mate!!

            fragged

              Thanks for the fix!

              Edit:

              For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.

              jasonlitka

                I'm having a few issues with the 2.9.5.5 builds.

                First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.

                ~~Second, something is causing the firewall rules to reload fairly frequently as nothing stays in the Snort blocklist for more than 30 seconds (which results in issue #1 basically killing off my connection every minute or two) even though the setting is set to 1 hour.~~

                ~~Third, I just tried to disable the "Kill States" option and restart Snort and now it won't come back up.  The start button in the UI never turns green and each time I click it I get a new 'snort' process which burns an entire CPU core.  Turning Kill States back on doesn't remedy the issue.  The system logs show:~~

                ```
                Jan 2 12:26:03	php: /snort/snort_interfaces.php: [Snort] Snort START for Verizon FIOS(igb3)...
                Jan 2 12:26:01	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
                Jan 2 12:26:00	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
                Jan 2 12:25:47	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
                Jan 2 12:25:47	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Verizon FIOS)...
                ```
                
                EDIT: Rebooted and the 2nd & 3rd issues went away.  Still have the first problems though.

                I can break anything.
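As an added example, not code from this thread or from the pfSense Snort package, the script below parses system-log lines in the format Jason pasted above, pairs each "Toggle (snort starting)" entry with the following "Snort START" for the same interface to give the startup time, and flags interfaces that came up again within a short window, which is the repeated-reload symptom his second point describes. The log sample is constructed (the original five lines plus a second start cycle two minutes later), the year is an assumption because syslog timestamps omit it, and the 300-second window is an arbitrary threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the pfSense system-log excerpt in the
# post (newest line first, as the log viewer shows it); a second start cycle
# two minutes later is added to exercise the repeat detection.
SAMPLE_LOG = """\
Jan 2 12:28:10\tphp: /snort/snort_interfaces.php: [Snort] Snort START for Verizon FIOS(igb3)...
Jan 2 12:28:05\tphp: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Verizon FIOS)...
Jan 2 12:26:03\tphp: /snort/snort_interfaces.php: [Snort] Snort START for Verizon FIOS(igb3)...
Jan 2 12:26:01\tphp: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
Jan 2 12:26:00\tphp: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Jan 2 12:25:47\tphp: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Jan 2 12:25:47\tphp: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Verizon FIOS)...
"""

# syslog prefix "Mon D HH:MM:SS<TAB>process: message" (no year in the stamp)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\t(?P<proc>[^:]+): (?P<msg>.*)$"
)
TOGGLE_RE = re.compile(r"Toggle \(snort starting\) for (?P<iface>\w+)\((?P<descr>[^)]*)\)")
START_RE = re.compile(r"\[Snort\] Snort START for (?P<descr>.+?)\((?P<dev>[^)]+)\)")


def parse_line(line, year=2014):
    """Split one log line into (timestamp, process, message); None if no match.
    The year is an assumption supplied by the caller because syslog omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the "Jan  2" day padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["proc"], m["msg"]


def snort_start_events(log_text, year=2014):
    """Extract 'toggle' and 'start' events keyed by interface description,
    returned in chronological order regardless of the viewer's ordering."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _proc, msg = parsed
        t = TOGGLE_RE.search(msg)
        if t:
            events.append((ts, t["descr"].strip(), "toggle"))
            continue
        s = START_RE.search(msg)
        if s:
            events.append((ts, s["descr"].strip(), "start"))
    events.sort()
    return events


def startup_durations(log_text, year=2014):
    """Pair each toggle with the next START on the same interface and return
    (descr, toggle_time, seconds_until_running) tuples in order."""
    pending = {}
    durations = []
    for ts, descr, phase in snort_start_events(log_text, year):
        if phase == "toggle":
            pending[descr] = ts
        elif phase == "start" and descr in pending:
            toggled = pending.pop(descr)
            durations.append((descr, toggled, (ts - toggled).total_seconds()))
    return durations


def flag_restart_storms(log_text, window_seconds=300, year=2014):
    """Return {descr: [gap_seconds, ...]} for interfaces where two successful
    starts happened within window_seconds of each other; an empty dict means
    no interface restarted that quickly."""
    starts = defaultdict(list)
    for ts, descr, phase in snort_start_events(log_text, year):
        if phase == "start":
            starts[descr].append(ts)
    flagged = {}
    for descr, times in starts.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        short = [g for g in gaps if g < window_seconds]
        if short:
            flagged[descr] = short
    return flagged


if __name__ == "__main__":
    for descr, at, secs in startup_durations(SAMPLE_LOG):
        print(f"{descr}: toggled {at:%b %d %H:%M:%S}, running after {secs:.0f}s")
    print("restarted within 5 min:", flag_restart_storms(SAMPLE_LOG))
```

Run against a real export of the system log (newest-first order is handled by the sort), and lower the window to match the blocklist-expiry interval you expect; a non-empty result from flag_restart_storms() is the signal that something other than a manual toggle is cycling Snort and, with it, the pf table holding the blocks.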

                bmeeks

                  @fragged:

                  Thanks for the fix!

                  Edit:

                  For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.

                  Yeah, I will take a look at Barnyard2.  I hate the log spamming as well.  I've been waiting for the latest beta version to make it to production and get updated in Fresh Ports.  Supposedly the new beta can do a soft restart and re-read the configuration file similar to the way Snort does it.  That would mean you could update Barnyard2 settings without actually stopping and restarting the daemon.

                  Bill

                  bmeeks

                    @Jason:

                    I'm having a few issues with the 2.9.5.5 builds.

                    First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.

                    Are you sure this is isolated to just the 2.9.5.5 binary build?  I'm asking because nothing was changed in the blocking part of Snort with the new binary version.  That code has been static since at least 2.9.4.1 of the Snort binary.  I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.

                    Bill

                    DickB

                      And if it is possible to add a selection for the date format, that would make me very happy.
                      For me the MM/DD/YY format is very illogical. I prefer DD/MM/YY (or YY/MM/DD). Then I don't think it's 2 Feb. today  ;)
                      I know this may be confusing with the other logs, so maybe I should put in a request for a common pfSense selection for the date format.

                      Dick

                      jasonlitka

                        @bmeeks:

                        @Jason:

                        I'm having a few issues with the 2.9.5.5 builds.

                        First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.

                        Are you sure this is isolated to just the 2.9.5.5 binary build?  I'm asking because nothing was changed in the blocking part of Snort with the new binary version.  That code has been static since at least 2.9.4.1 of the Snort binary.  I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.

                        Bill

                        No, I'm not sure about that.  I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.

                        bmeeks

                          @Jason:

                          @bmeeks:

                          @Jason:

                          I'm having a few issues with the 2.9.5.5 builds.

                          First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.

                          Are you sure this is isolated to just the 2.9.5.5 binary build?  I'm asking because nothing was changed in the blocking part of Snort with the new binary version.  That code has been static since at least 2.9.4.1 of the Snort binary.  I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.

                          Bill

                          No, I'm not sure about that.  I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.

                          I will look through that Spoink plugin code again to see if anything jumps out.  I think Ermal made the last major updates to that quite some time back (maybe like two years or so, if I remember correctly).

                          Bill

                          BBcan177

                            I have an issue with Snort: when I click on the "x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?

                            A suggestion for the new snort Update.

                            In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.

                            Would be nice to add the "!" Internal DNS button in snort also.

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            bmeeks

                              @BBcan17:

                              I have an issue with Snort: when I click on the "x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?

                              This was an old bug that I slayed (or thought I did).  Might have "regressed some code by accident".  Let me see if I can reproduce.  If the bug is back, I will fix it in the next update that is in the works.

                              @BBcan17:

                              A suggestion for the new snort Update.

                              In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.

                              Would be nice to add the "!" Internal DNS button in snort also.

                              I will look into doing this.  I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

                              Bill

                              BBcan177

                                Thanks Bill.

                                I agree having a smaller popup window for dnsstuff would be great.

                                Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?

                                Keep up the great work.

                                BBcan177

                                  @bmeeks:

                                  I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

                                  I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?

                                  bmeeks

                                    @BBcan17:

                                    @bmeeks:

                                    I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

                                    I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?

                                    Not sure.  I have not looked at the firewall log code where the window comes from, but it looks like a pretty simple JavaScript pop-up.

                                    Bill

                                    bmeeks

                                      @BBcan17:

                                      Thanks Bill.

                                      Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?

                                      Keep up the great work.

                                      I like this idea.  Currently, the way disable sid works in the package, this can only work for non-preprocessor rules, though.  Still it would be a neat option.

                                      UPDATE – see my post further down below.  I decided to go ahead and implement this in the upcoming 2.9.5.6 v3.0.3 package so that it works for all rules: both regular and the decoder and preprocessor ones.

                                      Bill

                                      digdug3

                                        I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
                                        Snort works/installs perfectly and the blocks are back.
                                        ;D

                                        bmeeks

                                          @digdug3:

                                          I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
                                          Snort works/installs perfectly and the blocks are back.
                                          ;D

                                          Great news indeed (on the blocks staying in place)!  I have a Snort update pretty much ready to go.  It will bump the binary to 2.9.5.6.  I am also adding two new GUI features and enhancing another one a bit.  The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs.  One of the two new features is complete management of all the rules now, including decoder and preprocessor rules.  You can selectively enable/disable these just like the other text rules.  The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.

                                          Bill

                                          BBcan177

                                            That's Great news. Can't wait to test it out.
