Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes
-
Snort Alerts list doesn't show entries from 1.1.2014 at the top. When clicking on the Date column to sort by date, the alerts from today show up at the top again. Bug or by design?
This should be fixed in an update posted today (January 2, 2014). The update was very minor and so I did not bump the package version number. Hence no update will show in the Installed Packages tab. Nonetheless, if you click the XML icon there to reinstall the package GUI components, you will get the updated PHP code for the Alerts tab.
Bill
-
It doesnt update automagically every 22 seconds Bill on 2.0.3.
I havent got a 2.1 box yet hence all the issues :D
-
It doesnt update automagically every 22 seconds Bill on 2.0.3.
I havent got a 2.1 box yet hence all the issues :D
I will test this out in my VMware environment to see if it works properly on 2.1. If not, I will have to get up with jimp to see about a fix.
Bill
-
Thumbs up mate!!
-
Thanks for the fix!
Edit:
For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
~~Second, something is causing the firewall rules to reload fairly frequently as nothing stays in the Snort blocklist for more than 30 seconds (which results in issue #1 basically killing off my connection every minute or two) even though the setting is set to 1 hour.
Third, I just tried to disable the "Kill States" option and restart Snort and now it won't come back up. The start button in the UI never turns green and each time I click it I get a new 'snort' process which burns an entire CPU core. Turning Kill States back on doesn't remedy the issue. The system logs show:
Jan 2 12:26:03 php: /snort/snort_interfaces.php: [Snort] Snort START for Verizon FIOS(igb3)… Jan 2 12:26:01 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN… Jan 2 12:26:00 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN… Jan 2 12:25:47 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN … Jan 2 12:25:47 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Verizon FIOS)... ```~~ EDIT: Rebooted and the 2nd & 3rd issues went away. Still have the first problems though. -
Thanks for the fix!
Edit:
For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.
Yeah, I will take a look at Barnyard2. I hate the log spamming as well. I've been waiting for the latest beta version to make it to production and get updated in Fresh Ports. Supposedly the new beta can do a soft restart and re-read the configuration file similar to the way Snort does it. That would mean you could update Barnyard2 settings without actually stopping and restarting the daemon.
Bill
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
-
And if it is possible to make add a selection for the date format then that would make me very happy.
For me the MM/DD/YY format is very illogical. I prefer DD/MM/YY (or YY/MM/DD). Then I don't think it's 2 Feb. today ;)
I know this may be confusing with the other logs, so maybe I should put in a request for a common pfSense selection for the date format.Dick
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
No, I'm not sure about that. I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
No, I'm not sure about that. I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.
I will look through that Spoink plugin code again to see if anything jumps out. I think Ermal made the last major updates to that quite some time back (maybe like two years or so, if I remember correctly).
Bill
-
I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?
A suggestion for the new snort Update.
In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.
Would be nice to add the "!" Internal DNS button in snort also.
-
@BBcan17:
I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?
This was an old bug that I slayed (or thought I did). Might have "regressed some code by accident". Let me see if I can reproduce. If the bug is back, I will fix it in the next update that is in the works.
@BBcan17:
A suggestion for the new snort Update.
In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.
Would be nice to add the "!" Internal DNS button in snort also.
I will look into doing this. I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
Bill
-
Thanks Bill.
I agree having a smaller popup window for dnsstuff would be great.
Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?
Keep up the great work.
-
I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?
-
@BBcan17:
I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?
Not sure. I have not looked at the firewall log code where the window comes from, but it looks like a pretty simple JavaScript pop-up.
Bill
-
@BBcan17:
Thanks Bill.
Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?
Keep up the great work.
I like this idea. Currently, the way disable sid works in the package, this can only work for non-preprocessor rules, though. Still it would be a neat option.
UPDATE – see my post further down below. I decided to go ahead and implement this in the upcoming 2.9.5.6 v3.0.3 package so that it works for all rules: both regular and the decoder and preprocessor ones.
Bill -
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;D -
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;DGreat news indeed (on the blocks staying in place)! I have a Snort update pretty much ready to go. It will bump the binary to 2.9.5.6. I am also adding two new GUI features and enhancing another one a bit. The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs. One of the two new features is complete management of all the rules now, including decoder and preprocessor rules. You can selectively enable/disable these just like the other text rules. The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.
Bill
-
That's Great news. Can't wait to test it out.
