Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
~~Second, something is causing the firewall rules to reload fairly frequently as nothing stays in the Snort blocklist for more than 30 seconds (which results in issue #1 basically killing off my connection every minute or two) even though the setting is set to 1 hour.
Third, I just tried to disable the "Kill States" option and restart Snort and now it won't come back up. The start button in the UI never turns green and each time I click it I get a new 'snort' process which burns an entire CPU core. Turning Kill States back on doesn't remedy the issue. The system logs show:
Jan 2 12:26:03 php: /snort/snort_interfaces.php: [Snort] Snort START for Verizon FIOS(igb3)… Jan 2 12:26:01 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN… Jan 2 12:26:00 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN… Jan 2 12:25:47 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN … Jan 2 12:25:47 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Verizon FIOS)... ```~~ EDIT: Rebooted and the 2nd & 3rd issues went away. Still have the first problems though. -
Thanks for the fix!
Edit:
For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.
Yeah, I will take a look at Barnyard2. I hate the log spamming as well. I've been waiting for the latest beta version to make it to production and get updated in Fresh Ports. Supposedly the new beta can do a soft restart and re-read the configuration file similar to the way Snort does it. That would mean you could update Barnyard2 settings without actually stopping and restarting the daemon.
Bill
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
-
And if it is possible to make add a selection for the date format then that would make me very happy.
For me the MM/DD/YY format is very illogical. I prefer DD/MM/YY (or YY/MM/DD). Then I don't think it's 2 Feb. today ;)
I know this may be confusing with the other logs, so maybe I should put in a request for a common pfSense selection for the date format.Dick
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
No, I'm not sure about that. I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.
-
I'm having a few issues with the 2.9.5.5 builds.
First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.
Are you sure this is isolated to just the 2.9.5.5 binary build? I'm asking because nothing was changed in the blocking part of Snort with the new binary version. That code has been static since at least 2.9.4.1 of the Snort binary. I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.
Bill
No, I'm not sure about that. I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.
I will look through that Spoink plugin code again to see if anything jumps out. I think Ermal made the last major updates to that quite some time back (maybe like two years or so, if I remember correctly).
Bill
-
I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?
A suggestion for the new snort Update.
In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.
Would be nice to add the "!" Internal DNS button in snort also.
-
@BBcan17:
I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?
This was an old bug that I slayed (or thought I did). Might have "regressed some code by accident". Let me see if I can reproduce. If the bug is back, I will fix it in the next update that is in the works.
@BBcan17:
A suggestion for the new snort Update.
In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.
Would be nice to add the "!" Internal DNS button in snort also.
I will look into doing this. I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
Bill
-
Thanks Bill.
I agree having a smaller popup window for dnsstuff would be great.
Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?
Keep up the great work.
-
I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?
-
@BBcan17:
I sort of didn't really like the way the current code takes you away from the window anyway. Having a smaller pop-up window would be handier, and then the other link for more details.
I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?
Not sure. I have not looked at the firewall log code where the window comes from, but it looks like a pretty simple JavaScript pop-up.
Bill
-
@BBcan17:
Thanks Bill.
Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?
Keep up the great work.
I like this idea. Currently, the way disable sid works in the package, this can only work for non-preprocessor rules, though. Still it would be a neat option.
UPDATE – see my post further down below. I decided to go ahead and implement this in the upcoming 2.9.5.6 v3.0.3 package so that it works for all rules: both regular and the decoder and preprocessor ones.
Bill -
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;D -
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;DGreat news indeed (on the blocks staying in place)! I have a Snort update pretty much ready to go. It will bump the binary to 2.9.5.6. I am also adding two new GUI features and enhancing another one a bit. The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs. One of the two new features is complete management of all the rules now, including decoder and preprocessor rules. You can selectively enable/disable these just like the other text rules. The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.
Bill
-
That's Great news. Can't wait to test it out.
-
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;DGreat news indeed (on the blocks staying in place)! I have a Snort update pretty much ready to go. It will bump the binary to 2.9.5.6. I am also adding two new GUI features and enhancing another one a bit. The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs. One of the two new features is complete management of all the rules now, including decoder and preprocessor rules. You can selectively enable/disable these just like the other text rules. The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.
Bill
Great will test it as soon as possible.
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place. -
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
-
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.
That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.
-
@BBcan17:
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
The bumped version contains fix:
https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087
That fixes a security flaw:
http://seclists.org/fulldisclosure/2014/Jan/187
-
@BBcan17:
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
The bumped version contains fix:
https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087
That fixes a security flaw:
http://seclists.org/fulldisclosure/2014/Jan/187
Yep, I will just bump the 2.9.5.6 package to 3.0.4 when it is published.
Bill
