Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes

bmeeks

@BBcan17:

I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?

This was an old bug that I slayed (or thought I did).  Might have "regressed some code by accident".  Let me see if I can reproduce.  If the bug is back, I will fix it in the next update that is in the works.

@BBcan17:

A suggestion for the new snort Update.

In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.

Would be nice to add the "!" Internal DNS button in snort also.

I will look into doing this.  I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

Bill

BBcan177

Thanks Bill.

I agree having a smaller popup window for dnsstuff would be great.

Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?

Keep up the great work.

BBcan177

@bmeeks:

I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?

bmeeks

@BBcan17:

@bmeeks:

I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?

Not sure.  I have not looked at the firewall log code where the window comes from, but it looks like a pretty simple JavaScript pop-up.

Bill

bmeeks

@BBcan17:

Thanks Bill.

Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?

Keep up the great work.

I like this idea.  Currently, the way disable sid works in the package, this can only work for non-preprocessor rules, though.  Still it would be a neat option.

UPDATE – see my post further down below.  I decided to go ahead and implement this in the upcoming 2.9.5.6 v3.0.3 package so that it works for all rules: both regular and the decoder and preprocessor ones.
Bill

digdug3

I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;D

bmeeks

@digdug3:

I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;D

Great news indeed (on the blocks staying in place)!  I have a Snort update pretty much ready to go.  It will bump the binary to 2.9.5.6.  I am also adding two new GUI features and enhancing another one a bit.  The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs.  One of the two new features is complete management of all the rules now, including decoder and preprocessor rules.  You can selectively enable/disable these just like the other text rules.  The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.

Bill

BBcan177

That's Great news. Can't wait to test it out.

digdug3

@bmeeks:

@digdug3:

I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;D

Great news indeed (on the blocks staying in place)!  I have a Snort update pretty much ready to go.  It will bump the binary to 2.9.5.6.  I am also adding two new GUI features and enhancing another one a bit.  The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs.  One of the two new features is complete management of all the rules now, including decoder and preprocessor rules.  You can selectively enable/disable these just like the other text rules.  The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.

Bill

Great will test it as soon as possible.
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.

BBcan177

I see a new snort package in the repo but its listed as

Snort 2.9.5.5 pkg v3.0.3

I thought it was suppose to be 2.9.5.6?

fragged

@digdug3:

Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.

That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.

fragged

@BBcan17:

I see a new snort package in the repo but its listed as

Snort 2.9.5.5 pkg v3.0.3

I thought it was suppose to be 2.9.5.6?

The bumped version contains fix:

https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087

That fixes a security flaw:

http://seclists.org/fulldisclosure/2014/Jan/187

bmeeks

@fragged:

@BBcan17:

I see a new snort package in the repo but its listed as

Snort 2.9.5.5 pkg v3.0.3

I thought it was suppose to be 2.9.5.6?

The bumped version contains fix:

https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087

That fixes a security flaw:

http://seclists.org/fulldisclosure/2014/Jan/187

Yep, I will just bump the 2.9.5.6 package to 3.0.4 when it is published.

Bill

BBcan177

I have looked at the following:  http://seclists.org/fulldisclosure/2014/Jan/187

Are there any issues to skip this update and wait for the 3.0.3 release?

bmeeks

@BBcan17:

I have looked at the following:  http://seclists.org/fulldisclosure/2014/Jan/187

Are there any issues to skip this update and wait for the 3.0.3 release?

No, the 3.0.3 just pushed is exactly the same as the current 3.0.2 except for one changed file.  I did find one other similar vulnerability in a different file that I will fix in 3.0.4.

Bill

ccb056

Quick note on 3.0.3:

In the Snort services page it still displays 3.0.2 in the header

digdug3

@fragged:

@digdug3:

Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.

That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.

Ok, thats why pfBlocker widget still is there. The widget is combined with the package.
Shouldn't the Snort Dashboard widget also be merged with the Snort Package. I think most of us use both of them.

bmeeks

@ccb056:

Quick note on 3.0.3:

In the Snort services page it still displays 3.0.2 in the header

The Core Team member that posted the security hotfix update did not change a location in the snort.inc file where the package version variable is set for display.  This will all get cleared up in the v3.0.4 package currently under review.  If you want to fix it now, just manually edit the file**/usr/local/pkg/snort/snort.inc**.  Near the top of the file you will see the version being set into a variable.  Just change that value to 3.0.3 and you're set.

Bill

BBcan177

Thanks Bill, I noticed that issue with the version number also.

Did you get a chance to see this link

https://forum.pfsense.org/index.php/topic,63418.0.html

I think that would be a fantastic addition to Snort? But I wouldnt want to see email alerts for certain sids.

bmeeks

@digdug3:

@fragged:

@digdug3:

Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.

That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.

Ok, thats why pfBlocker widget still is there. The widget is combined with the package.
Shouldn't the Snort Dashboard widget also be merged with the Snort Package. I think most of us use both of them.

Probably not a bad idea to merge them.  I will investigate that for a future release of Snort.  The Snort Dashboard widget hides itself now because back some time ago it was crashing the GUI when the package was removed, because it did not clean up behind itself in the dashboard widget configuration.  I think I am remembering that correctly.  The quick fix was to "hide" the widget any time it was un-installed or re-installed.  I will look and see if there is a better way to persist the widget's state (visible or hidden) across uninstall/reinstall cycles without breaking the Dashboard GUI.

Bill