    Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes

      bmeeks

      @BBcan17:

      I have looked at the following:  http://seclists.org/fulldisclosure/2014/Jan/187

      Are there any issues to skip this update and wait for the 3.0.3 release?

      No, the 3.0.3 just pushed is exactly the same as the current 3.0.2 except for one changed file.  I did find one other similar vulnerability in a different file that I will fix in 3.0.4.

      Bill

        ccb056

        Quick note on 3.0.3:

        In the Snort services page it still displays 3.0.2 in the header

          digdug3

          @fragged:

          @digdug3:

          Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3rd party") widget and others (OpenVPN/Captive Portal/Firewall) are still in their old place.

          That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.

          Ok, that's why pfBlocker widget still is there. The widget is combined with the package.
          Shouldn't the Snort Dashboard widget also be merged with the Snort Package? I think most of us use both of them.

            bmeeks

            @ccb056:

            Quick note on 3.0.3:

            In the Snort services page it still displays 3.0.2 in the header

            The Core Team member that posted the security hotfix update did not change a location in the snort.inc file where the package version variable is set for display.  This will all get cleared up in the v3.0.4 package currently under review.  If you want to fix it now, just manually edit the file **/usr/local/pkg/snort/snort.inc**.  Near the top of the file you will see the version being set into a variable.  Just change that value to 3.0.3 and you're set.

            Bill

              BBcan177 Moderator

              Thanks Bill, I noticed that issue with the version number also.

              Did you get a chance to see this link

              https://forum.pfsense.org/index.php/topic,63418.0.html

              I think that would be a fantastic addition to Snort? But I wouldn't want to see email alerts for certain sids.

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                bmeeks

                @digdug3:

                @fragged:

                @digdug3:

                Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3rd party") widget and others (OpenVPN/Captive Portal/Firewall) are still in their old place.

                That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.

                Ok, that's why pfBlocker widget still is there. The widget is combined with the package.
                Shouldn't the Snort Dashboard widget also be merged with the Snort Package? I think most of us use both of them.

                Probably not a bad idea to merge them.  I will investigate that for a future release of Snort.  The Snort Dashboard widget hides itself now because back some time ago it was crashing the GUI when the package was removed, because it did not clean up behind itself in the dashboard widget configuration.  I think I am remembering that correctly.  The quick fix was to "hide" the widget any time it was un-installed or re-installed.  I will look and see if there is a better way to persist the widget's state (visible or hidden) across uninstall/reinstall cycles without breaking the Dashboard GUI.

                Bill

                  bmeeks

                  @BBcan17:

                  Thanks Bill, I noticed that issue with the version number also.

                  Did you get a chance to see this link

                  https://forum.pfsense.org/index.php/topic,63418.0.html

                  I think that would be a fantastic addition to Snort? But I wouldn't want to see email alerts for certain sids.

                  Yeah, I read through that.  This is something that really can only be done by a cron job of some sort that periodically scans the alert log.  See, all the Snort GUI code stuff dies and is not running the instant you leave the web page and go to a non-Snort page.  All of the inspection and blocking is performed by the same old Snort binary daemon that folks install on any non-pfSense machine.  So what I mean here is the GUI code that folks think of as "Snort" is nothing but a configuration front-end.  To have Snort automatically send e-mail alerts in near real-time would require modifying the source code of the binary daemon itself.  That would add overhead and steal CPU cycles that would probably be better served analyzing traffic.

                  It's better in my view to have a third-party tool called by a cron job (similar to the one in the linked thread) that does the log scanning and e-mailing.  That way the Snort daemon can stay busy doing what it is designed to do: scan incoming and outgoing traffic.  I would suggest someone modifying the code mentioned in the linked thread so that it can scan a number of different logs and send notifications as appropriate.  It could scan Snort logs, system logs, squid logs, etc., and filter them for severities and make notifications.

                  I have my hands full at the moment with Snort updates and trying to get a working Suricata inline IPS package for pfSense.  Perhaps another user would like to take up the challenge?  :)

                  Bill
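
The cron-driven alert-log scanner described in the post above, sketched as an added example; it is not part of the original post and is not the script from the linked thread. It assumes Snort's `alert_fast` log layout, and the sample lines, SIDs, addresses and function names are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Constructed sample in Snort's alert_fast layout (assumed format; SIDs are made up).
SAMPLE_LOG = (
    "01/21-10:15:32.123456  [**] [1:1000001:1] Constructed high-priority alert [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.5:44321 -> 192.0.2.10:80\n"
    "01/21-10:15:40.000001  [**] [1:1000002:3] Constructed noisy alert [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{UDP} 203.0.113.9:5060 -> 192.0.2.10:5060\n"
    "01/21-10:16:02.500000  [**] [1:1000003:2] Constructed low-priority alert [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10\n"
)
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{[^}]+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

def scan_new_alerts(path, offset, max_priority=2, muted=frozenset()):
    """Return (alerts, new_offset) for lines appended since the previous cron run."""
    with open(path, "rb") as fh:
        size = fh.seek(0, 2)
        if offset > size:          # log rotated or truncated: start from the top
            offset = 0
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1    # leave a half-written last line for the next run
    alerts = []
    for line in data[:end].decode("utf-8", "replace").splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["prio"], key = int(a["prio"]), (int(a["gid"]), int(a["sid"]))
        # Snort priority 1 is the most severe; muted holds (gid, sid) pairs to skip.
        if a["prio"] <= max_priority and key not in muted:
            alerts.append(a)
    return alerts, offset + end

def build_digest(alerts, sender, recipient):
    """One message per run; handing it to smtplib or sendmail is left to the caller."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    # Only a count goes in the header; rule text stays in the plain-text body.
    msg["Subject"] = f"Snort: {len(alerts)} new alert(s)"
    msg.set_content("\n".join(
        f"{a['ts']} P{a['prio']} [{a['gid']}:{a['sid']}] {a['msg']} {a['src']} -> {a['dst']}"
        for a in alerts))
    return msg
```

Persist the returned offset between cron runs (for example in a small state file) so each alert is mailed only once.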

                    fragged

                    Any news on the next package version? The pull request is already 20 days old? Are there still some issues with getting the binaries to build for all pfSense versions?

                      bmeeks

                      @fragged:

                      Any news on the next package version? The pull request is already 20 days old? Are there still some issues with getting the binaries to build for all pfSense versions?

                      The old 2.0.x binary packages are now building fine.  I sent an e-mail yesterday to the Core Team asking for a status on the Pull Request review.  I have not heard anything back yet.  I need to get that current open pull request merged so I can submit the Suricata Beta package pull request.  Unfortunately you can only have one outstanding pull request at a time on GitHub from a forked repository.  So until the Snort request is closed or merged, I can't submit the Suricata one.

                      Bill

                        BBcan177 Moderator

                        @bmeeks:

                        I sent an e-mail yesterday to the Core Team asking for a status on the Pull Request review.  I have not heard anything back yet.  I need to get that current open pull request merged so I can submit the Suricata Beta package pull request.  Unfortunately you can only have one outstanding pull request at a time on GitHub from a forked repository.

                        Bill

                        Hi Bill, The new snort package is in the Repo now.  Available: 2.9.5.5 pkg v3.0.4

                        After this installation the Snort Version still shows up as v3.0.2 (Similar issue as before as per one of your previous posts.)

                        I have installed the new package on one of my routers without any issues so far.

                        Is there a changelog?

                        Thanks for all your efforts in keeping this package working so well..  :) :) :)

                          fragged

                          Bill's pull request has still not been accepted. The change you saw was this: https://github.com/pfsense/pfsense-packages/commit/048bb82a0e2c814da90816657ecedf59fedf8dbd

                            BBcan177 Moderator

                            @fragged:

                            Bill's pull request has still not been accepted. The change you saw was this: https://github.com/pfsense/pfsense-packages/commit/048bb82a0e2c814da90816657ecedf59fedf8dbd

                            Thanks for the update fragged. I thought that security issue on the Web GUI was fixed in the previous release?

                            It still shows as 3.0.2 after this update.

                              fragged

                              @BBcan17:

                              @fragged:

                              Bill's pull request has still not been accepted. The change you saw was this: https://github.com/pfsense/pfsense-packages/commit/048bb82a0e2c814da90816657ecedf59fedf8dbd

                              Thanks for the update fragged. I thought that security issue on the Web GUI was fixed in the previous release?

                              It still shows as 3.0.2 after this update.

                              I'm not an expert with html/php, but it seems like this is a better fix for the same issue that was already fixed by Ermal before.

                                fragged

                                ermal merged 21 commits into pfsense:master from bmeeks8:master about 4 hours ago

                                Looks like the new changes have been merged, but due to the changes done by Ermal and rbgarga (?) it looks like the package binary version is now incorrect on the System - Packages page. It's something that Bill can easily fix though. I'm sure he will post a new thread with the changes and info about the new package version.

                                  bmeeks

                                  @fragged:

                                  @BBcan17:

                                  @fragged:

                                  Bill's pull request has still not been accepted. The change you saw was this: https://github.com/pfsense/pfsense-packages/commit/048bb82a0e2c814da90816657ecedf59fedf8dbd

                                  Thanks for the update fragged. I thought that security issue on the Web GUI was fixed in the previous release?

                                  It still shows as 3.0.2 after this update.

                                  I'm not an expert with html/php, but it seems like this is a better fix for the same issue that was already fixed by Ermal before.

                                  Yes, this latest fix is an improvement over the first one.  Some more changes similar to this will be coming in the next Snort update to further harden the GUI code a bit.  It contains a lot of quite old HTML/PHP stuff that I had just left alone since it worked.  However, in today's more security-conscious environment, some hardening is needed.

                                  Bill
