Snort update coming soon – please read about an important change!
-
An update for Snort to version 2.9.6.0 of the binary and version 3.0.5 of the GUI package is currently being reviewed by the pfSense Core Team developers. It is not posted yet for download! Only after it is approved and merged will the update show under Installed Packages.
Here is a link to the Pull Request on GitHub describing the changes in the update: https://github.com/pfsense/pfsense-packages/pull/635
One important change in this upcoming version is the renaming of the WHITELISTS tab to PASS LISTS. This was done to avoid confusion with the new whitelist files used with the Snort IP Reputation preprocessor that is included in the update. The function of a PASS LIST is the same as the old WHITELIST: namely it contains a list of IP addresses that Snort will never block no matter what. It will inspect all the traffic to and from IP addresses on a PASS LIST, and if bad traffic is detected an alert will be generated, but no block will ever be inserted for IP addresses an a PASS LIST assigned to an interface. All of the old options are still there for PASS LISTS just like for the old WHITELISTS. Any existing lists you had are still there and will still work. The name of the tab is really all that is different. You create a PASS LIST on the PASS LISTS tab, and then you go to the Interface Settings tab for the interface you want to use that Pass List and assign it. This is the same way it works in the current version.
You may also want to acquaint yourself with the features and capabilities of the IP Reputation preprocessor in Snort. Here is a link to the official Snort documentation: http://manual.snort.org/node17.html#SECTION003219000000000000000
Barnyard2 output options in this new version will also match up with the options in the new Suricata package. Namely you will be able to choose syslog, Bro, and/or MySQL DB outputs. During the package installation process any existing Barnyard2 MySQL settings will be migrated to a new internal format.
Bill
-
Have you had a change to "fix" the Barnyard2 system log output? It's currently posting a lot of noise to the system log every time the service is started or stopped.
-
Have you had a change to "fix" the Barnyard2 system log output? It's currently posting a lot of noise to the system log every time the service is started or stopped.
I looked at that, but there is no way to completely shut it up without some changes to the Barnyard2 source code. The Snort package is already using the "-q" switch for "quiet".
Bill
-
With the addition of the "IP Rep Processor", the Alerts Tab is going to get a little busier. Would you consider splitting the alerts tab into two tabs to help view the alerts easier?
I had suggest in the past a tab for Scans, CINS, DROP, Compromised, separate from the other alerts.
Just a suggestion.
Also, the IP rep processor has a "Monitor" class. Will you be making use of this option also? This would allow any ip addresses in a Monitor List to be alerted when Snort detects that traffic but will just show the Alert as "Monitor" without blocking it.
-
@BBcan17:
With the addition of the "IP Rep Processor", the Alerts Tab is going to get a little busier. Would you consider splitting the alerts tab into two tabs to help view the alerts easier?
I had suggest in the past a tab for Scans, CINS, DROP, Compromised, separate from the other alerts.
Just a suggestion.
Unfortunately there is room for only so many tabs in the current pfSense interface. It would be possible to offer some filtering on the ALERTS tab maybe.
@BBcan17:
Also, the IP rep processor has a "Monitor" class. Will you be making use of this option also? This would allow any ip addresses in a Monitor List to be alerted when Snort detects that traffic but will just show the Alert as "Monitor" without blocking it.
The way the Spoink blocking plugin works for now, any "alert" results in a block (excepting of course IPs that are on a Pass List – to use the new term for the old whitelists tab). To implement a true "Monitor" mode might require a tweak to the Snort binary code (meaning the Spoink plugin). I can look at that for a future update. My focus now that the 2.9.6.0 package is out for review is working full time getting blocking mode working in the new Suricata package.
Bill
-
Thanks for the update again bmeeks!
My focus now that the 2.9.6.0 package is out for review is working full time getting blocking mode working in the new Suricata package.
This is also great news!
-
Bill
I tried the update this morning. It uninstalled, then when it goes to install it cant find the file on the pfsense servers apparently and halts the install.
Now I am running without snort atm.. Not sure if I need to give it more time to appear properly or if there was an issue with the upload. If this isnt fixed.. any way to get snort back on the box?Beginning package installation for snort .
Downloading package configuration file… done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.0-amd64.pbi ... could not download from there or http://files.pfsense.org/packages/amd64/8/All//snort-2.9.6.0-amd64.pbi.
of snort-2.9.6.0-amd64 failed!Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for snort-2.9.6.0-amd64...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... done.
Failed to install package.Installation halted.
-
Not all of the pull requests have been accepted yet if I'm looking at this correctly: https://github.com/pfsense/pfsense-packages/pulls
Anyways, you should try again in an hour or so. I'm not 100% sure, but it could be that the binaries are still being built or something. Ermal merged bmeek's pull request 30 minutes ago.
-
I figured something was up.. thats why i get for jumping on the bandwagon too quickly.. I usually wait a bit.. but seen the update on the dashboard and decided to update it.
Thanks for the reply.. will try again in a bit as its still failing atm.
-
With Snort package binary version updates I would probably wait until bmeek's has a post up for the new version on this forum section. :)
There's still a lot of room for improvement with the pfSense package system as it now just checks for the version number and there's no guarantee that all the files have been compiled and are in place in the repository.
-
Hello,
when will snort be available? I can´t find anything telling when it will be installable.
thanx
-
same issue like kilthro,installer can't find snort-2.9.6.0-amd64.pbi file on the path,files is missed
-
Hey all,
i've got the same error as kilthro
Beginning package installation for snort . Downloading package configuration file... done. Saving updated package information... done. Downloading snort and its dependencies... Checking for package installation... Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.0-amd64.pbi ... could not download from there or http://files.pfsense.org/packages/amd64/8/All//snort-2.9.6.0-amd64.pbi. of snort-2.9.6.0-amd64 failed! Installation aborted.Removing package... Starting package deletion for snort-2.9.6.0-amd64...done. Removing snort components... Menu items... done. Services... done. Loading package instructions... Include file snort.inc could not be found for inclusion. Deinstall commands... Not executing custom deinstall hook because an include is missing. Removing package instructions...done. Auxiliary files... done. Package XML... done. Configuration... done. done. Failed to install package. Installation halted.
Can u say me something about it ?
Maybe you can fix this with uploading the file(s)
-
Hi guys!
Same problem here.. take a look at line 6 a double slash in url?! …4/8/All//snort-2.9.6.0-...
Beginning package installation for snort .
Downloading package configuration file… done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.0-amd64.pbi … could not download from there or http://files.pfsense.org/packages/amd64/8/All//snort-2.9.6.0-amd64.pbi.
of snort-2.9.6.0-amd64 failed!Installation aborted.Backing up libraries…
Removing package...
Starting package deletion for snort-2.9.6.0-amd64...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... done.
Failed to install package.Installation halted.
Thanks for your help...
-
It downloads just fine here, double-slash or not.
-
It downloads just fine here, double-slash or not.
How ?
If I look in the folder "http(s)://files.pfsense.org/packages/amd64/8/All/" i cannot find any file named "snort-2.9.6.0-amd64.pbi".
So how can u download it ?
-
Is it possible to roll back the current packages list until the new package is up so that there aren't 12 dozen posts stating the download failed.
-
Hello,
sorry for disturbing, but there is no package available for download:
Look here: https://files.pfsense.org/packages/amd64/8/All/
Is there the read-acces to everyone set or not?
-
I thing the file is not uploaded yet.. i cant see it..
-
How ?
So how can u download it ?I just clicked the links in this post… It downloaded. Double-slash or not.
SHA1:
39d45298585c32b79368d3ead1188326aeb6e961 *snort-2.9.6.0-amd64.pbi
-
lol? there is something strange…
-
I thing the file is not uploaded yet.. i cant see it..
The same here. Indeed, it looks like file hasn't been uploaded yet:
-
-
The vast majority of us still cannot see the package uploaded. Maybe a read permission issue? Or a rsync hiccup?
Regards,
Luigi
-
Yeah.. I'm not seeing that file there :)
Maybe it's an issue with some of the mirrors?
-
$ host files.pfsense.org files.pfsense.org has address 208.123.73.81 files.pfsense.org has IPv6 address 2610:1c0:1:25::57
-
Still nothing here, even browsing at the I.P. address you pointed out… :(
$ host files.pfsense.org files.pfsense.org has address 208.123.73.81 files.pfsense.org has IPv6 address 2610:1c0:1:25::57
-
$ host files.pfsense.org files.pfsense.org has address 208.123.73.81 files.pfsense.org has IPv6 address 2610:1c0:1:25::57
definitly not there or we cant see it
-
I just checked for the i386 package that I need. On the IPv6 site it is available but NOT on the IPv4 site (yet I hope).
-
The strange thing is that if I click the links here at the office, the file downloads. If I access from home via my pc or pfsense it cant be found. Tested via ipad from a wifi hotspot and it failed… so not sure why the links work here at the office. If I browse the directory I can see it from here as well. Try that from home or from ipad do not see it at all..
-
The strange thing is that if I click the links here at the office, the file downloads. If I access from home via my pc or pfsense it cant be found.
As said above, it only works over IPv6.
-
The strange thing is that if I click the links here at the office, the file downloads. If I access from home via my pc or pfsense it cant be found.
As said above, it only works over IPv6.
Ahh missed that.. guess thats it then.. guess i need to dload the file here upload to the firewall at other location then install it via command line…
-
Hello,
and what about this message trying to get the packeage via browser?
404 Not Found
files.pfsense.org has address 208.123.73.81
files.pfsense.org has IPv6 address 2610:1c0:1:25::57I guess on your Webserver the content for ipv4 is not set correctly or the rights are different. Is the folder the same on your webserver for ipv4 and ipv6?
:(
-
Well I noticed the new snort package is ready to download. I gave it a shot and noticed 2 things:
1: It wont allow me to have 2 sensors using the same interface anymore. I've had 2 WAN Sensors (1 for blocking and another for testing/alerting new rules)
2: My WAN interface wont start:Apr 8 09:10:30 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 60770 -D -q -l /var/log/snort/snort_em360770 --pid-path /var/run --nolock-pidfile -G 60770 -c /usr/pbi/snort-i386/etc/snort/snort_60770_em3/snort.conf -i em3' returned exit code '1', the output was '' Apr 8 09:10:30 snort[34127]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_60770_em3/rules/snort.rules(7703) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
Before upgrade I did an uninstall then removed every snort reference on the filesystem, "find /* | grep -i snort | xargs rm -rv"
-
The strange thing is that if I click the links here at the office, the file downloads. If I access from home via my pc or pfsense it cant be found.
As said above, it only works over IPv6.
What about the folks without ipv6?
-
IPv4 here and still waiting to see the package here: http://files.pfsense.org/packages/8/All/
Any news??? :( -
@/CS:
Any news??? :(
Any news would need to come from the developers/people with access to the HW. Frankly, pretty much everything that could go wrong did go wrong with all those migrations, even the 2.1.1 release got messed up. Dunno what's up with the guys lately. :(
-
Bill is also away on Holidays so don't expect a reply from him until he's back.
Hopefully someone at ESF fixes the issue.:o Insanity is doing the same thing over and over expecting different results! :o
-
Someone needs to fix this stat! I didn't even know that 2.9.6.0 v3.0.5 was brand new. I don't check my packages for updates very often. I updated and now have no Snort. How can I revert to 2.9.5.6 v3.0.4?
-
Someone needs to fix this stat! I didn't even know that 2.9.6.0 v3.0.5 was brand new. I don't check my packages for updates very often. I updated and now have no Snort. How can I revert to 2.9.5.6 v3.0.4?
You can't unless you have a local backup of it.