Snort update coming soon – please read about an important change!
-
An update for Snort to version 2.9.6.0 of the binary and version 3.0.5 of the GUI package is currently being reviewed by the pfSense Core Team developers. It is not posted yet for download! Only after it is approved and merged will the update show under Installed Packages.
Here is a link to the Pull Request on GitHub describing the changes in the update: https://github.com/pfsense/pfsense-packages/pull/635
One important change in this upcoming version is the renaming of the WHITELISTS tab to PASS LISTS. This was done to avoid confusion with the new whitelist files used with the Snort IP Reputation preprocessor that is included in the update. The function of a PASS LIST is the same as the old WHITELIST: namely it contains a list of IP addresses that Snort will never block no matter what. It will inspect all the traffic to and from IP addresses on a PASS LIST, and if bad traffic is detected an alert will be generated, but no block will ever be inserted for IP addresses on a PASS LIST assigned to an interface. All of the old options are still there for PASS LISTS just like for the old WHITELISTS. Any existing lists you had are still there and will still work. The name of the tab is really all that is different. You create a PASS LIST on the PASS LISTS tab, and then you go to the Interface Settings tab for the interface you want to use that Pass List and assign it. This is the same way it works in the current version.
You may also want to acquaint yourself with the features and capabilities of the IP Reputation preprocessor in Snort. Here is a link to the official Snort documentation: http://manual.snort.org/node17.html#SECTION003219000000000000000
Barnyard2 output options in this new version will also match up with the options in the new Suricata package. Namely you will be able to choose syslog, Bro, and/or MySQL DB outputs. During the package installation process any existing Barnyard2 MySQL settings will be migrated to a new internal format.
Bill
-
Have you had a chance to "fix" the Barnyard2 system log output? It's currently posting a lot of noise to the system log every time the service is started or stopped.
-
Have you had a chance to "fix" the Barnyard2 system log output? It's currently posting a lot of noise to the system log every time the service is started or stopped.
I looked at that, but there is no way to completely shut it up without some changes to the Barnyard2 source code. The Snort package is already using the "-q" switch for "quiet".
Bill
-
With the addition of the "IP Rep Processor", the Alerts Tab is going to get a little busier. Would you consider splitting the alerts tab into two tabs to help view the alerts easier?
I had suggested in the past a tab for Scans, CINS, DROP, Compromised, separate from the other alerts.
Just a suggestion.
Also, the IP rep processor has a "Monitor" class. Will you be making use of this option also? This would allow any ip addresses in a Monitor List to be alerted when Snort detects that traffic but will just show the Alert as "Monitor" without blocking it.
-
@BBcan17:
With the addition of the "IP Rep Processor", the Alerts Tab is going to get a little busier. Would you consider splitting the alerts tab into two tabs to help view the alerts easier?
I had suggested in the past a tab for Scans, CINS, DROP, Compromised, separate from the other alerts.
Just a suggestion.
Unfortunately there is room for only so many tabs in the current pfSense interface. It would be possible to offer some filtering on the ALERTS tab maybe.
@BBcan17:
Also, the IP rep processor has a "Monitor" class. Will you be making use of this option also? This would allow any ip addresses in a Monitor List to be alerted when Snort detects that traffic but will just show the Alert as "Monitor" without blocking it.
The way the Spoink blocking plugin works for now, any "alert" results in a block (excepting of course IPs that are on a Pass List – to use the new term for the old whitelists tab). To implement a true "Monitor" mode might require a tweak to the Snort binary code (meaning the Spoink plugin). I can look at that for a future update. My focus now that the 2.9.6.0 package is out for review is working full time getting blocking mode working in the new Suricata package.
Bill
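
The Pass List behaviour described in this thread (every detection is still alerted, but no block is inserted for an address on the Pass List assigned to that interface), as an added illustration that is not code from the Snort package or the Spoink plugin. The interface names, list names, addresses and the choice to treat both ends of a flow as block candidates are assumptions made for the example.

```python
import ipaddress

# Constructed sample data: list names, interfaces and addresses are hypothetical.
PASS_LISTS = {
    "lan_trusted": ["192.168.1.0/24", "10.0.0.5"],
    "dmz_hosts": ["172.16.0.0/24"],
}
# A Pass List only takes effect on the interface it is assigned to.
INTERFACE_PASS_LIST = {"WAN": "lan_trusted", "DMZ": "dmz_hosts"}

SAMPLE_ALERTS = [  # constructed alert events
    {"iface": "WAN", "src": "203.0.113.7", "dst": "192.168.1.20"},
    {"iface": "WAN", "src": "10.0.0.5", "dst": "198.51.100.9"},
    {"iface": "DMZ", "src": "192.168.1.20", "dst": "172.16.0.10"},
]

def on_pass_list(ip, interface):
    """True if ip is covered by the Pass List assigned to this interface."""
    addr = ipaddress.ip_address(ip)
    entries = PASS_LISTS[INTERFACE_PASS_LIST[interface]]
    # Entries may be single hosts or CIDR networks.
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def process_alerts(alerts):
    """Return (logged_alerts, blocked_ips) for a list of alert dicts."""
    logged, blocked = [], set()
    for alert in alerts:
        logged.append(alert)  # traffic is inspected and alerted on regardless
        # Assumption: both ends of the flow are candidates for a block.
        for ip in (alert["src"], alert["dst"]):
            if not on_pass_list(ip, alert["iface"]):
                blocked.add(ip)
    return logged, blocked

def demo():
    logged, blocked = process_alerts(SAMPLE_ALERTS)
    return len(logged), sorted(blocked)

if __name__ == "__main__":
    count, blocked = demo()
    print(f"{count} alerts logged; blocked: {blocked}")
```

In the sample data 192.168.1.20 is protected on WAN but blocked after the DMZ alert, because the list that covers it is not the one assigned to DMZ.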
-
Thanks for the update again bmeeks!
My focus now that the 2.9.6.0 package is out for review is working full time getting blocking mode working in the new Suricata package.
This is also great news!
-
Bill
I tried the update this morning. It uninstalled, then when it goes to install it can't find the file on the pfsense servers apparently and halts the install.
Now I am running without snort atm.. Not sure if I need to give it more time to appear properly or if there was an issue with the upload. If this isn't fixed.. any way to get snort back on the box?
Beginning package installation for snort .
Downloading package configuration file… done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.0-amd64.pbi ... could not download from there or http://files.pfsense.org/packages/amd64/8/All//snort-2.9.6.0-amd64.pbi.
of snort-2.9.6.0-amd64 failed!
Installation aborted.
Backing up libraries...
Removing package...
Starting package deletion for snort-2.9.6.0-amd64...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... done.
Failed to install package.
Installation halted.
-
Not all of the pull requests have been accepted yet if I'm looking at this correctly: https://github.com/pfsense/pfsense-packages/pulls
Anyways, you should try again in an hour or so. I'm not 100% sure, but it could be that the binaries are still being built or something. Ermal merged bmeeks' pull request 30 minutes ago.
-
I figured something was up.. that's what I get for jumping on the bandwagon too quickly.. I usually wait a bit.. but saw the update on the dashboard and decided to update it.
Thanks for the reply.. will try again in a bit as it's still failing atm.
-
With Snort package binary version updates I would probably wait until bmeeks has a post up for the new version on this forum section. :)
There's still a lot of room for improvement with the pfSense package system as it now just checks for the version number and there's no guarantee that all the files have been compiled and are in place in the repository.
-
Hello,
When will snort be available? I can't find anything telling when it will be installable.
Thanks
-
Same issue as kilthro: the installer can't find the snort-2.9.6.0-amd64.pbi file at that path; the file is missing.
-
Hey all,
I've got the same error as kilthro:
Beginning package installation for snort .
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.0-amd64.pbi ... could not download from there or http://files.pfsense.org/packages/amd64/8/All//snort-2.9.6.0-amd64.pbi.
of snort-2.9.6.0-amd64 failed!
Installation aborted.
Removing package...
Starting package deletion for snort-2.9.6.0-amd64...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.
Installation halted.
Can you tell me something about it?
Maybe you can fix this by uploading the file(s).
-
Hi guys!
Same problem here. Take a look at line 6: a double slash in the URL?! …4/8/All//snort-2.9.6.0-...
Beginning package installation for snort .
Downloading package configuration file… done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.0-amd64.pbi … could not download from there or http://files.pfsense.org/packages/amd64/8/All//snort-2.9.6.0-amd64.pbi.
of snort-2.9.6.0-amd64 failed!
Installation aborted.
Backing up libraries…
Removing package...
Starting package deletion for snort-2.9.6.0-amd64...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... done.
Failed to install package.
Installation halted.
Thanks for your help...
-
It downloads just fine here, double-slash or not.
-
It downloads just fine here, double-slash or not.
How?
If I look in the folder "http(s)://files.pfsense.org/packages/amd64/8/All/" I cannot find any file named "snort-2.9.6.0-amd64.pbi".
So how can you download it?
-
Is it possible to roll back the current packages list until the new package is up so that there aren't 12 dozen posts stating the download failed?
-
Hello,
Sorry for disturbing, but there is no package available for download.
Look here: https://files.pfsense.org/packages/amd64/8/All/
Is read access set for everyone or not?
-
I think the file is not uploaded yet.. I can't see it..
-
How?
So how can you download it?
I just clicked the links in this post… It downloaded. Double-slash or not.
SHA1:
39d45298585c32b79368d3ead1188326aeb6e961 *snort-2.9.6.0-amd64.pbi