Netgate Discussion Forum

Snort 2.9.7.5

IDS/IPS
    simby
    last edited by Jul 26, 2015, 7:51 AM

    Are we ready to upgrade to Snort 2.9.7.5?  8)

    2015-07-01 Carter Waxman <cwaxman@cisco.com>
    Snort 2.9.7.5
    * src/build.h:
          updating build number to 262

    * src/preprocessors/Stream6/snort_stream_tcp.c:
          Improved handling of asymmetric traffic

    * src/active.c:
          Active responses no longer set the FIN flag on the last segment
          transmitted

    * src/dynamic-preprocessors/appid/luaDetectorApi.c:
          Added sanity checks to client api

    * doc/snort_manual.pdf,
          src/: dynamic-preprocessors/dcerpc2/dce2_paf.c,
          dynamic-preprocessors/dnp3/dnp3_paf.c,
          dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
          dynamic-preprocessors/imap/imap_paf.c,
          dynamic-preprocessors/pop/pop_paf.c,
          dynamic-preprocessors/sip/sip_paf.c,
          dynamic-preprocessors/smtp/smtp_paf.c,
          preprocessors/session_api.h, preprocessors/spp_stream6.c,
          preprocessors/stream_api.h,
          preprocessors/HttpInspect/utils/hi_paf.c,
          preprocessors/Session/session_common.h,
          preprocessors/Stream6/snort_stream_tcp.c,
          preprocessors/Stream6/snort_stream_tcp.h,
          preprocessors/Stream6/stream_paf.c,
          preprocessors/Stream6/stream_paf.h:
          Multiple PAF clients can Read/Write to the same user data

    * src/: file-process/file_api.h, file-process/file_mail_common.h,
          file-process/file_mime_process.c,
          sfutil/sf_email_attach_decode.c, sfutil/sf_email_attach_decode.h:
          Fixed filename parsing from Mime body for UUencoded MIME

    * src/preprocessors/perf-base.c,
          src/preprocessors/Stream6/snort_stream_tcp.c:
          Prunes triggered by timeouts are now accounted by perfmonitor.

    * src/preprocessors/spp_session.c:
          Log warning instead of Fatal Error
          if a stream5_global config is in a non-default policy

    * src/detection-plugins/sp_base64_decode.c:
          Removed unused checks

    * src/snort.c:
          Improved reliability of configuration reloads

    * src/preprocessors/snort_httpinspect.c:
          Fixed issue in http
          file processing where SHAs may not always be correct.

    * doc/snort_manual.pdf,
          src/sfutil/sf_email_attach_decode.c:
          Fixed handling new line chars in QP encoding

    * src/preprocessors/snort_httpinspect.c:
          Fixed inconsistent behavior when configuring "max_gzip_mem -1"

      bmeeks
      last edited by Jul 26, 2015, 12:10 PM

      Working on it now.  Should be posting a Pull Request to pfsense-tools in a few days.  I'm experimenting with adding a long-requested feature to the blocking plugin… ;)

      Bill

        simby
        last edited by Jul 26, 2015, 1:48 PM

        @bmeeks:

        Working on it now.  Should be posting a Pull Request to pfsense-tools in a few days.  I'm experimenting with adding a long-requested feature to the blocking plugin… ;)

        Bill

        thanks,…

        can you add a counter for all enabled rules in Snort on first page? :)

          bmeeks
          last edited by Jul 26, 2015, 6:21 PM

          @simby:

          thanks,…

          can you add a counter for all enabled rules in Snort on first page? :)

          Do you mean on the package home page (the one showing the list of configured Snort interfaces), or are you talking about somewhere on one of the interface-specific tabs?

          Bill

            simby
            last edited by Jul 26, 2015, 6:28 PM

            LAN interface 34769 rules enabled
            WAN interface 41651 rules enabled

            On first Snort interface status :-)

              bmeeks
              last edited by Jul 27, 2015, 1:20 AM

              @simby:

              LAN interface 34769 rules enabled
              WAN interface 41651 rules enabled

              On first Snort interface status :-)

              OK.  Will see what I can do.  Space is a bit limited on that screen unless you are using the new full screen theme.

              Bill

                pfcode
                last edited by Jul 27, 2015, 3:24 AM

                @bmeeks:

                @simby:

                LAN interface 34769 rules enabled
                WAN interface 41651 rules enabled

                On first Snort interface status :-)

                OK.  Will see what I can do.  Space is a bit limited on that screen unless you are using the new full screen theme.

                Bill

                What/Where is the new full screen theme?

                Release: pfSense 2.4.3(amd64)
                M/B: Supermicro A1SRi-2558F
                HDD: Intel X25-M 160G
                RAM: 2x8Gb Kingston ECC ValueRAM
                AP: Netgear R7000 (XWRT), Unifi AC Pro

                  simby
                  last edited by Jul 27, 2015, 9:51 AM

                  @bmeeks:

                  @simby:

                  LAN interface 34769 rules enabled
                  WAN interface 41651 rules enabled

                  On first Snort interface status :-)

                  OK.  Will see what I can do.  Space is a bit limited on that screen unless you are using the new full screen theme.

                  Bill

                  Under interface, maybe: LAN 37125 rules enabled of all 43777

                    bmeeks
                    last edited by Jul 27, 2015, 11:55 AM

                    @pfcode:

                    What/Where is the new full screen theme?

                    It's under System > General Setup.  Select the pfsense_ng_fs theme.

                    Bill

                      simby
                      last edited by Aug 5, 2015, 5:05 AM

                      @bmeeks:

                      Working on it now.  Should be posting a Pull Request to pfsense-tools in a few days.  I'm experimenting with adding a long-requested feature to the blocking plugin… ;)

                      Bill

                      Any news? :-)

                        bmeeks
                        last edited by Aug 5, 2015, 3:42 PM

                        @simby:

                        Any news? :-)

                        Still working.  A family illness issue has delayed my progress for a bit.  The changes in 2.9.7.5 from upstream are pretty minor, so I don't think there is a huge impact in delaying introducing them in the pfSense port.  The new feature I'm adding will be a big help, though, so I think it's worth holding up the 2.9.7.5 update while I finish integrating the new feature.  The new feature uses multithreading to continuously watch the firewall interfaces for IP address changes and then immediately updates an internal PASS LIST to prevent errant blocking of say the WAN IP for folks with dynamic WAN IP addresses.  I have a proof-of-concept working for this feature and just need to finish up the production code.

                        The next logical step, assuming the new feature works as intended in widespread production, is to expand the multithreading idea and support FQDN aliases in the PASS LIST.  That is my goal, but that part is not started yet.

                        Bill

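An added sketch of the mechanism bmeeks describes above: a watcher thread that refreshes an internal pass list when interface addresses change, with the alert path consulting that list before blocking. It is written for this page and is not taken from the Snort package or the pending Pull Request; every function name, the `getifaddrs()` polling approach and the mutex-protected array are assumptions.

```c
/* Added example with hypothetical names; not Snort or pfSense package code. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#define MAX_ADDRS 32
static pthread_mutex_t pl_lock = PTHREAD_MUTEX_INITIALIZER;
static uint32_t pl_addrs[MAX_ADDRS];   /* interface IPv4 addrs, network order */
static size_t pl_count;

/* Snapshot the IPv4 addresses bound to local interfaces; -1 on failure. */
int snapshot_ifaddrs(uint32_t *out, int max) {
    struct ifaddrs *ifa, *p;
    int n = 0;
    if (getifaddrs(&ifa) != 0) return -1;
    for (p = ifa; p != NULL && n < max; p = p->ifa_next)
        if (p->ifa_addr != NULL && p->ifa_addr->sa_family == AF_INET)
            out[n++] = ((struct sockaddr_in *)p->ifa_addr)->sin_addr.s_addr;
    freeifaddrs(ifa);
    return n;
}

/* Swap in a snapshot; returns 1 if the list changed. A failed snapshot
 * (n < 0) keeps the old list so the WAN IP stays protected. */
int pass_list_update(const uint32_t *addrs, int n) {
    if (n < 0 || n > MAX_ADDRS) return 0;
    pthread_mutex_lock(&pl_lock);
    int changed = (size_t)n != pl_count || memcmp(addrs, pl_addrs, n * sizeof *addrs);
    memcpy(pl_addrs, addrs, n * sizeof *addrs);
    pl_count = (size_t)n;
    pthread_mutex_unlock(&pl_lock);
    return changed;
}

/* Alert path, before a block is issued: 1 means this IP must not be blocked. */
int pass_list_contains(uint32_t ip) {
    int hit = 0;
    pthread_mutex_lock(&pl_lock);
    for (size_t i = 0; i < pl_count && !hit; i++) hit = (pl_addrs[i] == ip);
    pthread_mutex_unlock(&pl_lock);
    return hit;
}

/* Watcher thread body; arg points to the poll interval in seconds (assumed). */
void *iface_watcher(void *arg) {
    uint32_t snap[MAX_ADDRS];
    for (;; sleep(*(const unsigned *)arg))
        pass_list_update(snap, snapshot_ifaddrs(snap, MAX_ADDRS));
}
```

Start `iface_watcher` with `pthread_create`, passing a pointer to an `unsigned` interval that outlives the thread; the detection thread then only ever calls `pass_list_contains`.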
                          simby
                          last edited by Aug 20, 2015, 12:37 PM

                          @bmeeks:

                          @simby:

                          LAN interface 34769 rules enabled
                          WAN interface 41651 rules enabled

                          On first Snort interface status :-)

                          OK.  Will see what I can do.  Space is a bit limited on that screen unless you are using the new full screen theme.

                          Bill

                          Bmeeks, will this be in this release?

                            bmeeks
                            last edited by Aug 23, 2015, 11:06 PM

                            @simby:

                            Bmeeks, will this be in this release?

                            It's not in the currently open Pull Request.

                            Bill

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.