Snort-3.2.9.14 and Snort-4.1.1 Updates - Release Notes (for pfSense-2.4.5_p1 and pfSense-2.5)
-
Snort v3.2.9.14 (for pfSense-2.4.5_p1)
Snort v4.1.1 (for pfSense-2.5 DEVEL)
This update for the Snort GUI package removes support for Barnyard2. As announced earlier this year, the Barnyard2 port is no longer actively maintained in FreeBSD ports. Barnyard2 has runtime dependencies on outdated database client libraries (for example, MySQL 5.7) with unpatched security vulnerabilities. These older database libraries are themselves end-of-life (EOL) and thus will not be patched.
The underlying Snort binary remains at version 2.9.16. To support users that might have other third-party tools capable of ingesting Unified2 binary logs, an option has been added to the INTERFACE SETTINGS tab of Snort to generate a Unified2 binary log. The election to generate the log is disabled by default unless the user already had Barnyard2 enabled. If Barnyard2 is detected as "enabled" during installation of this update, the new option to continue generation of a binary Unified2 log will also be enabled. The GUI makes no use of this log, and if you do not have another third-party tool that you are exporting to in that format, you can safely disable the log's generation.
Installation Instructions:
- To ensure the Barnyard2 binary and its associated EOL database client libraries are removed, it is recommended that you first delete the Snort package from your firewall and then reinstall it. Your existing package settings will be retained as long as the option Keep Snort Settings After Deinstall is checked on the GLOBAL SETTINGS tab as shown below:
Major Functionality Changes:
- Barnyard2 support has been removed and the associated runtime dependency deleted from the package manifest for the Snort package.
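For readers deciding whether anything still consumes the Unified2 log mentioned in the release notes above, the following added example (not part of the original post and not code from the Snort package) reads that log's record framing in Python. It assumes the legacy IPv4 event layout from the Snort 2.9 Unified2 headers; `parse_unified2` and `build_sample` are hypothetical names and the sample bytes are constructed.

```python
import ipaddress
import struct

# Record header: type and length, both 32-bit big-endian.
HEADER = struct.Struct(">II")
# Legacy IPv4 event body (52 bytes); the VLAN variant begins with the same fields.
EVENT = struct.Struct(">11I2H4B")
EVENT_TYPES = {7, 104}  # UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN


def parse_unified2(data):
    """Return alert dicts from raw Unified2 bytes, skipping non-event records."""
    events, offset = [], 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        body = data[offset:offset + length]
        if len(body) < length:
            break  # truncated final record, e.g. Snort is still writing it
        offset += length
        if rtype in EVENT_TYPES and length >= EVENT.size:
            f = EVENT.unpack_from(body)
            events.append({
                "event_id": f[1], "seconds": f[2],
                "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                "src": str(ipaddress.IPv4Address(f[9])),
                "dst": str(ipaddress.IPv4Address(f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13],
                "blocked": f[16],
            })
    return events


def build_sample():
    """Constructed input: one event, one packet record, one truncated event."""
    ev = EVENT.pack(0, 1, 1600000000, 0, 1000001, 1, 1, 0, 2,
                    int(ipaddress.IPv4Address("192.0.2.10")),
                    int(ipaddress.IPv4Address("198.51.100.5")),
                    49152, 80, 6, 0, 0, 0)
    pkt = b"\x00" * 12  # stand-in packet record body (type 2), skipped by the parser
    return (HEADER.pack(7, len(ev)) + ev
            + HEADER.pack(2, len(pkt)) + pkt
            + HEADER.pack(7, len(ev)) + ev[:20])


if __name__ == "__main__":
    for alert in parse_unified2(build_sample()):
        print(alert)
```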
-
@bmeeks
I installed the new Snort 3.2.9.14 this morning. All went well with no errors and Barnyard2 is not in any of the drop down menus, but I'm a little confused when I look in the System log it shows that it reinstalled Barnyard2. Just curious, did this change just remove it from the drop down menus but is it still installed in pfSense?
-
@jdeloach said in Snort-3.2.9.14 and Snort-4.1.1 Updates - Release Notes (for pfSense-2.4.5_p1 and pfSense-2.5):
@bmeeks
I installed the new Snort 3.2.9.14 this morning. All went well with no errors and Barnyard2 is not in any of the drop down menus, but I'm a little confused when I look in the System log it shows that it reinstalled Barnyard2. Just curious, did this change just remove it from the drop down menus but is it still installed in pfSense?
Yes, I forgot to turn off a second OPTIONS knob in one of the Poudriere make.conf files. That is being taken care of, so the next update will in fact remove Barnyard2. A new package will appear shortly with a small version number bump.
-
@jdeloach said in Snort-3.2.9.14 and Snort-4.1.1 Updates - Release Notes (for pfSense-2.4.5_p1 and pfSense-2.5):
@bmeeks
I installed the new Snort 3.2.9.14 this morning. All went well with no errors and Barnyard2 is not in any of the drop down menus, but I'm a little confused when I look in the System log it shows that it reinstalled Barnyard2. Just curious, did this change just remove it from the drop down menus but is it still installed in pfSense?
The new package revision (Snort-3.2.9.14_1) is now posted. This version does in fact leave Barnyard2 and its outdated DB clients uninstalled. To actually remove the existing installations, though, you will need to delete the Snort package and then install it again as the "deletion" step is what will remove the Barnyard2 stuff.
This time, the new package revision will NOT bring the Barnyard2 binary stuff back when Snort is reinstalled.
-