Snort package v3.2.9.1_14 Update – Release Notes



  • Snort is back!  This updates the Snort GUI package to support the new 2.9.8.3 binary and the corresponding 2.9.8.3 VRT rules.

    New Features
    1. Option added on GLOBAL SETTINGS tab to allow disabling the SSL Peer Verify function when downloading rule updates. This will help users utilizing self-signed certs on proxies. The new feature defaults to "off" (which is the old behavior).  If you are having SSL certificate problems during rule updates, try checking (enabling) this new option.

    2. For better international support, the display of the date for alerts was changed to the ISO-8601 format of YYYY-mm-dd on the ALERTS and BLOCKED tabs.

    Bug Fixes
    1. Sensitive Data alert data types are saving correctly, but selected alert types are not marked as "selected" in drop-down on PREPROCESSORS tab.

    2. On SUPPRESS tab, when editing a suppression list, line wrapping should be disabled.

    When editing a suppression list on the SUPPRESS tab, you can use the little handle in the lower right-hand corner of the control window to expand the control horizontally to make it wider (so as to make the horizontal scrollbar disappear).

    Bill



  • Hi,

    Sounds great, many many thanks!

    But I still see no update available.

    I'm running pfSense on pfSense/Netgate hardware and have a Snort paid subscription.

    Should I just wait or consider reinstalling the package? Currently, since EOL, I have been running Snort with ET and free community rules as a fallback option.



  • Really nice, thanks for your work.  Update installed correctly after I figured out how to do it (was in Installed Packages).  First time I have seen anything in Snort VRT Rules.  I am adding all the install diagnostics below.

    Installed Rule Set MD5 Signature

    Rule Set Name/Publisher     | MD5 Signature Hash               | MD5 Signature Date
    Snort VRT Rules             | 533a35c27d0f9e6b3c5d2bcfee881d36 | Thursday, 07-Jul-16 16:53:56 CDT
    Snort GPLv2 Community Rules | 24d67c23e8463a05f98791c165064b66 | Thursday, 07-Jul-16 16:53:58 CDT
    Emerging Threats Open Rules | f9945b8d845222b374598f0e7fb1e621 | Thursday, 07-Jul-16 16:54:02 CDT
    Snort OpenAppID Detectors   | 5ffa8d252cb15ccd52f1a25c41f00049 | Thursday, 07-Jul-16 16:53:56 CDT

    Upgrading pfSense-pkg-snort…
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up-to-date.
    Updating pfSense repository catalogue...
    pfSense repository is up-to-date.
    All repositories are up-to-date.
    The following 2 package(s) will be affected (of 0 checked):

    Installed packages to be UPGRADED:
    pfSense-pkg-snort: 3.2.9.1_13 -> 3.2.9.1_14 [pfSense]
    snort: 2.9.8.0_1 -> 2.9.8.3 [pfSense]

    The process will require 2 MiB more space.
    1 MiB to be downloaded.
    Fetching pfSense-pkg-snort-3.2.9.1_14.txz: …....... done
    Fetching snort-2.9.8.3.txz: .......... done
    Checking integrity... done (0 conflicting)
    [1/2] Upgrading snort from 2.9.8.0_1 to 2.9.8.3…
    [1/2] Extracting snort-2.9.8.3: …....... done
    [2/2] Upgrading pfSense-pkg-snort from 3.2.9.1_13 to 3.2.9.1_14…
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    [2/2] Extracting pfSense-pkg-snort-3.2.9.1_14: …....... done
    Saving updated package information...
    overwrite!
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...Saved settings detected.
    Migrating settings to new configuration... done.
    Downloading Snort VRT rules md5 file... done.
    Checking Snort VRT rules md5 file... done.
    There is a new set of Snort VRT rules posted.
    Downloading snortrules-snapshot-2983.tar.gz... done.
    Downloading Snort OpenAppID detectors md5 file... done.
    Checking Snort OpenAppID detectors md5 file... done.
    There is a new set of Snort OpenAppID detectors posted.
    Downloading snort-openappid.tar.gz... done.
    Downloading Snort GPLv2 Community Rules md5 file... done.
    Checking Snort GPLv2 Community Rules md5 file... done.
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading community-rules.tar.gz... done.
    Downloading Emerging Threats Open rules md5 file... done.
    Checking Emerging Threats Open rules md5 file... done.
    There is a new set of Emerging Threats Open rules posted.
    Downloading emerging.rules.tar.gz... done.
    Installing Sourcefire VRT rules...Copying md5 signature to snort directory... done.
    Installing Snort OpenAppID detectors...Copying md5 signature to snort directory... done.
    Installing Snort GPLv2 Community Rules... done.
    Installing Emerging Threats Open rules...Copying md5 signature to snort directory... done.
    Updating rules configuration for: WAN ... done.
    Cleaning up temp dirs and files... done.
    The Rules update has finished.
    Generating snort.conf configuration file from saved settings.
    Generating configuration for WAN...
    done.
    Generating snort.sh script in /usr/local/etc/rc.d/... done.
    Finished rebuilding Snort configuration files.
    done.
    Executing custom_php_resync_config_command()...
    done.
    Menu items... done.
    Services... done.
    Writing configuration... done.
    Please visit Services - Snort - Interfaces tab first and select your desired rules. Afterwards visit the Updates tab to download your configured rulesets.Message from snort-2.9.8.3:

    Snort uses rcNG startup script and must be enabled via /etc/rc.conf
    Please see /usr/local/etc/rc.d/snort
    for list of available variables and their description.
    Configuration files are located in /usr/local/etc/snort directory.

    Please note that, by default, snort will truncate packets larger than the
    default snaplen of 15158 bytes.  Additionally, LRO may cause issues with
    Stream5 target-based reassembly.  It is recommended to disable LRO, if
    your card supports it.

    This can be done by appending '-lro' to your ifconfig_ line in rc.conf.

    Message from pfSense-pkg-snort-3.2.9.1_14:
    Please visit Services - Snort - Interfaces tab first to add an interface, then select your desired rules packages at the Services - Snort - Global tab. Afterwards visit the Updates tab to download your configured rulesets.

    Cleaning up cache... done.
    Success
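
The md5-then-tarball order printed in the log above, together with the SSL Peer Verify option from the release notes, as an added Python sketch (not the package's own code). The function names, the status strings and the assumption that an .md5 file carries one 32-hex-digit token are illustrative.

```python
import hashlib
import re
import ssl

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

def parse_md5_file(text):
    """Return the first 32-hex-digit token in an .md5 file body, lowercased."""
    m = MD5_RE.search(text)
    return m.group(0).lower() if m else None

def tls_context(peer_verify_off=False, proxy_ca_file=None):
    """TLS settings for the download; peer_verify_off models the new option."""
    ctx = ssl.create_default_context()
    if peer_verify_off:
        # Any certificate is accepted: the server is no longer authenticated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif proxy_ca_file:
        # Alternative for an intercepting proxy: trust its CA, keep verification.
        ctx.load_verify_locations(cafile=proxy_ca_file)
    return ctx

def check_update(installed_md5, md5_file_text, fetch_tarball):
    """Return (status, md5) following the md5-then-tarball order in the log."""
    posted = parse_md5_file(md5_file_text)
    if posted is None:
        return ("bad-md5-file", installed_md5)   # e.g. an HTML error page
    if posted == (installed_md5 or "").lower():
        return ("up-to-date", installed_md5)     # nothing new posted
    data = fetch_tarball()
    if hashlib.md5(data).hexdigest() != posted:
        return ("mismatch", installed_md5)       # keep the old rules
    return ("installed", posted)

# Constructed sample data, not real rule archives.
SAMPLE_TARBALL = b"constructed stand-in for emerging.rules.tar.gz"
SAMPLE_MD5_FILE = hashlib.md5(SAMPLE_TARBALL).hexdigest() + "\n"

if __name__ == "__main__":
    print(check_update(None, SAMPLE_MD5_FILE, lambda: SAMPLE_TARBALL))
    print(check_update(None, SAMPLE_MD5_FILE, lambda: SAMPLE_TARBALL + b"x"))
    print(tls_context(peer_verify_off=True).verify_mode)
```

Because the md5 file arrives over the same connection as the tarball, the comparison catches truncated or corrupted downloads but not a substituted archive. With peer verification switched off, neither file is authenticated, so trusting the proxy's CA certificate keeps that protection where it is an option.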



  • @dread:

    Hi,

    Sounds great, many many thanks!

    But I still see no update available.

    I'm running pfSense on pfSense/Netgate hardware and have a Snort paid subscription.

    Should I just wait or consider reinstalling the package? Currently, since EOL, I have been running Snort with ET and free community rules as a fallback option.

    The Netgate devices have their own packages repository in order to optimize performance on that hardware – at least they used to have their own separate repository.  The Snort package update probably has not been migrated over there yet.  You can contact Netgate support directly and ask them about it.

    Bill



  • Thanks a lot for your advice.

    So I sent an e-mail to Voleatech, Germany. They said that the update is not in the official update catalogue yet, and promised to look into the issue.

    Very soon I got another email saying that the issue will be resolved soon.

    And now the latest package is available, and I just upgraded. Everything is working well now.

    Many thanks!

