A fairly annoying Snort bug, and some UI suggestions

  • I've been testing out pfSense over the past week, and it's great! Here is my mini summary of what I found.

    Basically it's great, but the Snort integration is causing me some headaches.

    The first problem is that Snort becomes deactivated on my WAN interface after a rule update. I have to go to /snort/snort_interfaces.php each time and click the start button to make it start again.

    The log shows that the START is never run:

    Sep 13 07:35:09 snort 17803 Could not remove pid file /var/run/snort_igb136300.pid: No such file or directory
    Sep 13 07:34:33 SnortStartup 92350 Snort START for LAN(39410_igb0)…
    Sep 13 07:34:29 SnortStartup 90234 Snort STOP for LAN(39410_igb0)...
    Sep 13 07:33:56 SnortStartup 18393 Snort STOP for WAN(36300_igb1)...

    The first UI suggestion is to make handling disabled rules quicker.
    Say you have a user who cannot browse a website because of a rule, e.g. 119:7 (http_inspect) IIS UNICODE CODEPOINT ENCODING, and so you want to disable that rule. You click the red X "force-disable rule and remove from current rule set". That will only affect future new blocks, it won't affect existing blocks added because of that rule. Manually removing each instance of that rule from the block list is a bit tedious, so the suggestion would be to filter the blocked tab or to provide the functionality to also remove all matches on the disabled rule from the blocked tab too.

    The second UI suggestion is to make mass disabling rules a bit quicker. A way to select multiple rules at a time. Maybe a checkbox?

    The third UI suggestion is to be able to hide suppressed items from the alerts and from the blocked tabs.

    Thanks! I really like pfSense.
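An added helper, not from the post or from pfSense, that scans the SnortStartup lines quoted above and reports any interface whose latest event is a STOP with no later START, which is the WAN condition described in the post. The sample log is constructed from the post's four lines, and the line format (timestamp, process, pid, message) is assumed from them.

```python
import re
from datetime import datetime

# Constructed sample log: the four lines from the post, in the newest-first
# order the pfSense status log displays them. No year is logged.
SAMPLE_LOG = """\
Sep 13 07:35:09 snort 17803 Could not remove pid file /var/run/snort_igb136300.pid: No such file or directory
Sep 13 07:34:33 SnortStartup 92350 Snort START for LAN(39410_igb0)...
Sep 13 07:34:29 SnortStartup 90234 Snort STOP for LAN(39410_igb0)...
Sep 13 07:33:56 SnortStartup 18393 Snort STOP for WAN(36300_igb1)...
"""

# Only SnortStartup START/STOP lines matter; capture the interface name and
# the "<uuid>_<ifname>" id shown in parentheses (format assumed from the post).
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) SnortStartup \d+ "
    r"Snort (?P<action>START|STOP) for (?P<iface>\w+)\((?P<id>[^)]+)\)"
)


def parse_events(log_text):
    """Return (timestamp, action, iface, id) tuples in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["action"], m["iface"], m["id"]))
    events.sort(key=lambda e: e[0])  # log is newest-first; sort oldest-first
    return events


def stopped_interfaces(log_text):
    """Interfaces whose most recent event is a STOP that no START followed."""
    last = {}
    for _ts, action, iface, ident in parse_events(log_text):
        last[iface] = (action, ident)
    return {iface: ident for iface, (action, ident) in last.items()
            if action == "STOP"}


if __name__ == "__main__":
    for iface, ident in stopped_interfaces(SAMPLE_LOG).items():
        print(f"{iface} ({ident}): Snort stopped and never restarted")
```

Run against the full status log after a rule update to confirm which interface was left down before restarting it by hand.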