    Snort Package v3.2.9.5 Update – Release Notes

    • bmeeks
      bmeeks last edited by

      Snort v3.2.9.5 – Release Notes

      An update for the Snort package has been posted.  There is both a GUI code update and an underlying binary bug fix.

      IMPORTANT UPGRADE ADVICE
      I strongly suggest that the best way to upgrade the Snort package is to first uninstall it from the Package Manager, and then reinstall it.  You won't lose any settings so long as you have the "Save Settings on Deinstall" checkbox on the GLOBAL SETTINGS tab checked.  It is checked by default.

      New Features

      The ARP Spoofing preprocessor is now exposed in the GUI as a configurable option on the PREPROCESSORS tab. Settings are available for toggling the enabled state of the preprocessor and for enabling detection of unicast ARP requests. A multi-entry table is provided that allows for entry of MAC address-to-IP address pairs to monitor for ARP spoofing incidents. New MAC/IP address pairs can be added to the table and existing MAC/IP pairs can be edited or deleted from the table.

      Bug Fixes

      • Fix display of IPv6 addresses so they wrap correctly when displayed in the SRC IP and DST IP columns on the ALERTS tab.

      • Fix the DOWNLOAD button on the ALERTS and BLOCKS tabs so it works. Also fix the ALERTS download so that it only includes alert logs and not all log files in the directory.

      • Restore the installation of the attribute_table.dtd validation file to the Snort conf directory.

      • Do not show Reverse DNS Lookup and Track-by-IP icons on the ALERTS tab for alert entries that do not contain an IP Header and thus have no IP addresses (usually from alerts generated by the ARP Spoof preprocessor).

      • Improve package uninstall procedure by manually cleaning up files created or altered by the GUI code. The default pkg uninstall code does not remove files modified by others.

      • Remove the shared object rules files when uninstalling the package. This should fix errors during package upgrades when older versions of these files still exist.

      • Add a warning to the OpenAppID rules file download section on the GLOBAL SETTINGS tab about Geo-IP blocking at the volunteer hosting web site. This hosting block may impact users in some countries when they attempt to enable the OpenAppID rules download. (NOTE - this is for the rules only. The OpenAppID detectors are maintained by the Snort VRT and should always download and install. However, the detectors need the rules in order to be fully functional.)

      • Fix deletion of multi-configuration engines for preprocessors that support them such as Frag3, Stream5, HttpInspect, FTP and ARP Spoof.

      • Correct a bug in the custom blocking plugin for the Snort binary. Failure to validate that the IP header information in an alerting packet is valid before attempting to insert the IP addresses into the "snort2c" table could cause Signal 11 faults in the Snort binary. Certain alerts, particularly from the ARP Spoofing detection preprocessor, may not contain valid IP header information. The IP header information is now validated before attempting to insert the addresses into the "snort2c" table. Alert packets with empty or invalid IP header information are now ignored by the blocking plugin since it could not do anything useful with them anyway.

      Bill

      • maverick_slo
        maverick_slo last edited by

        Hi and thanks for the update!

        Is this normal?


        • bmeeks
          bmeeks last edited by

          @maverick_slo:

          Hi and thanks for the update!

          Is this normal?

          Depends on your configuration.  Generally you don't want to enable Unicast ARP detection unless you really need to.  Have you configured MAC address and IP address pairs for the preprocessor to monitor?  Finally, is your firewall a physical box on an actual network, or is it a virtual machine?  That can make a difference in what the preprocessor detects.

          I'm not an expert on the ARP preprocessor.  Never have researched it much.  I added it just so the folks that have a need to use it can configure it in the GUI without having to resort to the Advanced Pass-Through option.

          Bill

          • maverick_slo
            maverick_slo last edited by

            Not entered anything to ip and mac.
            Will disable that option.
            It's physical machine…

            • maverick_slo
              maverick_slo last edited by

              I've disabled unicast option and log spam stopped.
              Now some tests with arpspoof :)

              • maverick_slo
                maverick_slo last edited by

                Well tested it and heh…. no usable info in logs unfortunately.
                No IPs no MACs just informative things...
                While in system log:
                arp: 10.10.0.3 moved from 00:25:9c:14:66:aa to 00:15:5d:00:e7:bb on em1_vlan10

                I don't know how it's supposed to work anyways :)

                • bmeeks
                  bmeeks last edited by

                  From what I understand about how it works, you must enter MAC address and IP address pairs for it to monitor.  Of course that implies the monitored hosts need static IP addresses.

                  You input these by clicking the green ADD button.  That will open a modal dialog where you input a MAC and IP address.  Save it, then restart Snort to pick up the changes.  You can add several MAC/IP pairs and then restart Snort if you choose.  As you add address pairs, they will appear in the table in that Preprocessor section.  Each new row will also have the little edit and delete icons like other things in the GUI.  The modal dialog uses built-in PHP functions to validate the MAC and IP addresses.  I used dashes ("-") between the values of the MAC address when I tested.  Snort wants colons in its configuration, so the GUI code under the covers will convert dashes to colons in the MAC address field when it creates the Snort configuration file.

                  Bill

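The static MAC/IP table bmeeks describes above, and the kernel "arp: ... moved" line maverick_slo quoted earlier, as an added Python example (not code from the Snort package, pfSense, or anyone in this thread): it validates pairs the way the GUI does (accepting dashes, emitting colons), renders the Snort 2 arpspoof preprocessor lines, and checks a kernel log line against the same table. SAMPLE_PAIRS and the function names are constructed for this example; the preprocessor keywords are Snort 2's documented syntax.

```python
import ipaddress
import re

# Constructed sample input: MAC/IP pairs as a user might type them into the
# GUI table, using dashes (as in the thread) or colons between octets.
SAMPLE_PAIRS = [
    ("10.10.0.1", "00-25-9c-14-66-01"),
    ("10.10.0.3", "00-25-9c-14-66-aa"),
]
# The FreeBSD kernel message quoted in the thread (MACs as posted there).
SAMPLE_LOG_LINE = "arp: 10.10.0.3 moved from 00:25:9c:14:66:aa to 00:15:5d:00:e7:bb on em1_vlan10"

def normalize_mac(mac):
    """Validate a MAC written with '-' or ':' separators and return the
    colon-separated lowercase form Snort expects in its configuration."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(p.lower() for p in parts)

def validate_ipv4(ip):
    """ARP carries only IPv4 addresses, so reject IPv6 or malformed input."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError(f"arpspoof monitors IPv4 hosts only: {ip!r}")
    return str(addr)

def build_arpspoof_config(pairs, unicast=False):
    """Render the Snort 2 arpspoof preprocessor lines for a static host table."""
    lines = ["preprocessor arpspoof: -unicast" if unicast else "preprocessor arpspoof"]
    for ip, mac in pairs:
        lines.append(f"preprocessor arpspoof_detect_host: {validate_ipv4(ip)} {normalize_mac(mac)}")
    return "\n".join(lines)

_MOVED_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\S+)")

def check_arp_move(line, pairs):
    """Compare a kernel 'arp: <ip> moved from <mac> to <mac>' line against the
    same static table. Returns a finding dict when a monitored IP shows up with
    a MAC other than the expected one, otherwise None."""
    m = _MOVED_RE.search(line)
    if not m:
        return None
    ip, _old_mac, new_mac, iface = m.groups()
    expected = {validate_ipv4(i): normalize_mac(mc) for i, mc in pairs}.get(ip)
    seen = normalize_mac(new_mac)
    if expected is None or seen == expected:
        return None  # unmonitored host, or the MAC matches the table
    return {"ip": ip, "expected": expected, "seen": seen, "iface": iface}

if __name__ == "__main__":
    print(build_arpspoof_config(SAMPLE_PAIRS))
    print(check_arp_move(SAMPLE_LOG_LINE, SAMPLE_PAIRS))
```

As bmeeks notes, the check only fires for hosts listed in the table; an unlisted IP changing MAC is silently ignored, exactly like the preprocessor itself.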
                  • maverick_slo
                    maverick_slo last edited by

                    Ahhh ok.
                    I thought it was smart and it's populating pairs automatically and then if mac changed fires an alert. Now that would be cool 😁
                    Thanks for clarification!

                    • bmeeks
                      bmeeks last edited by

                      @maverick_slo:

                      Ahhh ok.
                      I thought it was smart and it's populating pairs automatically and then if mac changed fires an alert. Now that would be cool 😁
                      Thanks for clarification!

                      No, it is not an automatic thing.  Also remember that in a switched LAN environment the preprocessor is not going to be able to see and catch everything.  There are some good papers to be found with a Google search about ARP spoof attacks and the difficulty of reliably detecting all of them.

                      Bill
