Snort Package v3.2.9.5 Update – Release Notes



  • Snort v3.2.9.5 – Release Notes

    An update for the Snort package has been posted.  There is both a GUI code update and an underlying binary bug fix.

    IMPORTANT UPGRADE ADVICE
    I strongly suggest that the best way to upgrade the Snort package is to first uninstall it from the Package Manager, and then reinstall it.  You won't lose any settings so long as you have the "Save Settings on Deinstall" checkbox on the GLOBAL SETTINGS tab checked.  It is checked by default.

    New Features

    The ARP Spoofing preprocessor is now exposed in the GUI as a configurable option on the PREPROCESSORS tab. Settings are available for toggling the enabled state of the preprocessor and for enabling detection of unicast ARP requests. A multi-entry table is provided that allows for entry of MAC address-to-IP address pairs to monitor for ARP spoofing incidents. New MAC/IP address pairs can be added to the table and existing MAC/IP pairs can be edited or deleted from the table.

    Bug Fixes

    • Fix display of IPv6 addresses so they wrap correctly when displayed in the SRC IP and DST IP columns on the ALERTS tab.

    • Fix the DOWNLOAD button on the ALERTS and BLOCKS tabs so it works. Also fix the ALERTS download so that it only includes alert logs and not all log files in the directory.

    • Restore the installation of the attribute_table.dtd validation file to the Snort conf directory.

    • Do not show Reverse DNS Lookup and Track-by-IP icons on the ALERTS tab for alert entries that do not contain an IP Header and thus have no IP addresses (usually from alerts generated by the ARP Spoof preprocessor).

    • Improve package uninstall procedure by manually cleaning up files created or altered by the GUI code. The default pkg uninstall code does not remove files modified by others.

    • Remove the shared object rules files when uninstalling the package. This should fix errors during package upgrades when older versions of these files still exist.

    • Add a warning to the OpenAppID rules file download section on the GLOBAL SETTINGS tab about Geo-IP blocking at the volunteer hosting web site. This hosting block may impact users in some countries when they attempt to enable the OpenAppID rules download. (NOTE - this is for the rules only. The OpenAppID detectors are maintained by the Snort VRT and should always download and install. However, the detectors need the rules in order to be fully functional.)

    • Fix deletion of multi-configuration engines for preprocessors that support them such as Frag3, Stream5, HttpInspect, FTP and ARP Spoof.

    • Correct a bug in the custom blocking plugin for the Snort binary. Failure to validate that the IP header information in an alerting packet is valid before attempting to insert the IP addresses into the "snort2c" table could cause Signal 11 faults in the Snort binary. Certain alerts, particularly from the ARP Spoofing detection preprocessor, may not contain valid IP header information. The IP header information is now validated before attempting to insert the addresses into the "snort2c" table. Alert packets with empty or invalid IP header information are now ignored by the blocking plugin since it could not do anything useful with them anyway.

    Bill



  • Hi and thanks for the update!

    Is this normal?




  • @maverick_slo:

    Hi and thanks for the update!

    Is this normal?

    Depends on your configuration.  Generally you don't want to enable Unicast ARP detection unless you really need to.  Have you configured MAC address and IP address pairs for the preprocessor to monitor?  Finally, is your firewall a physical box on an actual network, or is it a virtual machine?  That can make a difference in what the preprocessor detects.

    I'm not an expert on the ARP preprocessor.  Never have researched it much.  I added it just so the folks that have a need to use it can configure it in the GUI without having to resort to the Advanced Pass-Through option.

    Bill



  • Not entered anything for IP and MAC.
    Will disable that option.
    It's a physical machine…



  • I've disabled the unicast option and the log spam stopped.
    Now some tests with arpspoof :)



  • Well, tested it and heh…. no usable info in the logs unfortunately.
    No IPs, no MACs, just informative things...
    While in system log:
    arp: 10.10.0.3 moved from 00:25:9c:14:66:aa to 00:15:5d:00:e7:bb on em1_vlan10

    I don't know how it's supposed to work anyway :)



  • From what I understand about how it works, you must enter MAC address and IP address pairs for it to monitor.  Of course that implies the monitored hosts need static IP addresses.

    You input these by clicking the green ADD button.  That will open a modal dialog where you input a MAC and IP address.  Save it, then restart Snort to pick up the changes.  You can add several MAC/IP pairs and then restart Snort if you choose.  As you add address pairs, they will appear in the table in that Preprocessor section.  Each new row will also have the little edit and delete icons like other things in the GUI.  The modal dialog uses built-in PHP functions to validate the MAC and IP addresses.  I used dashes ("-") between the values of the MAC address when I tested.  Snort wants colons in its configuration, so the GUI code under the covers will convert dashes to colons in the MAC address field when it creates the Snort configuration file.

    Bill
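    The two points above, the static MAC/IP table that becomes arpspoof_detect_host lines (with dashes converted to colons) and the kernel "arp: ... moved" message from the earlier post, as an added stand-alone illustration in Python. This is not the package's PHP GUI code; the table and log line are constructed from the values quoted in this thread, and the config syntax is Snort 2.9's arpspoof preprocessor syntax.

```python
import ipaddress
import re

# A MAC written with either colons or dashes, as the GUI accepts; mixed separators are rejected.
_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([-:])[0-9a-fA-F]{2}(?:\1[0-9a-fA-F]{2}){4}$")

# FreeBSD kernel message format seen in the thread when a host's MAC changes.
_ARP_MOVED_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\S+)")


def normalize_mac(mac):
    """Validate a MAC and return it lower-case with colons (what Snort's config wants)."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def validate_ipv4(ip):
    """arpspoof_detect_host monitors IPv4 hosts; anything else raises ValueError."""
    return str(ipaddress.IPv4Address(ip.strip()))


def arpspoof_config(pairs, unicast=False):
    """Render the Snort 2.9 arpspoof preprocessor lines for a list of (ip, mac) pairs."""
    lines = ["preprocessor arpspoof: -unicast" if unicast else "preprocessor arpspoof"]
    for ip, mac in pairs:
        lines.append(f"preprocessor arpspoof_detect_host: {validate_ipv4(ip)} {normalize_mac(mac)}")
    return "\n".join(lines) + "\n"


def check_arp_moved(log_line, pairs):
    """Compare a kernel 'arp: ... moved' line against the same static table.
    Returns None for non-matching lines or unmonitored hosts, else a dict with a
    'mismatch' flag set when the new MAC differs from the configured one."""
    m = _ARP_MOVED_RE.search(log_line)
    if not m:
        return None
    ip, _old_mac, new_mac, iface = m.groups()
    expected = {validate_ipv4(i): normalize_mac(mac) for i, mac in pairs}
    if ip not in expected:
        return None
    seen = normalize_mac(new_mac)
    return {"ip": ip, "iface": iface, "expected": expected[ip], "seen": seen,
            "mismatch": seen != expected[ip]}


if __name__ == "__main__":
    # Constructed sample table, entered with dashes as the poster did in the GUI.
    table = [("10.10.0.3", "00-25-9c-14-66-aa")]
    print(arpspoof_config(table))
    # Constructed log line modelled on the one quoted in the thread.
    print(check_arp_moved("arp: 10.10.0.3 moved from 00:25:9c:14:66:aa to 00:15:5d:00:e7:bb on em1_vlan10", table))
```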



  • Ahhh ok.
    I thought it was smart and that it populates the pairs automatically and then, if a MAC changed, fires an alert. Now that would be cool 😁
    Thanks for clarification!



  • @maverick_slo:

    Ahhh ok.
    I thought it was smart and that it populates the pairs automatically and then, if a MAC changed, fires an alert. Now that would be cool 😁
    Thanks for clarification!

    No, it is not an automatic thing.  Also remember that in a switched LAN environment the preprocessor is not going to be able to see and catch everything.  There are some good papers to be found with a Google search about ARP spoof attacks and the difficulty of reliably detecting all of them.

    Bill