Snort Package Update to v2.9.13 (binary) and v3.2.9.8_6 (GUI) - Release Notes

bmeeks

A Snort package update has been posted to the pfSense 2.5-DEVEL tree. The update includes the latest 2.9.13 Snort binary, fixes two GUI package bugs and enhances some existing Snort GUI features.

Release notes for the 2.9.13 Snort binary can be found here.

After a testing period on pfSense-2.5-DEVEL, the update will be ported to the current 2.4.x-RELEASE tree.

GUI Package Feature Updates

1. Change the base URL for ET-Open rules to use HTTPS (https://rules.emergingthreats.net/).
2. Change the base URL for OpenAppID free rules to use HTTPS (https://files.pfsense.org/openappid/).
3. Change the IP REP tab code so IP Reputation preprocessor configuration edits restart Snort instead of causing it to stop when already running. This is necessary because any IP REP changes require a Snort restart on the interface.

GUI Package Bug Fixes

1. IP REPUTATION tab has cosmetic issues when choosing an IP blacklist for the interface.
2. When updating package (via a reinstall) without Snort VRT rule download enabled the unicode.map file is clobbered rendering Snort unable to start.

l0rdraiden

Does this version of Snort already do block in inline mode?

bmeeks

@l0rdraiden said in Snort Package Update to v2.9.13 (binary) and v3.2.9.8_6 (GUI) - Release Notes:

Does this version of Snort already do block in inline mode?

No, Snort cannot do inline mode blocking on pfSense like Suricata can. That is potentially on the horizon, but I don't have a timeline for when.

Simbad

Hi, why don't you update openappid? (https://files.pfsense.org/openappid/).

https://blog.snort.org/2019/04/update-to-snort-openappid-detectors.html

bmeeks

@Simbad said in Snort Package Update to v2.9.13 (binary) and v3.2.9.8_6 (GUI) - Release Notes:

Hi, why don't you update openappid? (https://files.pfsense.org/openappid/).

https://blog.snort.org/2019/04/update-to-snort-openappid-detectors.html

You are confusing the available free OpenAppID rules (written by a third-party and hosted by Netgate) with the OpenAppID rule stubs which are produced by the Snort team. That post on the Snort blog was about the rule stubs. These are two separate things, but you need both for OpenAppID to work. The rule stubs (the portion produced by the Snort team) will automatically update at your next rules update after they are posted to the Snort site. The free OpenAppID rules, on the other hand, only update if and when the third-party author (who was affiliated with a University in Brazil) makes a change. I don't think he has made any changes in quite some time.

The rule stubs are the foundation upon which OpenAppID works, but without the text rules written by that third-party OpenAppID does not work. You are also free to create your own OpenAppID rules using the latest features afforded by the new rule stubs. You can add them as Custom Rules on the RULES tab.