Snort Package v4.0 for pfSense-2.5-DEVEL -- Release Notes
bmeeks last edited by bmeeks
Snort v4.0 Package for pfSense-2.5-DEVEL
A new Snort version is available for users of pfSense-2.5-DEVEL snapshots. This version adds an Inline IPS Mode of operation that uses the netmap API for high-speed packet transfer. Inline mode also prevents any packet from leaking past Snort while it makes a go/no-go decision on a stream, unlike Legacy Mode blocking, where Snort sees a copy of the traffic and the first packets of a flow have already been forwarded by the time a block is inserted. With Inline IPS Mode, Snort sits between the NIC driver and the host operating system stack: every packet passing between the interface and the operating system (the pfSense firewall) must go through Snort via the netmap pipe. Snort then decides either to forward the packet on to the operating system or to drop it. Dropped packets never reach the operating system and are thus effectively blocked.
This Snort package includes the latest 2.9.13 version of the Snort binary. Release notes for Snort 2.9.13 can be found here.
IMPORTANT INSTALLATION NOTE:
You must first uninstall your existing Snort package and then re-install it for this upgrade. Failure to remove the Snort package first may lead to unpredictable operation after the initial startup from the upgrade. Removing the package will not result in loss of Snort settings so long as the "Save Settings" option is checked on the GLOBAL SETTINGS tab. That option is checked by default.
NEW FEATURES:
- Support for Inline IPS Mode operation using the DAQ netmap module. This mode is configured on the INTERFACE SETTINGS tab for an interface in the Block Settings area. You must have a supported NIC (network interface card) to use this new feature. Currently FreeBSD 12 supports netmap operation with the following NIC drivers: em, igb, ixgb, ixl, lem, re and cxgbe.
- Enabled the normalize preprocessor for Inline IPS Mode operation. This preprocessor rewrites packets in flight and therefore does nothing when Legacy Mode blocking is used.
BUG FIXES:
- Host Attribute Table XML file fails to load. See Redmine issue #9546.
- Interface IP REP tab shows "invalid foreach parameter" error message if no blacklists or whitelists are assigned to the interface.
- The snort_prepare_rule_files() function does not process enabled or disabled preprocessor or decoder rules when no other rule categories and no IPS Policy are selected.
- The snort.conf directive config flowbits_size is now set to its maximum value (2048) so that large rule sets which name more than the default 1024 flowbits still load. See this Netgate Forums post for details.
- Snort sometimes fails to live-reload rule updates and logs a spurious "Snort Reload: Changes to dynamic preprocessors require a restart" error message in the system log.
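The flowbits_size change above matters because Snort allocates one bit per distinct flowbit name across the whole loaded rule set, and a set that names more bits than flowbits_size allows fails to load. The following added example (my own illustration, not code from this package or from bmeeks's post) counts the distinct flowbit names in a Snort 2.9 rules file, reads config flowbits_size from a snort.conf fragment (falling back to Snort's documented default of 1024), and reports whether the rule set fits. The parsing follows the documented Snort 2.9 option syntax flowbits:<op>[,<bit>[&|<bit>...]][,<group>]; the sample rules and snort.conf lines are constructed for the example.

```python
"""Check whether a Snort 2.9 rule set fits within config flowbits_size.

Added example; not part of the pfSense Snort package or of the post above.
Snort allocates one bit per unique flowbit name, so the count of distinct
names across every enabled rule is what must stay <= flowbits_size.
"""
import re

SNORT_DEFAULT_FLOWBITS_SIZE = 1024   # Snort 2.9 default when the directive is absent
SNORT_MAX_FLOWBITS_SIZE = 2048       # largest value Snort 2.9 accepts

# flowbits operations whose second argument names one or more bits.
# "noalert" takes no bit, and "reset"'s optional argument is a group name.
_BIT_OPS = {"set", "setx", "unset", "toggle", "isset", "isnotset"}

# One flowbits option inside a rule body, e.g. "flowbits:set,file.pdf&http.ok,grp;"
_FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]*);", re.IGNORECASE)
_SIZE_RE = re.compile(r"^\s*config\s+flowbits_size\s*:\s*(\d+)\s*$",
                      re.IGNORECASE | re.MULTILINE)

# Constructed snort.conf fragment (the daq lines show the inline setup; only
# flowbits_size is read by this script).
SAMPLE_CONF = """\
config daq: netmap
config daq_mode: inline
config flowbits_size: 2048
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
"""

# Constructed rules; the commented-out rule is how pfSense writes a disabled
# rule, and Snort does not load it, so its flowbit must not be counted.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"HTTP request seen"; flow:to_server,established; content:"GET"; flowbits:set,http.request; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any 80 -> any any (msg:"PDF over HTTP"; flow:to_client,established; content:"%PDF-"; flowbits:isset,http.request; flowbits:set,file.pdf&file.seen; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"PDF or EXE seen"; flowbits:isset,file.pdf|file.exe; flowbits:reset; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; flowbits:set,disabled.bit; sid:1000004; rev:1;)
"""


def flowbit_names(rules_text):
    """Return the set of distinct flowbit names referenced by enabled rules."""
    names = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank or disabled (commented) rule
        for opt in _FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in opt.split(",")]
            op = parts[0].lower()
            if op not in _BIT_OPS or len(parts) < 2:
                continue                  # noalert, reset[,group], or malformed
            # '&' lists bits that must all match, '|' bits where any matches;
            # each name in either form occupies its own flowbit.
            for name in re.split(r"[&|]", parts[1]):
                name = name.strip()
                if name:
                    names.add(name)
    return names


def configured_flowbits_size(conf_text):
    """Return the flowbits_size from snort.conf, or Snort's default of 1024."""
    match = _SIZE_RE.search(conf_text)
    return int(match.group(1)) if match else SNORT_DEFAULT_FLOWBITS_SIZE


def check_flowbits(conf_text, rules_text):
    """Return (bits_used, size_configured, fits) for the given config and rules."""
    used = len(flowbit_names(rules_text))
    size = configured_flowbits_size(conf_text)
    return used, size, used <= size


if __name__ == "__main__":
    used, size, fits = check_flowbits(SAMPLE_CONF, SAMPLE_RULES)
    print("distinct flowbits: %d, flowbits_size: %d, fits: %s" % (used, size, fits))
    if size > SNORT_MAX_FLOWBITS_SIZE:
        print("warning: flowbits_size exceeds the Snort 2.9 maximum of %d"
              % SNORT_MAX_FLOWBITS_SIZE)
```

Point the script at a real snort.conf and the concatenated rules files Snort actually loads (on pfSense, the per-interface files under /usr/local/etc/snort/) to see how close a large rule set gets to the default before the package raised the limit.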
I will post set up instructions along with screenshots for configuring the new Inline IPS Mode in a separate thread.