Snort-4.0_5 Package Update Release Notes (for pfSense-2.5 DEVEL)

  • Snort-4.0_5 Package Release Notes
    An update for the Snort package on pfSense-2.5 DEVEL has been posted. This update adds two new features and corrects two bugs. Support is added for the latest Snort- binary.

    NOTE: the 4.x series Snort package includes the new Inline IPS Mode and is only available for pfSense-2.5-DEVEL snapshot users.

    New Features:

    1. The FreeBSD real interface name is now shown in parentheses beside the friendly interface name on the INTERFACES tab and in the interface selection drop-downs on the INTERFACE SETTINGS and ALERTS tabs.

    2. Support is added for the latest Snort v2.9.14.1 binary from upstream.

    Bug Fixes:

    1. New SSH preprocessor parameter default values were not being set when adding a new interface on the INTERFACES tab.

    2. An error in the Snort GUI code could allow the most recently added interface configuration to be overwritten by the values of the interface immediately before it in the config.xml file.

  • Bmeeks, will you add a button DROP ALL in all categories?

  • Bmeeks will you be able to add a button "drop all" in each category? :)


  • @Simbad said in Snort-4.0_5 Package Update Release Notes (for pfSense-2.5 DEVEL):

    Bmeeks, will you add a button DROP ALL in all categories?

    Well, I could but I am a bit hesitant because that will clutter up the config.xml file on the firewall with large Base64 encoded strings. I would rather users make use of the SID MGMT features to accomplish what you are wanting. It is much, much more efficient in terms of configuration storage space.

    Using the example from your posted screen grab, assume you want all the rules in the snort_app-detect category to be DROP. Here is all you need to do:

    1. Enable SID MGMT (if not already enabled)
    2. Click the icon to ADD a new SID MGMT list. In the Title box name it dropsid.conf (or really any name you want to use, but I just like to keep it simple and name the file for what it is doing).
    3. Now, down in the edit box for content, type the following on a single line and then save the change to close the edit dialog modal.
    4. At the bottom of the page, in the Drop SID List selector for the interface where you want the new rule action to apply, select the list you just created (dropsid.conf if you followed my example).
    5. Click the checkbox on the far left for Rebuild. Click Save. This will force an immediate calculation of the new rules with updated actions and then sends the running Snort process on that interface a signal to reload its rules.

    In the future, if you want to add more categories to the DROP action modification list, simply return to the SID MGMT tab and add the additional category names on the line. Separate the names with commas (or you can put each category on a line by itself, either way).

    You can also modify the action for specific SIDS or even ranges of SIDS using this same file. Open up and view the dropsid-sample.conf file for examples of the various options.
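To make the mechanism behind the SID MGMT drop list concrete, here is an added Python example (not code from the pfSense Snort package or from bmeeks) that parses a dropsid.conf-style list of category names, gid:sid entries and sid ranges, then rewrites the action of every selected active "alert" rule to "drop", which is what a rebuild does before the running Snort process is signalled to reload. The rule sets and the list are constructed sample data. Two things are assumptions rather than facts from the thread: that a category name equals the rules file name without ".rules" (e.g. snort_app-detect), and the exact entry forms accepted (modelled on pulledpork-style lists; dropsid-sample.conf on the firewall is authoritative).

```python
import re

# Constructed sample rule sets keyed by category. Assumption: the category name is the
# rules file name without ".rules" (snort_app-detect.rules -> "snort_app-detect").
SAMPLE_RULES = {
    "snort_app-detect": [
        'alert tcp any any -> any 80 (msg:"APP-DETECT constructed sample 1"; gid:1; sid:1000001; rev:1;)',
        'alert tcp any any -> any 443 (msg:"APP-DETECT constructed sample 2"; sid:1000002; rev:1;)',
    ],
    "snort_malware-cnc": [
        'alert tcp any any -> any any (msg:"MALWARE-CNC constructed sample 1"; sid:2000001; rev:1;)',
        'alert udp any any -> any 53 (msg:"MALWARE-CNC constructed sample 2"; sid:2000002; rev:1;)',
        'alert udp any any -> any 53 (msg:"MALWARE-CNC constructed sample 3"; sid:2000003; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
RANGE_RE = re.compile(r"^(\d+):(\d+)-(?:(\d+):)?(\d+)$")  # 1:2000-2100 or 1:2000-1:2100
GIDSID_RE = re.compile(r"^(\d+):(\d+)$")                   # 1:2000


def parse_sid_list(text):
    """Parse a dropsid.conf-style list into (categories, sids, ranges).

    Entries are separated by commas and/or newlines; '#' starts a comment.
    A bare category name selects every rule in that category, gid:sid selects
    one rule, a bare number is taken as gid 1, and gid:lo-hi selects a range.
    (Entry forms are an assumption; dropsid-sample.conf is authoritative.)
    """
    categories, sids, ranges = set(), set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]            # drop trailing comment
        for entry in (e.strip() for e in line.split(",")):
            if not entry:
                continue
            m = RANGE_RE.match(entry)
            if m:
                gid, lo, gid2, hi = m.groups()
                if gid2 is not None and gid2 != gid:
                    raise ValueError(f"range crosses generators: {entry}")
                ranges.append((int(gid), int(lo), int(hi)))
                continue
            m = GIDSID_RE.match(entry)
            if m:
                sids.add((int(m.group(1)), int(m.group(2))))
            elif entry.isdigit():
                sids.add((1, int(entry)))
            else:
                categories.add(entry)
    return categories, sids, ranges


def rule_identity(rule):
    """Return (gid, sid) for a rule line, or None if it carries no sid option."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def selected(category, identity, categories, sids, ranges):
    """True when the list names the rule's category, its exact gid:sid, or a range containing it."""
    if category in categories:
        return True
    if identity is None:
        return False
    if identity in sids:
        return True
    gid, sid = identity
    return any(gid == rgid and lo <= sid <= hi for rgid, lo, hi in ranges)


def apply_drop_list(rules_by_category, drop_list_text):
    """Rewrite the action of every selected, active 'alert' rule to 'drop'.

    Returns (rewritten rules keyed by category, number of rules changed).
    Disabled (commented-out) rules and rules with other actions are left alone.
    """
    categories, sids, ranges = parse_sid_list(drop_list_text)
    result, changed = {}, 0
    for category, rules in rules_by_category.items():
        rewritten = []
        for rule in rules:
            if rule.startswith("alert ") and selected(
                category, rule_identity(rule), categories, sids, ranges
            ):
                rule = "drop " + rule[len("alert "):]
                changed += 1
            rewritten.append(rule)
        result[category] = rewritten
    return result, changed


if __name__ == "__main__":
    # Constructed list: the whole snort_app-detect category plus two SIDs selected by range.
    DROP_LIST = "snort_app-detect, 1:2000002-2000003   # constructed example list"
    new_rules, n = apply_drop_list(SAMPLE_RULES, DROP_LIST)
    print(f"{n} rules switched to drop")
    for category, rules in new_rules.items():
        for rule in rules:
            print(category, rule.split(" (", 1)[0])
```

Running the block as a script rewrites both app-detect rules and the two malware-cnc rules inside the range while leaving sid 2000001 as alert, which is exactly why one short category line in the SID MGMT list is cheaper than storing a per-rule action override for every SID in config.xml.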
