New Snort package v4.1.6_15 update Release Notes
-
Snort-4.1.6_15
A new Snort package update has been merged into the Netgate package repo and should appear shortly for pfSense CE and pfSense Plus users. This update adds two new features and fixes two Redmine bug reports and one other bug discovered by me in the custom Legacy Blocking module.
Important Note: this update includes a change to a common include file in the code package, snort.inc. This file will be cached by PHP and the old file will be used in the initial setup of the Snort conf files after the upgrade if you choose Upgrade on the Package Manager tab. It is suggested that you delete the Snort package, then locate it in the Available Packages tab of the Package Manager and install it again. This way, the new snort.inc file will be used on the initial setup following the update.

New Features:
- The '-M' option was added to the Snort startup parameters to facilitate logging to syslog of certain Legacy Blocking module operations.
- Add logging of certain Legacy Blocking Mode plugin actions via syslog.
Bug Fixes:
- HTTP_Inspect Preprocessor Engine: wrong legend on parameters, see Redmine Issue #15222.
- Process the decoder and preprocessor rules files through the IPS-Policy logic so that decoder and preprocessor rules not matching the selected IPS-Policy are not loaded into active rules. This will greatly reduce the number of false positives generated by these rules. See Redmine Issue #15260.
- Fix potential for memory corruption when removing an element from the Linked List containing passlist entries in the custom Legacy Blocking Mode plugin.
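As an added illustration of the IPS-Policy filtering described in the second bug fix (example code written for this note, not the pfSense package's own snort.inc logic): Talos rules carry their policy membership in the rule's metadata option as `policy <name> <action>` tags, using the policy names connectivity-ips, balanced-ips, security-ips and max-detect-ips. The filter below parses those tags and keeps only rules tagged for the selected policy, so a decoder or preprocessor rule without a tag for that policy is dropped rather than loaded. The sample rule lines are constructed for the example, and the choice to treat a leading `#` as irrelevant when the rule carries a matching tag is this example's assumption.

```python
import re

# Talos IPS policy names as they appear in Snort 2.9 rule metadata.
POLICIES = ("connectivity-ips", "balanced-ips", "security-ips", "max-detect-ips")

# Constructed sample rules for this example (not copied from any Talos rules
# file). sid 1 carries no policy tag, sid 2 and 3 carry tags, sid 4 is
# commented out in the file but tagged for balanced-ips.
SAMPLE_RULES = """\
# decoder rules sample (constructed)
alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV4_INVALID_HEADER_LEN"; sid:2; gid:116; rev:1; metadata:rule-type decode, policy balanced-ips drop, policy security-ips drop; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV4_DGRAM_LT_IPHDR"; sid:3; gid:116; rev:1; metadata:rule-type decode, policy security-ips drop; classtype:protocol-command-decode; )
# alert ( msg:"DECODE_TCP_SHORT"; sid:4; gid:116; rev:1; metadata:rule-type decode, policy balanced-ips alert; classtype:protocol-command-decode; )
"""

_META_RE = re.compile(r"metadata\s*:\s*([^;]*);")
_POLICY_RE = re.compile(r"policy\s+([a-z-]+)\s+(alert|drop)")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def rule_policies(rule):
    """Return {policy_name: action} parsed from the rule's metadata option.

    A rule with no metadata option, or with metadata that carries no policy
    tags (typical of decoder/preprocessor rules), yields an empty dict.
    """
    m = _META_RE.search(rule)
    if not m:
        return {}
    return {name: action for name, action in _POLICY_RE.findall(m.group(1))}


def select_by_policy(rules_text, policy):
    """Return [(sid, action, rule_text)] for rules tagged for `policy`.

    Assumption for this example: membership is decided purely by the policy
    tag, so a rule commented out with a leading '#' is still selected when it
    carries a tag for the chosen policy, and an untagged rule is never
    selected no matter how the file has it.
    """
    if policy not in POLICIES:
        raise ValueError("unknown IPS policy: %r" % (policy,))
    kept = []
    for line in rules_text.splitlines():
        raw = line.strip()
        if not raw:
            continue
        if raw.startswith("#"):
            raw = raw.lstrip("#").strip()
        # Skip plain comment text; only rule lines have an action keyword.
        if not raw.startswith(("alert", "drop", "pass", "log")):
            continue
        pols = rule_policies(raw)
        if policy not in pols:
            continue  # not part of the selected policy: leave it unloaded
        sid = int(_SID_RE.search(raw).group(1))
        kept.append((sid, pols[policy], raw))
    return kept


if __name__ == "__main__":
    for pol in POLICIES:
        sids = [(sid, action) for sid, action, _ in select_by_policy(SAMPLE_RULES, pol)]
        print("%-17s -> %s" % (pol, sids))
```

Running the block prints, per policy, the sids that would be loaded and whether each is an alert or drop rule under that policy; the untagged sid 1 never appears, which is the effect the fix aims for on decoder and preprocessor rules.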
-
It's already available in CE.
Thank you @bmeeks
-
@bmeeks I thought Snort was going to be deprecated. Has it been resurrected from the grave?
-
@keyser said in New Snort package v4.1.6_15 update Release Notes:
@bmeeks I thought Snort was going to be deprecated. Has it been resurrected from the grave?
No change in its status on pfSense. This is primarily just fixing something that had been coded incorrectly in the GUI portion of the package for a long time.
The deprecated part is up to the Talos/Cisco group upstream. Currently, Snort on pfSense is based on the deprecated Snort 2.9.x binary. That binary has been replaced by the Snort3 branch which is radically different. It is coded in C++ instead of C, uses Lua for the snort.conf file instead of plaintext, uses a totally different plugin API, and is multithreaded. So, that means for a Snort3 package to exist on pfSense, everything related to the current package would have to be rewritten basically from the ground up. I'm not willing to do that, preferring instead to concentrate on Suricata. If someone else wants to attempt a Snort3 package, they are more than welcome to do so.

At some point I fully expect the Snort 2.9.x binary to be pulled by the Talos/Cisco folks. Already, so far as I know, there have been no updates since 2.9.20 was released back in June 2022.
-
To hopefully add some additional clarity to my response above relative to Snort package deprecation in pfSense --
A good analogy might be the current state of the legacy ISC DHCP daemon and the new Kea component. The ISC DHCP daemon is still present in pfSense and likely will remain available for quite some time in the future. But ISC has announced that Kea is their future, and it's where all future development effort from them will be concentrated going forward. pfSense has made the decision to add Kea and to eventually deprecate the legacy ISC DHCP product.
Similarly, for Snort, the upstream Talos/Cisco team has made it clear that Snort3 is where their future development efforts will concentrate. I expect the old Snort 2.9.x tree to get very limited "love" (if it gets any at all) going forward.
But as long as the 2.9.20 binary code compiles in whatever FreeBSD version pfSense is using at a given point in time, and the code runs without crashing, I suspect the Snort 2.9.x package will continue to be available on pfSense.
On pfSense there are two pieces of the Snort package puzzle. There is the GUI component the user interacts with (written in PHP), and then the binary daemon (written in C) where all the actual packet inspection happens. The binary daemon comes from the upstream Talos/Cisco folks. All the PHP code does is create the snort.conf file and then launch the binary daemon. There may be occasional updates to the PHP code (for example, this most recent one) to address known bugs within that piece. The binary piece on pfSense also contains a custom plugin I wrote that handles the Legacy Mode blocking duty. Sometimes that custom plugin may get a fix (as it did in this release), but no new Snort binary traffic inspection features or support for new protocols are going to show up unless the Talos/Cisco upstream team makes an update for the Snort 2.9.x binary tree. I don't expect that to happen often, and it is less and less likely as time progresses. Already it's been nearly two years since any change was made in Snort 2.9.x upstream.
-