Preview of Snort-dev snort pkg 1.7 alpha
-
Hi everyone
I have been redoing the snort GUI from the ground up to prepare for snort-inline.
I need some user feedback on how the GUI should work.
What part of the GUI don't you like?
What would you like to see in the GUI?
James
Main snort menu
NEW You can have multiple instances of snort running on one interface.
NEW Every snort rule has its own settings and rules.
NEW Every snort rule has its own instance of barnyard running.
NEW You can see a brief overview on the snort rule options.
Global settings
NEW You can choose to install snort.org rules or not.
Snort interface edit
NEW Added snort server flow option.
NEW Ability to disable a snort interface rule without losing all your settings.
-
Sounds great! Excellent job, jamesdean! Can't wait to start using it.
-
:D ;) :) The GUI looks great…
-
The GUI looks great… outstanding work James!
Since you asked what would be nice to add to the GUI: the Blocked hosts page could use something more. A way to resolve the IPs to country of origin and a column to indicate that, or maybe country flags? Okay, that's probably crazy, but how about the ability to sort by type of attack or some kind of ongoing statistical record of offending IPs to make it possible to track repeat offenders?
Another thing which comes to mind is the "remove blocked hosts every" field. Is expansion of that function (and field) to separate out which interfaces Snort is listening on possible…? For example, if folks wanted to block 1 hour on one interface but go longer on another? (DMZ vs. WAN... time offending host remains blocked) Functionality is the biggest thing, so no big deal if it's too much work or adds unnecessary bloat to your code.
Sticking with functionality for a moment: the ability to make changes to F/W rules, aliases etc. without losing the current Snort blocked list during a filter refresh? I know you had said earlier that you would address that... not sure if it was already solved or upcoming.
Thank you for the fine work on this package!
Currently on Snort 2.8.4.1_3 pkg v1.6 on pfSense 1.2.2
-
I am also more interested in the Blocked Hosts (IP) page. It would be nice to have a button which can clear all the blocked IPs, and a quick search feature, because sometimes it takes a considerably long time to display all the blocked IPs.
Finally, maybe an extra icon to allow a permanent block on some IPs which always show up in this blocked page.
-
Awesome work!
Keep it up!
-
Hi James,
In the "Global settings" tab, maybe a checkbox to allow XMLRPC synchronization with other cluster members? ;-)
Great work! Thanks!
Pierre
-
jamesdean
snort-dev 2.8.4.1_6 pkg v. 1.8: I don't see anything showing up in the block list; it's been some hours now.
I don't know if rules are being tripped.
I am seeing HTTP alerts in the alert tab from the preprocessors but nothing else.
-
I'm really busy, you will have to wait until Thursday so I can add code.
There is code I have not added that makes sure rule selection sets get saved.
So your options are: manually add the rules to snort.conf for that interface, or wait until Thursday when I have time to code.
James
-
Hi James,
Little feedback for RC2:
- There is a typo at snort_interfaces.php:337: the tab name for interfaces should be "Snort Interfaces" and not "Snort Inertfaces".
- Little bug (I guess) at line 401 of the same file, when displaying the interface name in the final else: in my tests, the OPT1 interface is shown as "ARRAY", so maybe the complete "if" could be:
if (!$natent['interface'] || ($natent['interface'] == "wan"))
    echo "WAN";
else if (strtolower($natent['interface']) == "lan")
    echo "LAN";
else if (strtolower($natent['interface']) == "pppoe")
    echo "PPPoE";
else if (strtolower($natent['interface']) == "pptp")
    echo "PPTP";
else {
    /* OPTx interfaces: show the user-assigned description if there is one,
       otherwise fall back to the interface name itself */
    $ifname = strtolower($natent['interface']);
    if (!empty($config['interfaces'][$ifname]['descr']))
        echo strtoupper($config['interfaces'][$ifname]['descr']);
    else
        echo strtoupper($ifname);
}
And a question: if I want to use the snort thresholds, should I edit the config file directly? I see nothing in the RC2 GUI about thresholds.
Thanks a lot for this new version!
Regards,
Pierre
-
I released new code to fix that OPT1 thing in RC3.
I'll update the typo thing later.
The threshold.conf was removed in 2.8.5, so I removed that part of the code.
In 2.8.5 threshold options should be added to the rule itself.
For now, create a threshold.conf in the interface rule dir and edit that manually.
Thanks for the kind words
James
Hi !
Thanks for the quick reply.
Just a remark: I just had a look at the code in git. Using natent[$interface] will show "OPTX", but not the name given to the interface (Description field) and used in dropdown lists in snort or elsewhere. This is not really important anyway, but maybe it would be better to show the same interface name everywhere?
Pierre
-
Hummm… do you have dual WANs?
Please explain it again.
James
-
James,
No dual WAN, but three physical LANs (I use snort on internal devices to reduce alert verbosity)
- LAN (the default)
- DMZ1 (OPT1)
- DMZ2 (OPT2)
In firewall rules or NAT screens, these 2 other interfaces are shown as DMZ1/DMZ2 ($config['interfaces'][xxx]['descr']). In snort screens, when adding a new interface, the GUI also shows DMZ1/DMZ2 in the dropdown list to select the interface. But in the snort interface tab, with $natent['interface'], OPT1/2 is shown.
Really not an issue, it is only a "look" issue.
Pierre
-
I hear you.
I want to follow the Interfaces drop-down menu in pfSense.
But if people complain, I'll change it to your suggestion.
James
-
Hi James,
Ok, thanks !
I installed the RC3. I think I found a little issue in the "update" tab (which was maybe there in RC2): the GUI always says the rule directory is empty, even when it is not. I checked the PHP code, and this message is not conditional on a "file_exists" call.
Very very little issue ;-)
Pierre
-
Another feedback, I decided to test all I could!
In my test, I have three interfaces. I activated the auto update of rules every 6 hours, and when an update is done, none of the three snort instances restarts. The cron log file seems ok:
#########################
Thursday 10th of December 2009 12:03:27 AM
#########################
Removing old tmp files…
Downloading md5 file...
Done. downloading md5
Downloading md5 file...
Done. downloading md5
Downloading pfsense md5 file...
Done. downloading md5
Your rules are up to date...
You may start Snort now, check update.
You are NOT up to date...
Stopping All Snort Package services...
There is a new set of Emergingthreats rules posted. Downloading...
May take 4 to 10 min...
Done downloading Emergingthreats rules file.
Extracting rules...
May take a while...
Copying md5 sig to snort directory...
Updating Alert Messages...
Please Wait...
Your first set of rules are being copied...
May take a while...
Your first set of rules are being copied...
May take a while...
Your first set of rules are being copied...
May take a while...
Cleaning up...
The Rules update finished...
Snort has restarted with your new set of rules...
But no snort is running:
ps aux | grep snort
Nothing in system logs, so it seems the script /usr/local/pkg/snort/snort_check_for_rule_updates.php did not start anything (I mean: there is no snort startup error in logs, so I guess the script did not restart instances).
I think the following line is not correct when there is more than one interface:
exec("/bin/sh /usr/local/etc/rc.d/snort* start");
Trying "/bin/sh /usr/local/etc/rc.d/snort* start" at the shell prompt does nothing (maybe causing "/bin/sh /usr/local/etc/rc.d/snort_0re0.sh /usr/local/etc/rc.d/snort_1re2.sh /usr/local/etc/rc.d/snort_2re1.sh start")
At the shell, the following is working:
for i in `ls /usr/local/etc/rc.d/snort*`; do sh $i start; done
Hope this helps!
Pierre
-
I'm on it Pierre.
Please post the pfSense version you are using.
Thank you for making the snort package better.
James
-
Hi James,
I am using 1.2.3RC3. The lines I was talking about are in /usr/local/pkg/snort/snort_check_for_rule_updates.php, in the snort package.
In the meanwhile, I did some tests in the shell:
$ sh -x
sh /usr/local/etc/rc.d/snort* start
+ sh /usr/local/etc/rc.d/snort_0re0.sh /usr/local/etc/rc.d/snort_1re2.sh /usr/local/etc/rc.d/snort_2re1.sh start
So I think the problem is the one I suspected yesterday, and it only affects snort installations with multiple interfaces.
Hope this helps!
Pierre
-
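Pierre's diagnosis above (the calling shell expands the glob first, so a single sh gets the first rc script as its program and the remaining scripts as arguments), reproduced in a constructed temporary directory. This is an added example, not code from the snort package: the stub snort_*.sh scripts, the started.log file and the make_fake_rcd / start_all_glob / start_all_loop / count_started helper names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the snort package. The stub scripts live in a
# constructed temporary directory, never in /usr/local/etc/rc.d.

make_fake_rcd() {
    # $1 = directory to populate with three stub snort_*.sh rc scripts.
    # Each stub records its own name and the first argument it received.
    mkdir -p "$1"
    for name in snort_0re0.sh snort_1re2.sh snort_2re1.sh; do
        cat > "$1/$name" <<EOF
#!/bin/sh
echo "$name \$1" >> "$1/started.log"
EOF
    done
}

start_all_glob() {
    # The form used by snort_check_for_rule_updates.php: the calling shell
    # expands the glob first, so sh runs ONLY the first script and hands it
    # the remaining script paths (plus "start") as arguments.
    sh "$1"/snort_* start
}

start_all_loop() {
    # One sh per script, so every script receives "start" as its $1.
    for script in "$1"/snort_*; do
        if [ -f "$script" ]; then
            sh "$script" start
        fi
    done
}

count_started() {
    # Number of stub scripts that were actually invoked with "start".
    if [ -f "$1/started.log" ]; then
        grep -c ' start$' "$1/started.log" || true
    else
        echo 0
    fi
}

# Demo against a constructed directory: expect 0 of 3, then 3 of 3.
demo_dir=$(mktemp -d)
make_fake_rcd "$demo_dir"
start_all_glob "$demo_dir"
echo "glob form started $(count_started "$demo_dir") of 3 instances"
rm -f "$demo_dir/started.log"
start_all_loop "$demo_dir"
echo "loop form started $(count_started "$demo_dir") of 3 instances"
rm -rf "$demo_dir"
```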
jamesdean, how can I completely remove the snort RC? Snort has 4 services listed under Status: Services
and it won't start. I tried removing it from System: Package Manager; it uninstalled, but snort is still listed in services, and when I click it, it opens Services: Snort 2.8.4.1_7 pkg v. 1.8 RC4