Preview of Snort-dev snort pkg 1.7 alpha



  • Hi everyone

    I been redoing the snort gui from the ground up to prepare for snort-inline.

    Need some user feed back on how the GUI should work.

    What part of the GUI don't you like ?

    What would you like to see in the GUI ?

    James

    Main snort menu

    NEW You can have multiple instances of snort running on one interface.
    NEW Every snort rule has its own settings and rules.
    NEW Every snort rule has its own instance of barnyard running.
    NEW You can see a brief overview on the snort rule options.

    Global settings

    NEW You can choose to install snort.org rules or not.

    Snort interface edit

    NEW Added snort server flow option.
    NEW Ability to disable a snort interface rule without losing all your settings.



  • Sounds great! Excelent job, jamesdean! Can't wait to start using it.



  • :D ;) :) the Gui looks great ….....................



  • The Gui looks great… outstanding work James!

    Since you asked what would be nice to add to the GUI. The Blocked hosts page could use something more. A way to resolve the IP's to country of origin and a column to indicate that or maybe country flags? Okay that's probably crazy but how about the ability to sort by type of attack or some kind of ongoing statistical record of offending IP's to make it possible to track repeat offenders?

    Another thing which comes to mind is the "remove blocked hosts every" field. Is expansion of that function (and field) to seperate out which inerfaces Snort is listening on possible…? For example if folks wanted to block 1 hour on one Interface but go longer on another? (DMZ vs. WAN... time offending host remains blocked) Functionality is the biggest thing so no big deal if too much work or adds unecessary bloat to your code.

    Sticking with functionality for a moment, the ability to make changes to F/W Rules, Aliases etc. without losing the current Snort blocked list during a Filter Refresh? I know you had said earlier that you would address that... not sure if was already solved or upcoming.

    Thank you for the fine work on this package!

    Currently on Snort 2.8.4.1_3 pkg v1.6 on pfSense 1.2.2



  • I am also more interested on the Block Host (IP) page. It is nice to have a button which can clear all the blocked ip and a quick search features. Coz sometime it takes a consider long time to display all the blocked IP.

    Finally, may be extra icon to allow permanent block on some ip which always showed in this blocked page.



  • Awesome work!
    Keep it up!



  • Hi James,

    In the "Global settings" tab, maybe a checkbox to allow XMLRPC synchronization with others cluster members ? ;-)

    Great work ! Thanks !
    Pierre



  • jamesdean
    snort-dev  2.8.4.1_6 pkg v. 1.8  I don't see anything showing up in the block list its been some hours now,
    don't know if rules are being trip
    I am seeing HTTP alerts in alert tab from the Preprocessors but nothing else.



  • @ToxIcon

    I'm really busy, you will have to wait untill Thrusday so I can add code.

    There is code I have not added that makes sure rule selection sets get saved.

    So your options are; to manually add the rules to snort.conf for that interface, wait untill Thursday when I have time to code.

    James



  • Hi James,

    Little feedback for RC2:

    • There is a typo error at snort_interfaces.php:337: The tab name for interfaces should be "Snort Interfaces" and not "Snort Inertfaces".
    • Little bug (I guess) at line 401 of the same file, when displaying the interface name in the final else: in my tests, the OPT1 interface is shown as "ARRAY",  so maybe the complete "if" could be :

    if (!$natent['interface'] || ($natent['interface'] == "wan"))
                                    echo "WAN";
                            else if(strtolower($natent['interface']) == "lan")
                                    echo "LAN";
                            else if(strtolower($natent['interface']) == "pppoe")
                                    echo "PPPoE";
                            else if(strtolower($natent['interface']) == "pptp")
                                    echo "PPTP";
                            else {
                                    $ifname=strtolower($natent['interface']);
                                    if (!empty($config['interfaces'][$ifname]['descr']))
                                            echo strtoupper($config['interfaces'][$ifname]['descr']) ;
                                    else
                                            echo strtoupper($ifname);
                                }

    And a question: if I want to use the snort thresholds, should I edit directly the config file ? I see nothing in the RC2 gui about thresholds.

    Thanks a lot for this new version !

    Regards,
    Pierre



  • @ppomes

    I released new code to fix that op1 thing RC3.

    I'll update the typo thing later latter.

    The threshhold.conf was removed in 2.8.5. So I removed that part of the code.
    In 2.8.5 threshold options should be added to the rule itself.

    For now, create a threshold.conf in the interface rule dir and edit that manually.

    Thanks for the kind words

    james

    @ppomes:

    Hi James,

    Little feedback for RC2:

    • There is a typo error at snort_interfaces.php:337: The tab name for interfaces should be "Snort Interfaces" and not "Snort Inertfaces".
    • Little bug (I guess) at line 401 of the same file, when displaying the interface name in the final else: in my tests, the OPT1 interface is shown as "ARRAY",  so maybe the complete "if" could be :

    if (!$natent['interface'] || ($natent['interface'] == "wan"))
                                   echo "WAN";
                           else if(strtolower($natent['interface']) == "lan")
                                   echo "LAN";
                           else if(strtolower($natent['interface']) == "pppoe")
                                   echo "PPPoE";
                           else if(strtolower($natent['interface']) == "pptp")
                                   echo "PPTP";
                           else {
                                   $ifname=strtolower($natent['interface']);
                                   if (!empty($config['interfaces'][$ifname]['descr']))
                                           echo strtoupper($config['interfaces'][$ifname]['descr']) ;
                                   else
                                           echo strtoupper($ifname);
                                }

    And a question: if I want to use the snort thresholds, should I edit directly the config file ? I see nothing in the RC2 gui about thresholds.

    Thanks a lot for this new version !

    Regards,
    Pierre



  • Hi !

    Thanks for the quick reply.

    Just a remark: I just had a look in the code in git. Using natent[$interface] will show "OPTX", but not the name given to the interface (Description field), and used in dropdown lists in snort or elsewhere. This is not really important anyway, but maybe it could be better to show the same interface name everywhere ?

    Pierre



  • Hummm… do you have dual wans ?

    Please explain it again.

    James



  • James,

    No dual wan, but three physical LAN (I use snort on internal devices to reduce alert verbosity)

    • LAN (the default)
    • DMZ1 (OPT1)
    • DMZ2 (OPT2)

    In firewall rules or nat screens, these 2 other interfaces are shown as DMZ1/DMZ1 ($config['interfaces'][xxx]['descr']). In snort screens, when adding a new interface, the GUI also shows DMZ1/DMZ2 in the dropdown list to select the interface. But in the snort interface tab, with $natent['interface'], OPT1/2 is shown.

    Really not an issue, it is only a "look" issue.

    Pierre



  • I hear you.

    I want to fallow the Interfaces drop-down menu in Pfsense.
    But, If people complain, I'll change it to your suggestion.

    James

    @ppomes:

    James,

    No dual wan, but three physical LAN (I use snort on internal devices to reduce alert verbosity)

    • LAN (the default)
    • DMZ1 (OPT1)
    • DMZ2 (OPT2)

    In firewall rules or nat screens, these 2 other interfaces are shown as DMZ1/DMZ1 ($config['interfaces'][xxx]['descr']). In snort screens, when adding a new interface, the GUI also shows DMZ1/DMZ2 in the dropdown list to select the interface. But in the snort interface tab, with $natent['interface'], OPT1/2 is shown.

    Really not an issue, it is only a "look" issue.

    Pierre



  • Hi James,

    Ok, thanks !

    I installed the RC3, I think I found a little issue in the "update" tab (which was maybe there in RC2): the GUI always says the rule directory is empty, even when it is not. I checked the php code, and this messages is not conditional to a "file_exists" call.

    Very very little issue ;-)

    Pierre



  • Another feedback, I decided to test all I could !

    In my test, I have three interfaces. I activated the auto update of rules every 6 hours, and when an update is done, none of the three snort is restarting. The cron log file seems ok :

    #########################
    Thursday 10th of December 2009 12:03:27 AM
    #########################

    Removing old tmp files…
    Downloading md5 file...
    Done. downloading md5
    Downloading md5 file...
    Done. downloading md5
    Downloading pfsense md5 file...
    Done. downloading md5
    Your rules are up to date...
    You may start Snort now, check update.
    You are NOT up to date...
    Stopping All Snort Package services...
    There is a new set of Emergingthreats rules posted. Downloading...
    May take 4 to 10 min...
    Done downloading Emergingthreats rules file.
    Extracting rules...
    May take a while...
    Copying md5 sig to snort directory...
    Updating Alert Messages...
    Please Wait...
    Your first set of rules are being copied...
    May take a while...
    Your first set of rules are being copied...
    May take a while...
    Your first set of rules are being copied...
    May take a while...
    Cleaning up...
    The Rules update finished...
    Snort has restarted with your new set of rules...

    But no snort is running :

    ps aux | grep snort

    Nothing is system logs, so it seems the script /usr/local/pkg/snort/snort_check_for_rule_updates.php did not start anything (I mean: there is no snort startup error on logs, so I guess the script did not restart instances).

    I think the following line is not correct when there is more than one interface:

    exec("/bin/sh /usr/local/etc/rc.d/snort* start");

    Trying "/bin/sh /usr/local/etc/rc.d/snort* start" at the shell prompt deos nothing (maybe causing "/bin/sh /usr/local/etc/rc.d/snort_0re0.sh /usr/local/etc/rc.d/snort_1re2.sh /usr/local/etc/rc.d/snort_2re1.sh start")

    At the shell, the following is working :

    for i in ls /usr/local/etc/rc.d/snort* do; sh $i start; done

    Hope this helps !
    Pierre



  • I'm on it Pierre.

    Please post the Pfsense viresion you are using.

    Thank you for making the snort package better.

    James

    @ppomes:

    Another feedback, I decided to test all I could !

    In my test, I have three interfaces. I activated the auto update of rules every 6 hours, and when an update is done, none of the three snort is restarting. The cron log file seems ok :

    #########################
    Thursday 10th of December 2009 12:03:27 AM
    #########################

    Removing old tmp files…
    Downloading md5 file...
    Done. downloading md5
    Downloading md5 file...
    Done. downloading md5
    Downloading pfsense md5 file...
    Done. downloading md5
    Your rules are up to date...
    You may start Snort now, check update.
    You are NOT up to date...
    Stopping All Snort Package services...
    There is a new set of Emergingthreats rules posted. Downloading...
    May take 4 to 10 min...
    Done downloading Emergingthreats rules file.
    Extracting rules...
    May take a while...
    Copying md5 sig to snort directory...
    Updating Alert Messages...
    Please Wait...
    Your first set of rules are being copied...
    May take a while...
    Your first set of rules are being copied...
    May take a while...
    Your first set of rules are being copied...
    May take a while...
    Cleaning up...
    The Rules update finished...
    Snort has restarted with your new set of rules...

    But no snort is running :

    ps aux | grep snort

    Nothing is system logs, so it seems the script /usr/local/pkg/snort/snort_check_for_rule_updates.php did not start anything (I mean: there is no snort startup error on logs, so I guess the script did not restart instances).

    I think the following line is not correct when there is more than one interface:

    exec("/bin/sh /usr/local/etc/rc.d/snort* start");

    Trying "/bin/sh /usr/local/etc/rc.d/snort* start" at the shell prompt deos nothing (maybe causing "/bin/sh /usr/local/etc/rc.d/snort_0re0.sh /usr/local/etc/rc.d/snort_1re2.sh /usr/local/etc/rc.d/snort_2re1.sh start")

    At the shell, the following is working :

    for i in ls /usr/local/etc/rc.d/snort* do; sh $i start; done

    Hope this helps !
    Pierre



  • @jamesdean:

    I'm on it Pierre.

    Please post the Pfsense viresion you are using.

    Thank you for making the snort package better.

    James

    Hi James,

    I am using 1.2.3RC3. The lines I was talking about are in /usr/local/pkg/snort/snort_check_for_rule_updates.php, in the snort package.

    In the meanwhile, I did some test in the shell:

    sh -x

    sh -x

    sh /usr/local/etc/rc.d/snort* start

    • sh /usr/local/etc/rc.d/snort_0re0.sh /usr/local/etc/rc.d/snort_1re2.sh /usr/local/etc/rc.d/snort_2re1.sh start

    So I think the problem is the one I suspected yesterday, and only affets snort installation with multi interfaces.

    Hope this helps !
    Pierre



  • jamesdean  how can i complete remove the snort RC, snort has 4 service listed under Status: Services
    and it wont start I tried removing it from System: Package Manager it uninstall but snort is still listed in service snort and when click it open Services: Snort 2.8.4.1_7 pkg v. 1.8 RC4



  • @ToxIcon:

    jamesdean  how can i complete remove the snort RC, snort has 4 service listed under Status: Services
    and it wont start I tried removing it from System: Package Manager it uninstall but snort is still listed in service snort and when click it open Services: Snort 2.8.4.1_7 pkg v. 1.8 RC4

    Hey are you using nanobsd ?

    Try reinstalling the snort package then deinstalling it now.

    James



  • james

    no not using nanobsd. full install, this scrip doesn't work to enable all rules

    /usr/local/bin/perl -pi -e 's/# alert/alert/g' /usr/local/etc/snort/rules/*.rules

    can you post another script

    james thank you for all your hard work I know its not easy but we all do appreciate all your hard work



  • I will add a option to disable or enable all rules for an interface.
    Please be Patient.

    James



  • Snort 2.8.4.1_7 pkg v. 1.8 RC4
    their seem to be something wrong with the Emergingthreats rules It will download but they are not listed in Categories or rules
    also their are no alerts or blocking also what would you recommend for HTTP server flow depth I have it set to 0


Log in to reply