Netgate Discussion Forum

    Snort Package Update 2.5.7 – Change Log

      bmeeks

      Snort 2.9.4.1 - Package Version 2.5.7

      CHANGE LOG – 04/25/2013
      This update for the Snort package includes several bug fixes, process and UI enhancements and new features. This updates the package to version 2.5.7. This is a GUI code update only. The underlying Snort binary package is still 2.9.4.1.

      How To Install

      For best results, ensure Snort is configured to save settings (on the Global Settings tab) and then perform a package delete and reinstall.  If you have version 2.5.6, a simple package reinstallation without a delete should work.  If you encounter difficulties, try the delete and reinstall method.

      Bug Fixes

      1.  Fixed longstanding bug preventing edits to the intervals for the "Rules Update" and "Remove Blocked Offenders" cron jobs. Changes made in the GLOBAL SETTINGS tab altering the initial settings are now saved and actually implemented in /etc/crontab.

      2.  Made additional enhancements to the Snort shell script to further improve the startup reliability of Snort and Barnyard2.  These changes corrected problems with Snort not auto-starting following 2.1-BETA snapshot updates and the associated package reinstallation.

      3.  Corrected a perceived bug in how the Snort reinstall process worked when reinstalling using previously saved settings. Now, if previously saved Snort settings are detected, Snort is auto-started at the end of the post-install process. Several users requested this new behavior.

      4.  Corrected a number of typos in the Automatic Rules Update module where string variables used as arguments within quotes were not properly delimited with braces {}. For example, "$my_variable" instead of "{$my_variable}".

      5.  Found several more HTML formatting errors scattered around in various modules. Fixing these corrected some weird table formatting issues with stuff not lining up correctly. One example was on the ALERTS tab where on Internet Explorer the layout was scrunched up all on the right-hand side when the alerts table was empty.

      6.  On the ALERTS tab, the CLEAR button was ineffective in Internet Explorer because it was not hooked correctly to the page form object, and consequently alerts could not be cleared when using Internet Explorer 9 or higher.  The CLEAR button now works correctly on IE9 and higher.

      7.  On the SNORT INTERFACES tab, added code to ensure the Snort shell script was correctly generated each time an interface was added, removed or had its Barnyard2 settings modified. Previously, some actions could result in the required lines not being added to the shell script.

      8.  Fixed some spelling errors in assorted log messages and in a few code comments.

      9.  Fixed a bug in the new PBI-aware install code where during certain stages of package reinstalling on 2.1 systems the PBI path was null. Now, when the PBI path for Snort shows as null, a sane default value is used instead. This bug was also partly responsible for Snort reinstall failures on 2.1 systems during snapshot updates.

      Enhanced or New Features

      1.  Added a check on the SNORT INTERFACES tab for an empty set of rules on an interface. If a configured and enabled interface has no selected rules, a warning icon is now printed next to the offending interface. Additionally, a warning message is also printed in the system log when the interface is started. Lack of selected rules will not prevent Snort from starting on the interface, but now the user is notified of the condition.  See attached screenshot below for example.

      2.  Changed the pop-up window style for viewing the Flowbit-Required Rules and the Rule Updates Log to be a more conventional style custom pop-up that is not full-screen and does not contain the menu UI of pfSense. This will hopefully prevent some user confusion caused by the old UI where the pop-up window was full-screen and contained the menu. However, this old pop-up window did not have all the necessary state information from the old window; so some menu functions within Snort would get confused.

      3.  Added an automatic VIEW button to the PREPROCESSORS tab that appears whenever the automatic disabling of preprocessor-dependent rules is enabled and it has resulted in some rules actually being disabled. The user can now directly view these auto-disabled rules using the VIEW button on the PREPROCESSORS tab. Note that this new button only appears if rules have actually been disabled. If no rules were auto-disabled, then the new VIEW button is hidden.  See attached screenshot below.

      4.  Changed several of the system log messages from Snort to be more descriptive. Also added a few additional messages from the Snort package deletion and reinstallation routines to give a better record of the process in the event something goes wrong.

      Note – #5 below is a change in default behavior!
      5.  Continuing in the vein of making Snort easier for novices to use right out-of-the-box without inadvertently shooting themselves in the foot, the Snort package now default enables the most commonly-needed preprocessors. These are clearly marked now on the PREPROCESSORS tab. The new default values are used only when the user has never selected a value. If you have an existing Snort installation and saved the values "unchecked", then they will remain that way until you change them.

      6.  Added a new CLEAR button on the Custom Rules view of the RULES tab. When the Custom Rules are selected in the dropdown, and the text area is available for editing custom rules, you now have a CLEAR button that will delete all custom rules in the text area and erase them from the configuration file. The new button has a confirmation dialog where you must answer OK before it actually clears the custom rules.

      7.  Improved the security and integrity of the Rules Update process (both manual and automated) by incorporating verification of the MD5 hash of downloaded rules update files before unpacking and installing them. Previously the code simply tested that the downloaded file size was greater than an arbitrary number. If yes, the download was assumed good. In the new scheme, the MD5 hash of the downloaded file is calculated and then compared to the MD5 hash obtained from the rules origin web site. Only if they match does the updating of the rules proceed. If the hashes do not match, appropriate error messages are sent to the system log and the Rules Update Log.

      SnortInterfaces.jpg
      PreProcessors.jpg
      AutoDisabledRulesExample.jpg

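The MD5 check from item 7 of the change log, sketched as an added example; it is not the Snort package's own code (the package GUI is PHP). All function names, the `MIN_SIZE` threshold and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import re

MIN_SIZE = 100  # assumed stand-in for the old "arbitrary number" threshold


def old_size_check(blob):
    """Old scheme from the post: accept any download above a size threshold."""
    return len(blob) > MIN_SIZE


def parse_md5_file(text):
    """Pull the digest out of a published .md5 file (bare, quoted, or
    'digest  filename'); an HTML error page or empty body raises ValueError."""
    m = re.search(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])", text)
    if m is None:
        raise ValueError("no MD5 digest in published md5 file")
    return m.group(0).lower()


def md5_of_stream(stream, chunk=65536):
    """Hash in chunks so a large rules tarball is never held in memory."""
    h = hashlib.md5()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def rules_update(published_md5_text, installed_md5, download, log):
    """Return 'current', 'installed' or 'rejected'; `download` is a callable
    returning a binary stream, `log` collects the messages for the update log."""
    try:
        expected = parse_md5_file(published_md5_text)
    except ValueError as exc:
        log.append(f"Rules update aborted: {exc}")
        return "rejected"
    if installed_md5 and hmac.compare_digest(expected, installed_md5.lower()):
        log.append("Rules are up to date.")
        return "current"
    actual = md5_of_stream(download())
    if not hmac.compare_digest(actual, expected):
        # Nothing is unpacked; the previously installed rules stay in place.
        log.append(f"MD5 mismatch (expected {expected}, got {actual}); "
                   "download discarded.")
        return "rejected"
    log.append("MD5 verified; extracting and installing rules.")
    return "installed"


# Constructed sample data: a fake rules file, a truncated copy of it, and the
# digest file as the rules site would publish it.
GOOD = b'alert tcp any any -> any any (msg:"constructed"; sid:1000001;)\n' * 40
TRUNCATED = GOOD[: len(GOOD) // 2]
PUBLISHED = '"' + hashlib.md5(GOOD).hexdigest() + '"\n'

if __name__ == "__main__":
    log = []
    print(old_size_check(TRUNCATED))  # size test alone accepts the bad file
    print(rules_update(PUBLISHED, None, lambda: io.BytesIO(TRUNCATED), log))
    print(rules_update(PUBLISHED, None, lambda: io.BytesIO(GOOD), log))
    print("\n".join(log))
```

Because the digest is fetched from the same site as the rules file, this check catches truncated or corrupted downloads and error pages served in place of the tarball; it is an integrity check, not a signature.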
        Supermule

        I edit Snort Interface variables and go to Dashboard -> Services widget and press restart Snort.

        This happens

        Apr 26 13:32:45 SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
        Apr 26 13:32:41 kernel: em0: promiscuous mode disabled
        Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
        Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
        Apr 26 13:32:40 SnortStartup[27109]: Snort STOP for Internet(9626_em0)…
        Apr 26 13:32:36 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
        Apr 26 13:32:32 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
        Apr 26 13:32:28 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
        Apr 26 13:32:28 check_reload_status: Syncing firewall

        Go to services -> Snort and it shows Snort is not running. I click the green button and get this:

        Last 500 system log entries
        Apr 26 13:37:30 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
        Apr 26 13:37:29 kernel: em0: promiscuous mode enabled
        Apr 26 13:35:43 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
        Apr 26 13:35:41 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
        Apr 26 13:35:39 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
        Apr 26 13:35:39 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
        Apr 26 13:35:23 kernel: em0: promiscuous mode disabled
        Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
        Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
        Apr 26 13:35:22 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)…
        Apr 26 13:35:22 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
        Apr 26 13:35:21 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)...
        Apr 26 13:35:21 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
        Apr 26 13:34:35 kernel: em0: promiscuous mode enabled
        Apr 26 13:34:35 SnortStartup[43762]: Snort START for Internet(9626_em0)…

        Takes a very long time to start Snort.

        The only difference that I noticed was the change in interface name... From (9626_em0) to (em0) but I don't know if it has any influence on the way it behaves...

          bmeeks

          @Supermule:

          I edit Snort Interface variables and go to Dashboard -> Services widget and press restart Snort.

          This happens

          Apr 26 13:32:45 SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
          Apr 26 13:32:41 kernel: em0: promiscuous mode disabled
          Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
          Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
          Apr 26 13:32:40 SnortStartup[27109]: Snort STOP for Internet(9626_em0)…
          Apr 26 13:32:36 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
          Apr 26 13:32:32 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
          Apr 26 13:32:28 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
          Apr 26 13:32:28 check_reload_status: Syncing firewall

          Go to services -> Snort and it shows Snort is not running. I click the green button and get this:

          Last 500 system log entries
          Apr 26 13:37:30 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
          Apr 26 13:37:29 kernel: em0: promiscuous mode enabled
          Apr 26 13:35:43 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
          Apr 26 13:35:41 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
          Apr 26 13:35:39 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
          Apr 26 13:35:39 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
          Apr 26 13:35:23 kernel: em0: promiscuous mode disabled
          Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
          Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
          Apr 26 13:35:22 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)…
          Apr 26 13:35:22 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
          Apr 26 13:35:21 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)...
          Apr 26 13:35:21 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
          Apr 26 13:34:35 kernel: em0: promiscuous mode enabled
          Apr 26 13:34:35 SnortStartup[43762]: Snort START for Internet(9626_em0)…

          Takes a very long time to start Snort.

          Yes, the long time is Snort rebuilding the rules prior to starting.  Let's start a 2.5.7 Issues thread and keep problems with 2.5.7 over there.

          Thanks,
          Bill

            digdug3

            Again a great update. Worked without problems for me (pfSense 2.0.3 i386)  ;D

              johnnybe

              Too long I've been waiting to see the Snort running stable. I just hope the rules update set to 12 hours works fine, not requiring manual intervention to restart the service.
              Reporting Snort fresh install - old snapshot:

              2.1-BETA1 (amd64)
              built on Tue Mar 12 20:58:29 EDT 2013
              FreeBSD 8.3-RELEASE-p6

              Starting rules update…  Time: 2013-04-26 15:26:00
              Downloading Snort VRT md5 file...
              Checking Snort VRT md5 file...
              There is a new set of Snort VRT rules posted. Downloading...
              Done downloading rules file.
              Downloading Snort GPLv2 Community Rules md5 file...
              Checking Snort GPLv2 Community Rules md5.
              Snort GPLv2 Community Rules are up to date.
              Downloading EmergingThreats md5 file...
              Checking EmergingThreats md5.
              There is a new set of EmergingThreats rules posted. Downloading...
              Done downloading EmergingThreats rules file.
              Extracting and installing EmergingThreats.org rules...
              Installation of EmergingThreats.org rules completed.
              Extracting and installing Snort VRT rules...
              Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
              Installation of Snort VRT rules completed.
              Copying new config and map files...
              Updating rules configuration for: WAN ...
              Restarting Snort to activate the new set of rules...
              Snort has restarted with your new set of rules.
              The Rules update has finished.  Time: 2013-04-26 15:31:11

              Snort is working fine and the Widget as well. The Auto generted list for suppress, works fine too. But, as you can see, we have a typo there: generted. ;)

              Thanks for all your effort and dedication, bmeeks.

              you would not believe the view up here

                bmeeks

                @johnnybe:

                Snort is working fine and the Widget as well. The Auto generted list for suppress, works fine too. But, as you can see, we have a typo there: generted. ;)

                Thanks for all your effort and dedication, bmeeks.

                Thank you!  And I hate typos – that one escaped me this time, but it goes on my list for the future... ;D

                Bill

                  johnnybe

                  @bmeeks:

                  Thank you!  And I hate typos – that one escaped me this time, but it goes on my list for the future... ;D

                  Cool!  8)
                  More important than that: Snort running fine.  :)

                  you would not believe the view up here

                    tester_02

                    I just want to say that the snort package has never run so reliably and so polished EVER until now.

                    Thanks Bill!!

                      bmeeks

                      @tester_02:

                      I just want to say that the snort package has never run so reliably and so polished EVER until now.

                      Thanks Bill!!

                      That's great to hear!  Thank you for posting.

                      Bill

                        johnnybe

                        Good news: Automatic updates haven't disabled Snort. Same thing after manually hanging the system. After power on it took about 10 minutes for full system up (6 minutes to have Snort running back).
                        Flow bits is not enabled.
                        System Spec:
                        Intel(R) Atom(TM) CPU D510 @ 1.66GHz
                        2G RAM
                        HD Seagate Sata 7200rpm

                        INSTALLED RULESET SIGNATURES
                        SNORT.ORG
                        EMERGINGTHREATS.NET
                        SNORT GPLv2 COMMUNITY RULES

                        I do have a few rules disabled.

                        you would not believe the view up here

                          RonpfS

                          I updated to 2.5.7, and I also removed Widescreen.
                          It went fine, had to manually start snort but it is running ok.

                          The problem with the top left pfsense logo link seems to be gone.
                          It now points to https://xxxxx/index.php in the snort page  ;D

                          2.4.5-RELEASE-p1 (amd64)
                          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                            Clear-Pixel

                            Thanks bmeeks  ;D

                            HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13Ghz - 4 GB Ram -128GB SSD
                            Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
                            Single Ethernet Port - VLAN
                            Cisco SG300 10-port Gigabit Managed Switch
                            Cisco DPC3008 Cable Modem  30/4 Mbps
                            Pfsense 2.1-RELEASE (amd64)
                            –------------------------------------------------------------
                            Total Network Power Consumption - 29 Watts
