Snort Package Update 2.5.7 – Change Log



  • Snort 2.9.4.1 - Package Version 2.5.7

    CHANGE LOG – 04/25/2013
    This update for the Snort package includes several bug fixes, process and UI enhancements and new features. This updates the package to version 2.5.7. This is a GUI code update only. The underlying Snort binary package is still 2.9.4.1.

    How To Install

    For best results, ensure Snort is configured to save settings (on the Global Settings tab) and then perform a package delete and reinstall.  If you have version 2.5.6, a simple package reinstallation without a delete should work.  If you encounter difficulties, try the delete and reinstall method.

    Bug Fixes

    1.  Fixed longstanding bug preventing edits to the intervals for the "Rules Update" and "Remove Blocked Offenders" cron jobs. Changes made in the GLOBAL SETTINGS tab altering the initial settings are now saved and actually implemented in /etc/crontab.

    2.  Made additional enhancements to the Snort shell script to further improve the startup reliability of Snort and Barnyard2.  These changes corrected problems with Snort not auto-starting following 2.1-BETA snapshot updates and the associated package reinstallation.

    3.  Corrected a perceived bug in how the Snort reinstall process worked when reinstalling using previously saved settings. Now, if previously saved Snort settings are detected, Snort is auto-started at the end of the post-install process. Several users requested this new behavior.

    4.  Corrected a number of typos in the Automatic Rules Update module where string variables used as arguments within quotes were not properly delimited with braces {}. For example, "$my_variable" instead of "{$my_variable}".

    5.  Found several more HTML formatting errors scattered around in various modules. Fixing these corrected some weird table formatting issues with stuff not lining up correctly. One example was on the ALERTS tab where on Internet Explorer the layout was scrunched up all on the right-hand side when the alerts table was empty.

    6.  On the ALERTS tab, the CLEAR button was ineffective in Internet Explorer because it was not hooked correctly to the page form object, and consequently alerts could not be cleared when using Internet Explorer 9 or higher.  The CLEAR button now works correctly on IE9 and higher.

    7.  On the SNORT INTERFACES tab, added code to insure the Snort shell script was correctly generated each time an interface was added, removed or had its Barnyard2 settings modified. Previously, some actions could result in the required lines not being added to the shell script.

    8.  Fixed some spelling errors in assorted log messages and in a few code comments.

    9.  Fixed a bug in the new PBI-aware install code where during certain stages of package reinstalling on 2.1 systems the PBI path was null. Now, when the PBI path for Snort shows as null, a sane default value is used instead. This bug was also partly responsible for Snort reinstall failures on 2.1 systems during snapshot updates.

    Enhanced or New Features

    1.  Added a check on the SNORT INTERFACES tab for an empty set of rules on an interface. If a configured and enabled interface has no selected rules, a warning icon is now printed next to the offending interface. Additionally, a warning message is also printed in the system log when the interface is started. Lack of selected rules will not prevent Snort from starting on the interface, but now the user is notified of the condition.  See attached screenshot below for example.

    2.  Changed the pop-up window style for viewing the Flowbit-Required Rules and the Rule Updates Log to be a more conventional style custom pop-up that is not full-screen and does not contain the menu UI of pfSense. This will hopefully prevent some user confusion caused by the old UI where the pop-up window was full-screen and contained the menu. However, this old pop-up window did not have all the necessary state information from the old window; so some menu functions within Snort would get confused.

    3.  Added an automatic VIEW button to the PREPROCESSORS tab that appears whenever the automatic disabling of preprocessor-dependent rules is enabled and it has resulted in some rules actually being disabled. The user can now directly view these auto-disabled rules using the VIEW button on the PREPROCESSORS tab. Note that this new button only appears if rules have actually been disabled. If no rules were auto-disabled, then the new VIEW button is hidden.  See attached screenshot below.

    4.  Changed several of the system log messages from Snort to be more descriptive. Also added a few additional messages from the Snort package deletion and reinstallation routines to give a better record of the process in the event something goes wrong.

    Note – #5 below is a change in default behavior!
    5.  Continuing in the vein of making Snort easier for novices to use right out-of-the-box without inadvertently shooting themselves in the foot, the Snort package now default enables the most commonly-needed preprocessors. These are clearly marked now on the PREPROCESSORS tab. The new default values are used only when the user has never selected a value. If you have an existing Snort installation and saved the values "unchecked", then they will remain that way until you change them.

    6.  Added a new CLEAR button on the Custom Rules view of the RULES tab. When the Custom Rules are selected in the dropdown, and the text area is available for editing custom rules, you now have a CLEAR button that will delete all custom rules in the text area and erase them from the configuration file. The new button has a confirmation dialog where you must answer OK before it actually clears the custom rules.

    7.  Improved the security and integrity of the Rules Update process (both manual and automated) by incorporating verification of the MD5 hash of downloaded rules update files before unpacking and installing them. Previously the code simply tested that the downloaded file size was greater than an arbitrary number. If yes, the download was assumed good. In the new scheme, the MD5 hash of the downloaded file is calculated and then compared to the MD5 hash obtained from the rules origin web site. Only if they match does the updating of the rules proceed. If the hashes do not match, appropriate error messages are sent to the system log and the Rules Update Log.







  • Banned

    I edit Snort Interface variables and go to Dashoboard -> Services widget and press restart Snort.

    This happens

    Apr 26 13:32:45 SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
    Apr 26 13:32:41 kernel: em0: promiscuous mode disabled
    Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
    Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
    Apr 26 13:32:40 SnortStartup[27109]: Snort STOP for Internet(9626_em0)…
    Apr 26 13:32:36 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:32:32 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 13:32:28 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 13:32:28 check_reload_status: Syncing firewall

    Go to services -> Snort and it shows Snort is not running. I click the green button and get this:

    Last 500 system log entries
    Apr 26 13:37:30 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
    Apr 26 13:37:29 kernel: em0: promiscuous mode enabled
    Apr 26 13:35:43 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:35:41 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 13:35:39 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 13:35:39 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
    Apr 26 13:35:23 kernel: em0: promiscuous mode disabled
    Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
    Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
    Apr 26 13:35:22 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)…
    Apr 26 13:35:22 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 13:35:21 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)...
    Apr 26 13:35:21 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 13:34:35 kernel: em0: promiscuous mode enabled
    Apr 26 13:34:35 SnortStartup[43762]: Snort START for Internet(9626_em0)…

    Takes a very long time to start Snort.

    The only difference that I noticed was the change in interface name... From (9626_em0) to (em0) but I dont know if it has any influence on the way it behaves...



  • @Supermule:

    I edit Snort Interface variables and go to Dashoboard -> Services widget and press restart Snort.

    This happens

    Apr 26 13:32:45 SnortStartup[29810]: Snort STOP for Internet(9626_em0)…
    Apr 26 13:32:41 kernel: em0: promiscuous mode disabled
    Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
    Apr 26 13:32:41 snort[26004]: *** Caught Term-Signal
    Apr 26 13:32:40 SnortStartup[27109]: Snort STOP for Internet(9626_em0)…
    Apr 26 13:32:36 php: /snort/snort_preprocessors.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:32:32 php: /snort/snort_preprocessors.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 13:32:28 php: /snort/snort_preprocessors.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 13:32:28 check_reload_status: Syncing firewall

    Go to services -> Snort and it shows Snort is not running. I click the green button and get this:

    Last 500 system log entries
    Apr 26 13:37:30 php: /snort/snort_interfaces.php: Snort START for Internet(em0)...
    Apr 26 13:37:29 kernel: em0: promiscuous mode enabled
    Apr 26 13:35:43 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Apr 26 13:35:41 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Apr 26 13:35:39 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Apr 26 13:35:39 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(em0)...
    Apr 26 13:35:23 kernel: em0: promiscuous mode disabled
    Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
    Apr 26 13:35:23 snort[43453]: *** Caught Term-Signal
    Apr 26 13:35:22 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)…
    Apr 26 13:35:22 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 13:35:21 php: /snort/snort_interfaces.php: Snort STOP for Internet(em0)...
    Apr 26 13:35:21 php: /snort/snort_interfaces.php: Toggle (snort stopping) for WAN(em0)...
    Apr 26 13:34:35 kernel: em0: promiscuous mode enabled
    Apr 26 13:34:35 SnortStartup[43762]: Snort START for Internet(9626_em0)…

    Takes a very long time to start Snort.

    Yes, the long time is Snort rebuilding the rules prior to starting.  Let's start a 2.5.7 Issues thread and keep problems with 2.5.7 over there.

    Thanks,
    Bill



  • Again a great update. Worked without problems for me (pfSense 2.0.3 i386)  ;D



  • Too long I've been waiting to see the Snort running stable. I just hope the rules update set to 12 hours works fine, not requiring manual intervention to restart the service.
    Reporting Snort fresh install - old snapshot:

    2.1-BETA1 (amd64)
    built on Tue Mar 12 20:58:29 EDT 2013
    FreeBSD 8.3-RELEASE-p6

    Starting rules update…  Time: 2013-04-26 15:26:00
    Downloading Snort VRT md5 file...
    Checking Snort VRT md5 file...
    There is a new set of Snort VRT rules posted. Downloading...
    Done downloading rules file.
    Downloading Snort GPLv2 Community Rules md5 file...
    Checking Snort GPLv2 Community Rules md5.
    Snort GPLv2 Community Rules are up to date.
    Downloading EmergingThreats md5 file...
    Checking EmergingThreats md5.
    There is a new set of EmergingThreats rules posted. Downloading...
    Done downloading EmergingThreats rules file.
    Extracting and installing EmergingThreats.org rules...
    Installation of EmergingThreats.org rules completed.
    Extracting and installing Snort VRT rules...
    Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
    Installation of Snort VRT rules completed.
    Copying new config and map files...
    Updating rules configuration for: WAN ...
    Restarting Snort to activate the new set of rules...
    Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2013-04-26 15:31:11

    Snort is working fine and the Widget as well. The Auto generted list for suppress, works fine too. But, as you can see, we have a typo there: generted. ;)

    Thanks for all your effort and dedication, bmeeks.



  • @johnnybe:

    Snort is working fine and the Widget as well. The Auto generted list for suppress, works fine too. But, as you can see, we have a typo there: generted. ;)

    Thanks for all your effort and dedication, bmeeks.

    Thank you!  And I hate typos – that one escaped me this time, but it goes on my list for the future... ;D

    Bill



  • @bmeeks:

    Thank you!  And I hate typos – that one escaped me this time, but it goes on my list for the future... ;D

    Cool!  8)
    More important than that: Snort running fine.  :)



  • I just want to say that the snort package has never run so reliably and so polished EVER until now.

    Thanks Bill!!



  • @tester_02:

    I just want to say that the snort package has never run so reliably and so polished EVER until now.

    Thanks Bill!!

    That's great to hear!  Thank you for posting.

    Bill



  • Good news: Automatic updates haven't disable Snort. Same thing after manually hang the system. After power on it took about 10 minutes for full system up (6 minutes to have Snort running back).
    Flow bits is not enabled.
    System Spec:
    Intel(R) Atom(TM) CPU D510 @ 1.66GHz
    2G RAM
    HD Seagate Sata 7200rpm

    INSTALLED RULESET SIGNATURES
    SNORT.ORG
    EMERGINGTHREATS.NET
    SNORT GPLv2 COMMUNITY RULES

    I do have a few rules disabled.



  • I updated to 2.5.7, and I also removed I removed Widescreen
    I went fine, had to manually start snort but it is running ok

    The problem with the the top left pfsense logo link seems to be gone
    It now point to https://xxxxx/index.php in the snort page  ;D



  • Thanks bmeeks  ;D


Log in to reply