    Snort Pkg 2.5.8 Change Log and Screenshots

    Scheduled Pinned Locked Moved pfSense Packages
    25 Posts 8 Posters 7.3k Views
bmeeks

      Snort Package Updated to Version 2.5.8

      This release of the Snort Package fixes a few bugs and corrects some HTML CSS issues so Snort screens more closely match other pfSense screens.

      Bug Fixes

      1.  Fixed the generation of the default HOME_NET variable so it now correctly includes all locally-attached networks defined on the firewall interfaces. The entire subnet for locally-attached networks is now included. The WAN IP address, WAN gateway, WAN DNS Servers, VPNs and/or VIPs (virtual IPs) are also included by default. Optionally, these latter components may also be omitted. Formerly the entire WAN subnet was included in HOME_NET. This was not optimal and was changed to include just the WAN IP instead of the entire subnet.

2.  Similar to the HOME_NET fix above, the default WHITELIST was also fixed to contain the entire subnet of all locally-attached firewall networks. It may also optionally contain WAN, VPN and VIP information as described for HOME_NET above.  See the attached screenshot of the new Whitelist Edit page.  Notice the new Local Networks option (selected by default).  This automatically includes all locally-attached networks defined on the firewall in the default Whitelist and HOME_NET.

      3.  Fixed various HTML code issues on several pages that caused problems with word-wrapping and column layout on some browsers (Firefox and Chrome).

      4.  Fixed minor bug on SNORT INTERFACES tab when attempting to delete an existing interface.

      Bill
[Attachment: NewWhitelistEdit.jpg]

bmeeks

        Snort Package Updated to Version 2.5.8

        This release of the Snort Package introduces one significant change.

        Significant Change

This version changes the icons associated with Snort "running" and "stopped" conditions in order to come in line with the theme used elsewhere in pfSense.  The new icons are shown in the attached screenshots.

        Bill

[Attachments: SnortRunningIcon.jpg, SnortStoppedIcon.jpg]

bmeeks

          Snort Package Updated to Version 2.5.8

          This release of the Snort Package introduces some new features and polishes up some old ones a bit.

          New or Improved Features

1.  New Tab layout: Thanks to forum member Marcelloc, Snort now sports a new multi-tier tab layout when you click to edit an interface.  This makes navigating around to the various pages easier.  See the attached screenshots.  In the attached image, the WAN interface was chosen to edit from the main Snort Interfaces tab.  That action then layers the tabs associated with the WAN interface edit functions underneath the main Snort tabs.

2.  New SF_Portscan Options: Snort now includes new configurable options in the GUI for the SF_PORTSCAN preprocessor.  The options are shown in the attached screenshots.  They are Memory Cap, Scan Type and Scan Protocol.

[Attachments: NewTabLayout.jpg, SfPortscanOptions.jpg, SfPortscanProtocols.jpg, SfPortscanTypes.jpg]

bmeeks

            This release of the Snort Package introduces some new features and polishes up some old ones a bit.

            New or Improved Features

3.  New HTTP_INSPECT options: Four new HTTP_INSPECT preprocessor options are now configurable through the GUI.  These are "XFF/True-Client IP", "URI Logging", "Hostname Logging" and the HTTP_INSPECT Memory Cap.  See the attached screenshot.

[Attachment: HttpInspectOptions.jpg]

bmeeks

              This release of the Snort Package introduces some new features and polishes up some old ones a bit.

              New or Improved Features

4.  New Frag3 Options: Several new configurable parameters for the Frag3 preprocessor are now available via the GUI.  See the attached screenshot.  Formerly these parameters were set to hard-coded defaults.  Now they are user-configurable to allow optimization for specific network environments and protected hosts.

[Attachment: Frag3Options.jpg]

bmeeks

                This release of the Snort Package introduces some new features and polishes up some old ones a bit.

                New or Improved Features

5.  Stream5 Options: Several new user-configurable Stream5 preprocessor parameters are now exposed in the Snort GUI.  See the attached screenshot.  As with the Frag3 preprocessor options mentioned above, these were formerly set to hard-coded defaults.  Now they are configurable by the user to suit different situations.

6.  Reset Preprocessors to Defaults: At the bottom of the Preprocessors tab there is now a Reset button that will return all the Preprocessor settings on the page to their default values.  This provides an easy way to return to the "out of the box" setup for the Snort preprocessors.

[Attachments: Stream5Options.jpg, PreprocessorResetToDefaultsBtn.jpg]

bmeeks

                  This release of the Snort Package introduces some new features and polishes up some old ones a bit.

                  New or Improved Features

7.  New "No Rules Configured" Warning: Snort now provides a warning notification icon on the Snort Interfaces tab whenever a Snort-configured interface is present but for which no enforcing rules have been defined.  See the attached screenshot.  This is to alert the user of a condition where Snort would not be offering protection for the interface (no defined rules equals nothing to alert and block on).

8.  Style Overhaul for Rules Edit page: The Snort Rules Edit page has a bit of a style makeover to more closely match the other Snort pages.  One of the new features on this page is the addition of pop-up tooltip text that shows the full value of any truncated column values.  See the attached screenshot.

[Attachments: InterfacesTabNorules.jpg, NewRulesTabStyle.jpg]

bmeeks

                    This release of the Snort Package introduces some new features and polishes up some old ones a bit.

                    New or Improved Features

9.  New Flowbits Page: The page for viewing auto-enabled flowbit-required rules was also redesigned to use the same style as the other Snort pages.  Additionally, the new page features a small plus icon (+) next to the SID for any flowbit rule that has the potential of generating an Alert.  These would be flowbit rules without the "no alert" option present in the rule options.  Clicking the plus icon (+) next to the SID will automatically add the flowbit rule's GID:SID to the Suppress List for the interface.

                    The flowbits resolution logic in this version also correctly handles logical operations involving flowbits (bits and bats to use the unofficial terms).  When parsing flowbits options from rules the package now correctly identifies each individual bits or bats term from the logical operators and ensures the appropriate required flowbit rules are enabled.  See the Snort manual at http://manual.snort.org/node33.html#SECTION004610000000000000000 for more details on flowbits logical operators.

[Attachment: FlowbitsPageView.jpg]

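As an added example (not the Snort package's own code), the following sketch shows how a flowbits resolver that splits "bits and bats" on the logical operators and follows chains of setter rules to a fixed point can work; the rules, SIDs and bit names are constructed for illustration.

```php
<?php
// Added example, not code from the pfSense Snort package. Resolves which
// flowbit-setting rules must be enabled so that enabled rules testing those
// bits can fire, and flags which of them can raise alerts (no "noalert").
// Rule text and SIDs below are constructed for illustration.

/* Return array(op, bits[]) for each flowbits option in a rule. A "bat"
   such as ftp.login&ftp.auth is split into its individual bit names. */
function flowbits_terms($rule) {
    $out = array();
    if (!preg_match_all('/flowbits\s*:\s*([^;]+);/i', $rule, $m))
        return $out;
    foreach ($m[1] as $opt) {
        $parts = array_map('trim', explode(',', $opt));
        $op = strtolower($parts[0]);
        $bits = array();
        if (isset($parts[1]) && $op != 'noalert' && $op != 'reset') {
            foreach (preg_split('/[&|]/', $parts[1]) as $bit) {
                $bit = trim($bit);
                // "any" / "all" are group qualifiers, not bit names
                if ($bit !== '' && !in_array(strtolower($bit), array('any', 'all'), true))
                    $bits[] = $bit;
            }
        }
        $out[] = array($op, $bits);
    }
    return $out;
}

/* A flowbit rule can raise an alert unless it carries flowbits:noalert */
function flowbits_can_alert($rule) {
    foreach (flowbits_terms($rule) as $t)
        if ($t[0] == 'noalert') return false;
    return true;
}

/* Given all rules (sid => rule text) and the enabled sids, return the sids
   of the extra rules that must be enabled because an enabled (or already
   required) rule tests a bit those rules set. Iterates to a fixed point,
   so a setter that itself tests another bit pulls in its own setters. */
function flowbits_required_sids($rules, $enabled) {
    $setters = array();              // bit name => sids that set/setx/toggle it
    foreach ($rules as $sid => $rule)
        foreach (flowbits_terms($rule) as $t)
            if (in_array($t[0], array('set', 'setx', 'toggle'), true))
                foreach ($t[1] as $bit)
                    $setters[$bit][] = $sid;

    $required = array();
    $todo = array_values($enabled);
    while ($todo) {
        $sid = array_shift($todo);
        if (!isset($rules[$sid])) continue;
        foreach (flowbits_terms($rules[$sid]) as $t) {
            if ($t[0] != 'isset' && $t[0] != 'isnotset') continue;
            foreach ($t[1] as $bit) {
                if (!isset($setters[$bit])) continue;
                foreach ($setters[$bit] as $dep) {
                    if (in_array($dep, $enabled) || isset($required[$dep])) continue;
                    $required[$dep] = true;
                    $todo[] = $dep;  // the setter may test further bits itself
                }
            }
        }
    }
    ksort($required);
    return array_keys($required);
}

// Constructed sample rule set: only 1000003 is enabled by the user.
$rules = array(
    1000001 => 'alert tcp any any -> any 21 (msg:"login seen"; flowbits:set,ftp.login; flowbits:noalert; sid:1000001;)',
    1000002 => 'alert tcp any any -> any 21 (msg:"auth seen"; flowbits:isset,ftp.login; flowbits:set,ftp.auth; sid:1000002;)',
    1000003 => 'alert tcp any any -> any any (msg:"bad cmd"; flowbits:isset,ftp.login&ftp.auth; sid:1000003;)',
    1000004 => 'alert tcp any any -> any 80 (msg:"unrelated"; flowbits:set,http.seen; flowbits:noalert; sid:1000004;)',
);
$enabled = array(1000003);
foreach (flowbits_required_sids($rules, $enabled) as $sid) {
    printf("enable %d (%s)\n", $sid,
        flowbits_can_alert($rules[$sid]) ? 'can alert, candidate for the Suppress List' : 'noalert');
}
```

Rule 1000004 sets a bit nobody tests and stays disabled; 1000002 is pulled in because 1000003 tests ftp.auth, and 1000001 because both 1000003 and 1000002 test ftp.login.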
bmeeks

                      This release of the Snort Package introduces some new features and polishes up some old ones a bit.

                      New or Improved Features

10.  View Suppress List/Whitelist from Interface Edit page: On the Interface Edit tab you can now directly open up and view the associated Whitelist or Suppress List for the interface.  Next to the drop-down boxes for selecting a Whitelist or Suppress List there is a View List button.  Clicking this button will open the currently selected Whitelist or Suppress List in a small pop-up window for viewing.

[Attachment: HomeNet-Whitelist-Suppress-ViewBtns.jpg]

bmeeks

                        This release of the Snort Package introduces some new features and polishes up some old ones a bit.

                        New or Improved Features

11.  New Alert tab Feature: The Alerts tab has a couple of significant changes.  One is a bug fix to enable proper column text wrapping without extending past the edge of the parent table.  The second change is a modification to an existing feature where you can click the plus icon (+) next to an alert to automatically add the GID:SID to the Suppress List for the interface.  Now, the icon changes color to indicate whether or not the GID:SID is already listed in the Suppress List.  If the icon is grayed-out, that means the GID:SID from the Alert is already present in the Suppress List and will not be generating Block Events.  See the attached screenshot.

[Attachment: AlertsTabSuppressIcons.jpg]

bmeeks

                          This release of the Snort Package introduces some new features and polishes up some old ones a bit.

                          New or Improved Features

12.  New CARP Sync Feature: This version of the Snort package revives an old feature – the ability to synchronize the Snort configurations of several firewalls.  Thanks to forum member Marcelloc for the code behind this feature.  There is now a Sync tab on the main menu where you can select target destination hosts to receive copies of the configuration from a Master host.  This code is still considered experimental and may not be ready for production use.  Use at your own risk in a production environment.  However, for those brave souls willing to test the feature, we welcome feedback on your experiences (the good ones and the bad ones).

                          Read the cautions and warnings on the page carefully!  You can create a fatal loop condition if you try to sync a master to a secondary and then that secondary back to the same master.  You should only have ONE master (the Master is the machine that is never a sync target).  When you enable this feature, you have the option of commanding the remote target hosts to download fresh rules during the sync process.  Be aware this will take several seconds to complete, and in this version of the sync code the Master host will wait until the remote target completes the rule download and local rebuild before proceeding.  This means the sync process can take a while if you have configured multiple target hosts.  The option to download fresh rules on sync is configurable.  In the future the plan is to spawn the rules download and rebuild process on the secondary target hosts as a background process so the Master does not have to wait.  For now, though, the Master will wait on each Secondary Host Target to complete the rules download and rebuild before proceeding.   You also have the option of automatically starting Snort on the remote host if it is not already running.  This Snort auto-start process is spawned off into the background at present and the Master will not wait on Snort to restart on the Secondary Targets.

                          A decent amount of message logging is performed on the destination target hosts.  Look in the system log for messages tagged with:

                          [snort] XMLRPC pkg sync:
                          

[Attachment: SyncTab.jpg]

Supermule

                            The community owes you SO much for this Bill!!

                            We cannot thank you enough for this and all the time you have spent on bettering it and making it run stable on PfSense!

Clear-Pixel

                              Thanks for your contributions bmeeks …. We salute you, and look forward to future security enhancements.

                              HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13Ghz - 4 GB Ram -128GB SSD
                              Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
                              Single Ethernet Port - VLAN
                              Cisco SG300 10-port Gigabit Managed Switch
                              Cisco DPC3008 Cable Modem  30/4 Mbps
                              Pfsense 2.1-RELEASE (amd64)
--------------------------------------------------------------
Total Network Power Consumption - 29 Watts

shinzo

Thank you for adding the frag3 and stream5 settings to the GUI.  I have an idea for the "target policy": maybe being able to bind, let's say, 192.168.1.1 to bsd, then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason I keep using pfSense is because of the wonderful updates to the Snort package.

bmeeks

                                  @shinzo:

Thank you for adding the frag3 and stream5 settings to the GUI.  I have an idea for the "target policy": maybe being able to bind, let's say, 192.168.1.1 to bsd, then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason I keep using pfSense is because of the wonderful updates to the Snort package.

                                  The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

                                  Bill

gogol

                                    I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

bmeeks

                                      @gogol:

                                      I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

                                      That is already on my radar.  I am working on that in my test setups now.  Having some trouble with my 2.1 Builder VM, and that has slowed me down on the Snort 2.9.4.6 effort.

                                      Bill

shinzo

                                        @bmeeks:

                                        @shinzo:

Thank you for adding the frag3 and stream5 settings to the GUI.  I have an idea for the "target policy": maybe being able to bind, let's say, 192.168.1.1 to bsd, then x.x.x.2 to linux and 192.168.1.0/24 to windows?

But thanks again.  The only reason I keep using pfSense is because of the wonderful updates to the Snort package.

                                        The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

                                        Bill

                                        thanks i look forward to it :D

kilthro

                                          Thanks for your continued work on this package Bill. I am really loving all the new features you have been incorporating into Snort.  Shout out to marcelloc too for assisting on some of the items.

asbirim

Hi, first of all thank you for this great package.

I needed to block offenders, but not all traffic, just unknown traffic, e.g. torrent, p2p.

So I added an alias named "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change the default snort2c alias.  Can you add these changes to the package?

I have basic allow rules, like only safe ports allowed.
I am using
block any to any source spammers
at the bottom of all other rules, so I can block offenders.

The changes are below.

Results attached.
Thanks.

                                            /usr/local/pkg/snort/snort.inc

                                            
global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename, $snortrmblocktable;

/* Name of the pf table Snort blocks offenders into. Read from the new
   Global Settings field; falls back to the stock snort2c table when unset. */
$snortrmblocktable = $config['installedpackages']['snortglobal']['snortrmblocktable'];
if (trim($snortrmblocktable) == "")
	$snortrmblocktable = "snort2c";
                                            
                                            
                                            
                                            function snort_get_blocked_ips() {
                                            	global $snortrmblocktable;
                                            	$blocked_ips = "";
                                            	exec("/sbin/pfctl -t $snortrmblocktable -T show", $blocked_ips);
                                            	$blocked_ips_array = array();
                                            	if (!empty($blocked_ips)) {
                                            		$blocked_ips_array = array();
                                            		if (is_array($blocked_ips)) {
                                            			foreach ($blocked_ips as $blocked_ip) {
                                            				if (empty($blocked_ip))
                                            					continue;
                                            				$blocked_ips_array[] = trim($blocked_ip, " \n\t");
                                            			}
                                            		}
                                            	}
                                            
                                            	return $blocked_ips_array;
                                            }
                                            
                                            
                                            
                                            function snort_rm_blocked_install_cron($should_install) {
                                            	global $config, $g, $snortrmblocktable;
                                            
                                            	if (!is_array($config['cron']['item']))
                                            		$config['cron']['item'] = array();
                                            
                                            	$x=0;
                                            	$is_installed = false;
                                            	foreach($config['cron']['item'] as $item) {
                                            		if (strstr($item['command'], "$snortrmblocktable")) {
                                            			$is_installed = true;
                                            			break;
                                            		}
                                            		$x++;
                                            	}
                                            .
                                            .
                                            .
                                            .
                                            	case true:
                                            		$cron_item = array();
                                            		$cron_item['minute'] = "$snort_rm_blocked_min";
                                            		$cron_item['hour'] = "$snort_rm_blocked_hr";
                                            		$cron_item['mday'] = "$snort_rm_blocked_mday";
                                            		$cron_item['month'] = "$snort_rm_blocked_month";
                                            		$cron_item['wday'] = "$snort_rm_blocked_wday";
                                            		$cron_item['who'] = "root";
                                            		$cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire $snortrmblocktable";
                                            
                                            		/* Add cron job if not already installed, else just update the existing one */
                                            		if (!$is_installed) 
                                            			$config['cron']['item'][] = $cron_item;
                                            		elseif ($is_installed)
                                            			$config['cron']['item'][$x] = $cron_item;
                                            		break;
                                            	case false:
                                            		if ($is_installed == true)
                                            			unset($config['cron']['item'][$x]);
                                            		break;
                                            	}
                                            }
                                            
                                            
                                            
                                            function snort_deinstall() {
                                            
                                            	global $config, $g, $snort_rules_upd_log, $snortrmblocktable;
                                            .
                                            .
                                            .
                                            /* Remove all the Snort cron jobs. */
                                            	snort_deinstall_cron("$snortrmblocktable");
                                            
                                            
                                            
                                            function snort_generate_conf($snortcfg) {
                                            
                                            	global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $snortrmblocktable;
                                            .
                                            .
                                            .
                                            @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
                                            		$spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},$snortrmblocktable,{$snortcfg['blockoffendersip']},{$pfkill}";
                                            
                                            

                                            /usr/local/www/snort/snort_blocked.php

                                            
                                            if ($_POST['todelete'] || $_GET['todelete']) {
                                            	$ip = "";
                                            	if($_POST['todelete'])
                                            		$ip = $_POST['todelete'];
                                            	else if($_GET['todelete'])
                                            		$ip = $_GET['todelete'];
                                            	if (is_ipaddr($ip))
                                            		exec("/sbin/pfctl -t $snortrmblocktable -T delete {$ip}");
                                            }
                                            
                                            if ($_POST['remove']) {
                                            	exec("/sbin/pfctl -t $snortrmblocktable -T flush");
                                            	header("Location: /snort/snort_blocked.php");
                                            	exit;
                                            }
                                            
/* TODO: build a file with block ip and disc */
if ($_POST['download'])
{
	$blocked_ips_array_save = "";
	/* Double quotes so $snortrmblocktable is interpolated; with the single
	   quotes used originally pfctl was passed the literal text "$snortrmblocktable" */
	exec("/sbin/pfctl -t $snortrmblocktable -T show", $blocked_ips_array_save);
                                            
                                            

                                            /usr/local/www/snort/snort_interfaces_global.php

                                            
                                            $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
                                            $pconfig['snortrmblocktable'] = $config['installedpackages']['snortglobal']['snortrmblocktable'];
                                            
                                            
                                            
                                            		$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
                                            		$config['installedpackages']['snortglobal']['snortrmblocktable'] = $_POST['snortrmblocktable'];	
                                            
                                            
                                            
                                            
                                            

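The table name introduced by the patch above comes from a web form field and is later spliced into pfctl command lines with exec(), so the checks a reviewer would ask for are validation at save time, a safe fallback, and shell quoting.  The following is an added example, not code from the post or from the Snort package; the name pattern is an assumption modelled on pf alias names, and pfSense's is_ipaddr() is replaced by filter_var() so it runs stand-alone.

```php
<?php
// Added example, not code from the post above or from the pfSense Snort
// package. Shows a stricter handling of the custom block-table name the
// patch stores in $config['installedpackages']['snortglobal']['snortrmblocktable'].

/* Assumed naming rule for pf tables/aliases: letters, digits, underscore,
   not starting with a digit, at most 31 characters. */
function snort_valid_table_name($name) {
    return is_string($name)
        && preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,30}$/', $name) === 1;
}

/* Resolve the block table name from the package config, defaulting to
   snort2c when the field is unset or holds an invalid value. */
function snort_block_table_name($config) {
    $name = '';
    if (isset($config['installedpackages']['snortglobal']['snortrmblocktable']))
        $name = trim($config['installedpackages']['snortglobal']['snortrmblocktable']);
    return snort_valid_table_name($name) ? $name : 'snort2c';
}

/* Build a pfctl table command line, or return false if any part is unsafe.
   Every argument is shell-quoted; the action is limited to a fixed list. */
function snort_pfctl_table_cmd($table, $action, $ip = null) {
    if (!snort_valid_table_name($table)) return false;
    if (!in_array($action, array('show', 'flush', 'delete'), true)) return false;
    $cmd = '/sbin/pfctl -t ' . escapeshellarg($table) . ' -T ' . $action;
    if ($action === 'delete') {
        // filter_var stands in for pfSense's is_ipaddr() here
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) return false;
        $cmd .= ' ' . escapeshellarg($ip);
    }
    return $cmd;
}

/* What the snort_interfaces_global.php save handler should do with the
   posted field: reject bad names instead of storing them. Returns an
   error message, or "" on success. */
function snort_save_table_name(&$config, $post) {
    $name = isset($post['snortrmblocktable']) ? trim($post['snortrmblocktable']) : '';
    if ($name === '') $name = 'snort2c';
    if (!snort_valid_table_name($name))
        return "Invalid block table name; use letters, digits and underscore only.";
    $config['installedpackages']['snortglobal']['snortrmblocktable'] = $name;
    return "";
}

/* The snort_blocked.php request handling from the patch, returning the
   commands that would be run rather than executing them. */
function snort_blocked_commands($config, $post, $get) {
    $table = snort_block_table_name($config);
    $cmds = array();
    $ip = isset($post['todelete']) ? $post['todelete']
        : (isset($get['todelete']) ? $get['todelete'] : '');
    if ($ip !== '' && ($c = snort_pfctl_table_cmd($table, 'delete', $ip)) !== false)
        $cmds[] = $c;
    if (!empty($post['remove']))
        $cmds[] = snort_pfctl_table_cmd($table, 'flush');
    return $cmds;
}

// Constructed walk-through: a valid custom alias is accepted, an invalid
// one is rejected at save time, and an invalid value already sitting in
// the config falls back to snort2c instead of reaching the shell.
$config = array();
$err = snort_save_table_name($config, array('snortrmblocktable' => 'spammers'));
echo $err === '' ? "saved: " . snort_block_table_name($config) . "\n" : "$err\n";
echo snort_save_table_name($config, array('snortrmblocktable' => 'bad name!')) . "\n";
foreach (snort_blocked_commands($config, array('todelete' => '203.0.113.7', 'remove' => '1'), array()) as $c)
    echo "$c\n";
$config['installedpackages']['snortglobal']['snortrmblocktable'] = 'bad name!';
echo "fallback: " . snort_block_table_name($config) . "\n";
```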
[Attachments: aliasess.png, rules.png, global_settings.png, blocked lists.png, tables.png]
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.