Snort Pkg 2.5.8 Change Log and Screenshots



  • Snort Package Updated to Version 2.5.8

    This release of the Snort Package fixes a few bugs and corrects some HTML CSS issues so Snort screens more closely match other pfSense screens.

    Bug Fixes

    1.  Fixed the generation of the default HOME_NET variable so it now correctly includes all locally-attached networks defined on the firewall interfaces. The entire subnet for locally-attached networks is now included. The WAN IP address, WAN gateway, WAN DNS Servers, VPNs and/or VIPs (virtual IPs) are also included by default. Optionally, these latter components may also be omitted. Formerly the entire WAN subnet was included in HOME_NET. This was not optimal and was changed to include just the WAN IP instead of the entire subnet.

    2.  Similar to the HOME_NET fix above, the default WHITELIST was also fixed to contain the entire subnet of all locally-attached firewall networks. It may also optionally contains WAN, VPN and VIP information as described for HOME_NET above.  See the attached screenshot of the new Whitelist Edit page.  Notice the new Local Networks option (selected by default).  This automatically includes all locally-attached networks defined on the firewall in the default Whitelist and HOME_NET.

    3.  Fixed various HTML code issues on several pages that caused problems with word-wrapping and column layout on some browsers (Firefox and Chrome).

    4.  Fixed minor bug on SNORT INTERFACES tab when attempting to delete an existing interface.

    Bill



  • Snort Package Updated to Version 2.5.8

    This release of the Snort Package introduces one significant change.

    Significant Change

    This version changes the icons associated with Snort "running" and "stopped' conditions in order to come in line with the theme used elsewhere in pfSense.  The new icons are shown in the attached screenshots.

    Bill






  • Snort Package Updated to Version 2.5.8

    This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    1.  New Tab layout  Thanks to forum member Marcelloc, Snort now sports a new multi-tier tab layout when you click to edit an interface.  This makes navigating around to the various pages easier.  See the attached screenshots.  In the attached image, the WAN interface was chosen to edit from the main Snort Interfaces tab.  That action then layers the tabs associated with the WAN interface edit functions underneath the main Snort tabs.

    2.  New SF_Portscan Options  Snort now includes new configurable options in the GUI for the SF_PORTSCAN preprocessor.  The options are shown in the attached screenshots.  They are Memory Cap, Scan Type and Scan Protocol.










  • This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    3.  New HTTP_INSPECT options  Four new HTTP_INSPECT preprocessor options are now configurable through the GUI.  These are "XFF/True-Client IP", "URI Logging", "Hostname Logging" and the HTTP_INSPECT Memory Cap.  See the attached screenshot.




  • This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    4.  New Frag3 Options  Several new configurable parameters for the Frag3 preprocessor are now available via the GUI.  See the attached screenshot.  Formerly these parameters were set to hard-coded defaults.  Now they are user-configurable to allow optimization for specific network environments and protected hosts.




  • This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    5.  Stream5 Options  Several new user-configurable Stream5 preprocessor parameters are now exposed in the Snort GUI.  See the attached screenshot.  As with the Frag3 preprocessor options mentioned above, these were formerly set to hard-coded defaults.  Now they are configurable by the user to suit different situations.

    6. Reset Preprocessors to Defaults  At the bottom of the Preprocessors tab there is now a Reset button that will return all the Preprocessor settings on the page to their default values.  This provides an easy way to return to the "out of the box" setup for the Snort preprocessors.






  • This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    7.  New "No Rules Configured" Warning  Snort now provides a warning notification icon on the Snort Interfaces tab whenever a Snort-configured interface is present but for which no enforcing rules have been defined.  See the attached screenshot.  This is to alert the user of a condition where Snort would not be offering protection for the interface (no defined rules equals nothing to alert and block on).

    8.  Style Overhaul for Rules Edit page  The Snort Rules Edit page has a bit of a style makeover to more closely match the other Snort pages.  One of the new features on this page is the addition of pop-up tooltip text that shows the full value of any truncated column values.  See the attached screenshot.






  • This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    9.  New Flowbits Page  The page for viewing auto-enabled flowbit-required rules was also redesigned to use the same style as the other Snort pages.  Additionally, the new page features a small plus icon (+) next to the SID for any flowbit rule that has the potential of generating an Alert.  These would be flowbit rules without the "no alert" option present in the rule options.  Clicking the plus icon (+) next to the SID will automatically add the flowbit rule's GID:SID to the Suppress List for the interface.

    The flowbits resolution logic in this version also correctly handles logical operations involving flowbits (bits and bats to use the unofficial terms).  When parsing flowbits options from rules the package now correctly identifies each individual bits or bats term from the logical operators and ensures the appropriate required flowbit rules are enabled.  See the Snort manual at http://manual.snort.org/node33.html#SECTION004610000000000000000 for more details on flowbits logical operators.




  • This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    10.  View Suppress List/Whitelist from Interface Edit page  On the Interface Edit tab you can now directly open up and view the associated Whitelist or Suppress List for the interface.  Next to the drop-down boxes for selecting a Whitelist or Suppress List there is a View List button.  Clicking this button will open the currently selected Whitelist or Suppress List in a small pop-up window for viewing.




  • This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    11.  New Alert tab Feature  The Alerts tab has a couple of significant changes.  One is a bug fix to enable proper column text wrapping without extending past the edge of the parent table.  The second change is a modification to an existing feature where you can click the plus icon (+) next to an alert to automatically add the GID:SID to the Suppress List for the interface.  Now, the icon changes color to indicate whether or not the GID:SID is already listed in the Suppress List.  If the icon is grayed-out, that means the GID:SID from the Alert is already present in the Suppress List and will not be generating Block Events.  See the attached screenshot.




  • This release of the Snort Package introduces some new features and polishes up some old ones a bit.

    New or Improved Features

    12.  New CARP Sync Feature  This version of the Snort package revives an old feature – the ability to synchronize the Snort configurations of several firewalls.  Thanks to forum member Marcelloc for the code behind this feature.  There is now a Sync tab on the main menu where you can select target destination hosts to receive copies of the configuration from a Master host.  This code is still considered experimental and may not be ready for production use.  Use at your own risk in a production environment.  However, for those brave souls willing to test the feature, we welcome feedback on your experiences (the good ones and the bad ones).

    Read the cautions and warnings on the page carefully!  You can create a fatal loop condition if you try to sync a master to a secondary and then that secondary back to the same master.  You should only have ONE master (the Master is the machine that is never a sync target).  When you enable this feature, you have the option of commanding the remote target hosts to download fresh rules during the sync process.  Be aware this will take several seconds to complete, and in this version of the sync code the Master host will wait until the remote target completes the rule download and local rebuild before proceeding.  This means the sync process can take a while if you have configured multiple target hosts.  The option to download fresh rules on sync is configurable.  In the future the plan is to spawn the rules download and rebuild process on the secondary target hosts as a background process so the Master does not have to wait.  For now, though, the Master will wait on each Secondary Host Target to complete the rules download and rebuild before proceeding.   You also have the option of automatically starting Snort on the remote host if it is not already running.  This Snort auto-start process is spawned off into the background at present and the Master will not wait on Snort to restart on the Secondary Targets.

    A decent amount of message logging is performed on the destination target hosts.  Look in the system log for messages tagged with:

    [snort] XMLRPC pkg sync:
    



  • Banned

    The community owes you SO much for this Bill!!

    We cannot thank you enough for this and all the time you have spent on bettering it and making it run stable on PfSense!



  • Thanks for your contributions bmeeks …. We salute you, and look forward to future security enhancements.



  • Thank you for adding the frag3 and stream5 settings to the gui.  I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

    But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.



  • @shinzo:

    Thank you for adding the frag3 and stream5 settings to the gui.   I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

    But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.

    The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

    Bill



  • I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02



  • @gogol:

    I think that Snort also has to be updated to 2.9.4.6 because EOL is approaching on 2013-07-02

    That is already on my radar.  I am working on that in my test setups now.  Having some trouble with my 2.1 Builder VM, and that has slowed me down on the Snort 2.9.4.6 effort.

    Bill



  • @bmeeks:

    @shinzo:

    Thank you for adding the frag3 and stream5 settings to the gui.   I have a idea, for the "target policy", maybe being able to bind let say 192.168.1.1 to bsd then x.x.x.2 to linux and 192.168.1.0/24 to windows?

    But thanks again.  The only reason i keep using pfsense is because of the wonderful updates to the snort package.

    The next update will hopefully really unlock the potential of the Frag3, Stream5 and HTTP_INSPECT preprocessors by letting you specify different configurations for different IP addresses.  Snort (the binary) allows this, but the GUI was just not originally set up that way.  It will take some restructuring of the Preprocessors tab to pull it off, but I think I can do it.  I have an idea for a type of table (similar to the Interfaces table on the Snort Interfaces tab) where you can add and edit various configuration "blocks" for different IP addresses or ranges for those preprocessors that support it.  So for example, you could define unique settings for different web servers, or different Stream5 or Frag3 settings for different IP networks protected by Snort.

    Bill

    thanks i look forward to it :D



  • Thanks for your continued work on this package Bill. I am really loving all the new features you have been incorporating into Snort.  Shout out to marcelloc too for assisting on some of the items.



  • hi, first of all thank you for this great package.

    i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

    so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

    i have basic allow rules like only safe ports allowed.
    i am using
    block any to any source spammers
    at bottom of all others rules. so i can block offenders.

    changes are below.

    results attached.
    thanks.

    /usr/local/pkg/snort/snort.inc

    
    global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename, $snortrmblocktable;
    
    $snortrmblocktable=$config['installedpackages']['snortglobal']['snortrmblocktable'];
    if(trim($snortrmblocktable)=="")
    	$snortrmblocktable="snort2c";
    
    
    
    function snort_get_blocked_ips() {
    	global $snortrmblocktable;
    	$blocked_ips = "";
    	exec("/sbin/pfctl -t $snortrmblocktable -T show", $blocked_ips);
    	$blocked_ips_array = array();
    	if (!empty($blocked_ips)) {
    		$blocked_ips_array = array();
    		if (is_array($blocked_ips)) {
    			foreach ($blocked_ips as $blocked_ip) {
    				if (empty($blocked_ip))
    					continue;
    				$blocked_ips_array[] = trim($blocked_ip, " \n\t");
    			}
    		}
    	}
    
    	return $blocked_ips_array;
    }
    
    
    
    function snort_rm_blocked_install_cron($should_install) {
    	global $config, $g, $snortrmblocktable;
    
    	if (!is_array($config['cron']['item']))
    		$config['cron']['item'] = array();
    
    	$x=0;
    	$is_installed = false;
    	foreach($config['cron']['item'] as $item) {
    		if (strstr($item['command'], "$snortrmblocktable")) {
    			$is_installed = true;
    			break;
    		}
    		$x++;
    	}
    .
    .
    .
    .
    	case true:
    		$cron_item = array();
    		$cron_item['minute'] = "$snort_rm_blocked_min";
    		$cron_item['hour'] = "$snort_rm_blocked_hr";
    		$cron_item['mday'] = "$snort_rm_blocked_mday";
    		$cron_item['month'] = "$snort_rm_blocked_month";
    		$cron_item['wday'] = "$snort_rm_blocked_wday";
    		$cron_item['who'] = "root";
    		$cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire $snortrmblocktable";
    
    		/* Add cron job if not already installed, else just update the existing one */
    		if (!$is_installed) 
    			$config['cron']['item'][] = $cron_item;
    		elseif ($is_installed)
    			$config['cron']['item'][$x] = $cron_item;
    		break;
    	case false:
    		if ($is_installed == true)
    			unset($config['cron']['item'][$x]);
    		break;
    	}
    }
    
    
    
    function snort_deinstall() {
    
    	global $config, $g, $snort_rules_upd_log, $snortrmblocktable;
    .
    .
    .
    /* Remove all the Snort cron jobs. */
    	snort_deinstall_cron("$snortrmblocktable");
    
    
    
    function snort_generate_conf($snortcfg) {
    
    	global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $snortrmblocktable;
    .
    .
    .
    @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
    		$spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},$snortrmblocktable,{$snortcfg['blockoffendersip']},{$pfkill}";
    
    

    /usr/local/www/snort/snort_blocked.php

    
    if ($_POST['todelete'] || $_GET['todelete']) {
    	$ip = "";
    	if($_POST['todelete'])
    		$ip = $_POST['todelete'];
    	else if($_GET['todelete'])
    		$ip = $_GET['todelete'];
    	if (is_ipaddr($ip))
    		exec("/sbin/pfctl -t $snortrmblocktable -T delete {$ip}");
    }
    
    if ($_POST['remove']) {
    	exec("/sbin/pfctl -t $snortrmblocktable -T flush");
    	header("Location: /snort/snort_blocked.php");
    	exit;
    }
    
    /* TODO: build a file with block ip and disc */
    if ($_POST['download'])
    {
    	$blocked_ips_array_save = "";
    	exec('/sbin/pfctl -t $snortrmblocktable -T show', $blocked_ips_array_save);
    
    

    /usr/local/www/snort/snort_interfaces_global.php

    
    $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
    $pconfig['snortrmblocktable'] = $config['installedpackages']['snortglobal']['snortrmblocktable'];
    
    
    
    		$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
    		$config['installedpackages']['snortglobal']['snortrmblocktable'] = $_POST['snortrmblocktable'];	
    
    
    
    	**', '**'); ?>
    
    				  ', ''); ?>
    
    







    ![blocked lists.png](/public/imported_attachments/1/blocked lists.png)
    ![blocked lists.png_thumb](/public/imported_attachments/1/blocked lists.png_thumb)



  • @asbirim:

    hi, first of all thank you for this great package.

    i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

    so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

    i have basic allow rules like only safe ports allowed.
    i am using
    block any to any source spammers
    at bottom of all others rules. so i can block offenders.

    I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

    Bill



  • @bmeeks:

    @asbirim:

    hi, first of all thank you for this great package.

    i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

    so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

    i have basic allow rules like only safe ports allowed.
    i am using
    block any to any source spammers
    at bottom of all others rules. so i can block offenders.

    I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

    Bill

    i was added screenshots about what i am tyring.

    i am trying to use snort blocked offenders list in an alias. so i can totally have control over them.  because snort2c is block hosts at the top of pfctl, and the hosts tottally blocked. but i want to log them and just block unkown traffic from them.

    sorry for bad english. i hope i can explain my solution.



  • @asbirim:

    @bmeeks:

    @asbirim:

    hi, first of all thank you for this great package.

    i was needed to block offenders but not all traffic just unknown traffic. eg. torrent, p2p.

    so i added a alias with name "spammers" and edited snort.inc, snort_interfaces_global.php and snort_blocked.php to change default snort2c alias.  can you add theese changes to package.

    i have basic allow rules like only safe ports allowed.
    i am using
    block any to any source spammers
    at bottom of all others rules. so i can block offenders.

    I'm not sure I fully understand what you are doing here.  Are you using custom Snort rules?

    Bill

    i was added screenshots about what i am tyring.

    i am trying to use snort blocked offenders list in an alias. so i can totally have control over them.  because snort2c is block hosts at the top of pfctl, and the hosts tottally blocked. but i want to log them and just block unkown traffic from them.

    sorry for bad english. i hope i can explain my solution.

    The proper way to do this would be with your own Custom Rules in Snort.  The current package gives you that capability.  You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

    Bill



  • @bmeeks:

    You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

    I think asbirim is trying to block offenders based on snort rules but block only specific ports instead of blocking all ip traffic changing pf rule created by snort.

    On pfblocker I've added an option to only create alias but do not apply rules. This way sysadmin can create any rule based ou package created alias.



  • @marcelloc:

    @bmeeks:

    You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

    I think asbirim is trying to block offenders based on snort rules but block only specific ports instead of blocking all ip traffic changing pf rule created by snort.

    On pfblocker I've added an option to only create alias but do not apply rules. This way sysadmin can create any rule based ou package created alias.

    Oh…OK.  I wasn't initially understanding his intent.  I'm not sure this idea really fits into what Snort is about, though.  Sounds more like something for one of the other packages like pfBlocker perhaps.

    Bill