Snort Package Wish List



  • Snort Package Enhancements Wish List

    OK, let's keep it reasonable and hopefully fairly easy to implement.  Reply with your ideas for the Snort Package Wish List.

    Here are mine.  These are definitely the next updates on my TODO list.

    1.  Update the Snort binary to version 2.9.4.6 (since 2.9.4.1 goes EOL on July 2, 2013).

    2.  Add Host Attribute Table (a.k.a target-based) support to the package.  For more about it, check out this article from Joel Esler.

    http://www.csoonline.com/article/546763/tuning-snort-with-host-attribute-tables

    If time permits, I would like to add multiple preprocessor engine support.  This will allow you to configure multiple instances of some preprocessors (for example HTTP_INSPECT) with different settings for different hosts.  The Host Attribute Table is one way to do this (see item #2 above), but I want to add this capability to the GUI as well.  A number of the preprocessors support multiple instances with different configurations per instance.

    The first priority, though, is getting the binary updated to 2.9.4.6.  That is pretty easy.  I already have it working in my test environment with no issues.

    Bill



  • 2.9.4.6 is on freebsd ports.

    http://svnweb.freebsd.org/ports/head/security/snort/

    Ask on dev mailing list for a compile run for 2.0.x and 2.1. If it doesn't need changes to compile args, it will be painless  :)



  • @marcelloc:

    2.9.4.6 is on freebsd ports.

    http://svnweb.freebsd.org/ports/head/security/snort/

    Ask on dev mailing list for a compile run for 2.0.x and 2.1. If it doesn't need changes to compile args, it will be painless  :)

    Thanks Marcelloc:

    I have a VMware environment of pfSense package builders and a package repository.  I have successfully updated the Snort port to 2.9.4.6 and built packages for both 2.0.3 and 2.1RC0.  I am adding the "--enable-targetbased" option to the config script.  I plan to submit a Pull Request for this update in the near future.

    Bill



  • I have three wishes:

    • When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing

    • Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system; if snort is monitoring this table and writing it to /tmp?

    • The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time?



  • Chart/Graph for monitoring snort trend.

    How about a time line chart/graph for the dashboard showing the number and priority of threats being blocked?

    Might help to more easily detect a change in a trend.



  • @Clear-Pixel:

    Chart/Graph for monitoring snort trend.

    How about a time line chart/graph for the dashboard showing the number and priority of threats being blocked?

    Might help to more easily detect a change in a trend.

    That sounds more like something for the Snort Dashboard Widget instead of the main Snort package.  I don't know who is maintaining or updating the Snort Dashboard Widget these days.  Charting/graphing are not areas I have much programming experience in.  Perhaps another volunteer can come forward and add this to the Snort Dashboard Widget package.  It is an excellent suggestion, though.

    Bill



  • Integrate a Snort Rule builder to help speed up the process of creating new rules?



  • @gogol:

    I have three wishes:

    • When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing

    I tried this once without much success.  It gets to be a real issue with the large rule sets.  I did add sorting columns in the last update to make it easier to locate a particular rule.  I can experiment with some other approaches.  It needs some type of dynamic bookmarking.

    @gogol:

    • Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system; if snort is monitoring this table and writing it to /tmp?

    This has come up from several users, but I really don't know a good way to do this.  Snort the binary does not and cannot monitor the table.  At least it can't without adding significant customized code to the baseline source code from Sourcefire.  I don't think that is wise because then staying current with updates becomes a big problem.  The GUI does not run fulltime either, and launching some kind of independent process in the background seems messy.

    @gogol:

    • The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time?

    I can address this, but instead of random times how about the ability to set either the offset in minutes from the top of the hour, or set a specific time of day?

    Bill



  • @Clear-Pixel:

    Integrate a Snort Rule builder to help speed up the process of creating new rules?

    Do you have some examples of an existing product (preferably open-source)?

    I am adding Host Attribute Table support in the next release.  That goes a long way toward making Preprocessor customizations much easier to implement.  You scan your network with nmap and feed the fingerprints to hogger and it generates a file for auto-configuring the preprocessors.  Another alternative is to use the new PRADS passive detection system.  It can also generate the necessary file data to feed into Snort.

    Bill



    I'm not a security expert nor a Unix guru  :( but as you know and others on the board, there is much more to be desired on the IDS side of pfSense and we realize you're just one man and can only do so much for us.

    I do know my HTML, CSS, PHP, MySQL and jQuery for website development  ;D….have dabbled in C++, VB and Java when needed  ;).

    Here is a video I found related to storing snort data to feed charts and graphs ( Windows 7 only but the principle should be the same )
    http://www.youtube.com/watch?v=cpygT5IWmmI

    http://sourceforge.net/projects/snortalertmon/

    Video shows a windows app being used for snort rule creation and download link for app.
    http://www.youtube.com/watch?v=4Eb8S-NK6f4

    Whoever made the video is the developer .... Open Source ?



  • @bmeeks:

    @Clear-Pixel:

    Integrate a Snort Rule builder to help speed up the process of creating new rules?

    Do you have some examples of an existing product (preferably open-source)?

    I am adding Host Attribute Table support in the next release.  That goes a long way toward making Preprocessor customizations much easier to implement.  You scan your network with nmap and feed the fingerprints to hogger and it generates a file for auto-configuring the preprocessors.  Another alternative is to use the new PRADS passive detection system.  It can also generate the necessary file data to feed into Snort.

    Bill

    It sounds very productive …. I just don't have enough knowledge in this area.



    In the config detection line, being able to disable/change the "search-optimize" option through the GUI. Every time I reinstall the package, I have to go in and remove the line.  Also being able to modify the config paf_max number?  Just a thought :o.  Being able to disable all the rules in a category so I can turn on the few that I wanted. I used to go into the file and run ":%s/#alert/alert" then ":%s/alert/#alert" to be able to disable them, but it got too time consuming.
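    The post above disables a whole category with vi substitutions and then switches the few wanted rules back on by hand. As an added example (not code from the pfSense Snort package), the same job done from the shell with sed, keyed on the rule's sid so only exact SIDs are re-enabled; the sample category file and its SIDs are constructed for the demo:

```shell
#!/bin/sh
# Added example, not code from the pfSense Snort package: bulk-disable every
# rule in a category file, then re-enable only the SIDs you want.  The rules
# file written by make_sample_rules is constructed for this demo.
set -eu

# Action keywords that start an active Snort rule line.
ACTIONS='alert|drop|log|pass|reject|sdrop'

# Replace a rules file with the output of a sed -E expression applied to it.
rewrite_rules() {            # $1 = rules file, $2 = sed -E expression
    sed -E "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Comment out every active rule; lines already commented are left alone.
disable_all_rules() {        # $1 = rules file
    rewrite_rules "$1" "s/^($ACTIONS)[[:space:]]/#&/"
}

# Uncomment the single rule whose sid option equals $2 (exact match only:
# the required trailing ';' stops sid:1000001 from also matching sid:10000010).
enable_sid() {               # $1 = rules file, $2 = numeric SID
    case $2 in ''|*[!0-9]*) echo "enable_sid: bad SID '$2'" >&2; return 1;; esac
    rewrite_rules "$1" "s/^#[[:space:]]*(($ACTIONS)[[:space:]].*[;[:space:]]sid:[[:space:]]*$2[[:space:]]*;)/\1/"
}

# Number of active (uncommented) rules in the file; prints 0 when none.
count_active_rules() {       # $1 = rules file
    grep -cE "^($ACTIONS)[[:space:]]" "$1" || true
}

# Constructed sample category file using local SIDs (>= 1000000).
make_sample_rules() {        # $1 = path to write
    cat > "$1" <<'EOF'
# constructed sample category; not a real rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; flow:to_server; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"SAMPLE already disabled"; sid:1000003; rev:1;)
drop icmp any any -> $HOME_NET any (msg:"SAMPLE icmp sweep"; sid:1000004; rev:1;)
EOF
}

# Demo: everything off, then only SID 1000002 back on.
demo() {
    f=$(mktemp) && make_sample_rules "$f"
    disable_all_rules "$f"
    enable_sid "$f" 1000002
    echo "active rules after edit: $(count_active_rules "$f")"   # 1
    rm -f "$f"
}
demo
```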



  • @bmeeks:

    2.  Add Host Attribute Table (a.k.a target-based) support to the package.  For more about it, check out this article from Joel Esler.

    http://www.csoonline.com/article/546763/tuning-snort-with-host-attribute-tables

    If time permits, I would like to add multiple preprocessor engine support.  This will allow you to configure multiple instances of some preprocessors (for example HTTP_INSPECT) with different settings for different hosts.  The Host Attribute Table is one way to do this (see item #2 above), but I want to add this capability to the GUI as well.  A number of the preprocessors support multiple instances with different configurations per instance.

    The first priority, though, is getting the binary updated to 2.9.4.6.  That is pretty easy.  I already have it working in my test environment with no issues.

    Bill

    If I understood the article correctly …. what hit me about the Host Attribute Table method is what if the client was purposely programmed to respond back to the host with false data ... and snort rules are based on the web browser and bla bla bla etc.........if so, some snort rules would be compromised/bypassed?



  • @bmeeks:

    @gogol:

    I have three wishes:

    • When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing

    I tried this once without much success.  It gets to be a real issue with the large rule sets.  I did add sorting columns in the last update to make it easier to locate a particular rule.  I can experiment with some other approaches.  It needs some type of dynamic bookmarking.

    I didn't even notice that the columns could be sorted. That's already something to make life easier ;)

    @bmeeks:

    @gogol:

    • Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system; if snort is monitoring this table and writing it to /tmp?

    This has come up from several users, but I really don't know a good way to do this.  Snort the binary does not and cannot monitor the table.  At least it can't without adding significant customized code to the baseline source code from Sourcefire.  I don't think that is wise because then staying current with updates becomes a big problem.  The GUI does not run fulltime either, and launching some kind of independent process in the background seems messy.

    I also thought that another process would be needed. No problem.

    @bmeeks:

    @gogol:

    • The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time?

    I can address this, but instead of random times how about the ability to set either the offset in minutes from the top of the hour, or set a specific time of day?

    A specific time of the day has my preference, but the user must be reminded to set it at installation time, so not all pfSense boxes in a timezone try to connect at the same time. Maybe a small note for the user to explain.
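    The thread's rule-update timing wish (a hard-coded cron time in snort_rules_up_install_cron, the request for a random time, Bill's offset-from-the-hour or fixed-time proposal, and the preference just above) as an added example that is not the pfSense Snort package's own code: a per-box minute derived from the hostname spreads boxes in the same timezone apart without needing a random value stored anywhere, and a validated HH:MM covers the fixed-time option. The hostnames and the update command path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the pfSense Snort package or its
# snort_rules_up_install_cron function.  Two alternatives to one hard-coded
# update time: a per-box minute derived from the hostname (so boxes in the
# same timezone spread out), or a user-chosen HH:MM.  Hostnames and the
# update command path below are constructed placeholders.
set -eu

# Deterministic minute in 0..59 from a hostname: the same box always gets
# the same slot, unlike a random pick, so the schedule is reproducible.
stagger_minute() {              # $1 = hostname
    sum=$(printf '%s' "$1" | cksum | awk '{print $1}')
    echo $(( sum % 60 ))
}

# crontab line: daily at hour $2, at this box's staggered minute.
staggered_cron_line() {         # $1 = hostname, $2 = hour 0..23, $3 = command
    case $2 in ''|*[!0-9]*) echo "staggered_cron_line: bad hour '$2'" >&2; return 1;; esac
    [ "$2" -le 23 ] || { echo "staggered_cron_line: bad hour '$2'" >&2; return 1; }
    printf '%s %s * * * %s\n' "$(stagger_minute "$1")" "$2" "$3"
}

# Validate a user-chosen "HH:MM" and print it as "MINUTE HOUR" for cron.
# Leading zeros are stripped so "08" is not read as an (invalid) octal number.
parse_time_of_day() {           # $1 = HH:MM
    case $1 in [0-9][0-9]:[0-9][0-9]) ;; *) echo "parse_time_of_day: want HH:MM, got '$1'" >&2; return 1;; esac
    h=${1%%:*}; m=${1##*:}; h=${h#0}; m=${m#0}
    [ "$h" -le 23 ] && [ "$m" -le 59 ] || { echo "parse_time_of_day: '$1' out of range" >&2; return 1; }
    echo "$m $h"
}

# crontab line: daily at the exact time the user picked.
fixed_cron_line() {             # $1 = HH:MM, $2 = command
    mh=$(parse_time_of_day "$1") || return 1
    printf '%s * * * %s\n' "$mh" "$2"
}

# Demo with constructed hostnames: same hour, a different minute per box,
# then one fixed-time line.  The command path is a placeholder.
demo() {
    for host in fw-branch-01.example fw-branch-02.example fw-hq.example; do
        staggered_cron_line "$host" 2 "/usr/local/bin/snort_rules_update.sh"
    done
    fixed_cron_line "03:15" "/usr/local/bin/snort_rules_update.sh"
}
demo
```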