Netgate Discussion Forum
    Snort Package Wish List

    • bmeeks

      Snort Package Enhancements Wish List

      OK, let's keep it reasonable and hopefully fairly easy to implement.  Reply with your ideas for the Snort Package Wish List.

      Here are mine.  These are definitely the next updates on my TODO list.

      1.  Update the Snort binary to version 2.9.4.6 (since 2.9.4.1 goes EOL on July 2, 2013).

      2.  Add Host Attribute Table (a.k.a target-based) support to the package.  For more about it, check out this article from Joel Esler.

      http://www.csoonline.com/article/546763/tuning-snort-with-host-attribute-tables

      If time permits, I would like to add multiple preprocessor engine support.  This will allow you to configure multiple instances of some preprocessors (for example HTTP_INSPECT) with different settings for different hosts.  The Host Attribute Table is one way to do this (see item #2 above), but I want to add this capability to the GUI as well.  A number of the preprocessors support multiple instances with different configurations per instance.

      The first priority, though, is getting the binary updated to 2.9.4.6.  That is pretty easy.  I already have it working in my test environment with no issues.

      Bill

      • marcelloc

        2.9.4.6 is on freebsd ports.

        http://svnweb.freebsd.org/ports/head/security/snort/

        Ask on the dev mailing list for a compile run for 2.0.x and 2.1. If it doesn't need changes to compile args, it will be painless :)

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • bmeeks

          @marcelloc:

          2.9.4.6 is on freebsd ports.

          http://svnweb.freebsd.org/ports/head/security/snort/

          Ask on the dev mailing list for a compile run for 2.0.x and 2.1. If it doesn't need changes to compile args, it will be painless :)

          Thanks Marcelloc:

          I have a VMware environment of pfSense package builders and a package repository.  I have successfully updated the Snort port to 2.9.4.6 and built packages for both 2.0.3 and 2.1RC0.  I am adding the "--enable-targetbased" option to the config script.  I plan to submit a Pull Request for this update in the near future.

          Bill

          • gogol

            I have three wishes:

            • When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing

            • Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system, if snort is monitoring this table and writing it to /tmp?

            • The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time?

            • Clear-Pixel

              Chart/Graph for monitoring snort trend.

              How about a time line chart/graph for the dashboard showing the number and priority of threats being blocked?

              Might help to more easily detect a change in a trend.

              HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13 GHz - 4 GB RAM - 128 GB SSD
              Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
              Single Ethernet Port - VLAN
              Cisco SG300 10-port Gigabit Managed Switch
              Cisco DPC3008 Cable Modem 30/4 Mbps
              pfSense 2.1-RELEASE (amd64)
              --------------------------------------------------------------
              Total Network Power Consumption - 29 Watts

              • bmeeks

                @Clear-Pixel:

                Chart/Graph for monitoring snort trend.

                How about a time line chart/graph for the dashboard showing the number and priority of threats being blocked?

                Might help to more easily detect a change in a trend.

                That sounds more like something for the Snort Dashboard Widget instead of the main Snort package.  I don't know who is maintaining or updating the Snort Dashboard Widget these days.  Charting/graphing are not areas I have much programming experience in.  Perhaps another volunteer can come forward and add this to the Snort Dashboard Widget package.  It is an excellent suggestion, though.

                Bill

                • Clear-Pixel

                  Integrate a Snort Rule builder to help speed up the process of creating new rules?

                  • bmeeks

                    @gogol:

                    I have three wishes:

                    • When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing

                    I tried this once without much success.  It gets to be a real issue with the large rule sets.  I did add sorting columns in the last update to make it easier to locate a particular rule.  I can experiment with some other approaches.  It needs some type of dynamic bookmarking.

                    @gogol:

                    • Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system, if snort is monitoring this table and writing it to /tmp?

                    This has come up from several users, but I really don't know a good way to do this.  Snort the binary does not and cannot monitor the table.  At least it can't without adding significant customized code to the baseline source code from Sourcefire.  I don't think that is wise because then staying current with updates becomes a big problem.  The GUI does not run full time either, and launching some kind of independent process in the background seems messy.

                    @gogol:

                    • The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time?

                    I can address this, but instead of random times how about the ability to set either the offset in minutes from the top of the hour, or set a specific time of day?

                    Bill

                    • bmeeks

                      @Clear-Pixel:

                      Integrate a Snort Rule builder to help speed up the process of creating new rules?

                      Do you have some examples of an existing product (preferably open-source)?

                      I am adding Host Attribute Table support in the next release.  That goes a long way toward making Preprocessor customizations much easier to implement.  You scan your network with nmap and feed the fingerprints to hogger and it generates a file for auto-configuring the preprocessors.  Another alternative is to use the new PRADS passive detection system.  It can also generate the necessary file data to feed into Snort.

                      Bill

                      • Clear-Pixel

                        I'm not a security expert nor a Unix guru :( but as you know, and others on the board, there is much more to be desired on the IDS side of pfSense, and we realize you're just one man and can only do so much for us.

                        I do know my HTML, CSS, PHP, MySQL and jQuery for website development ;D... have dabbled in C++, VB and Java when needed ;).

                        Here is a video I found related to storing Snort data to feed charts and graphs (Windows 7 only, but the principle should be the same):
                        http://www.youtube.com/watch?v=cpygT5IWmmI

                        http://sourceforge.net/projects/snortalertmon/

                        The video shows a Windows app being used for Snort rule creation, with a download link for the app.
                        http://www.youtube.com/watch?v=4Eb8S-NK6f4

                        Whoever made the video is the developer... Open source?

                        • Clear-Pixel

                          @bmeeks:

                          @Clear-Pixel:

                          Integrate a Snort Rule builder to help speed up the process of creating new rules?

                          Do you have some examples of an existing product (preferably open-source)?

                          I am adding Host Attribute Table support in the next release.  That goes a long way toward making Preprocessor customizations much easier to implement.  You scan your network with nmap and feed the fingerprints to hogger and it generates a file for auto-configuring the preprocessors.  Another alternative is to use the new PRADS passive detection system.  It can also generate the necessary file data to feed into Snort.

                          Bill

                          It sounds very productive... I just don't have enough knowledge in this area.

                          • shinzo

                            In the config detection line, being able to disable/change the "search-optimize" option through the GUI. Every time I reinstall the package, I have to go in and remove the line.  Also being able to modify the config paf_max number?  Just a thought :o.  Being able to disable all the rules in a category so I can turn on the few that I wanted. I used to go into the file and run ":%s/#alert/alert/" then ":%s/alert/#alert/" to be able to disable them, but it got too time consuming.

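The bulk disable/enable shinzo describes can be scripted rather than done by hand in vim. The script below is an added example, not code from the pfSense Snort package: the sample category file is constructed, the list of rule actions it toggles is this script's own, and it filters a rules file from stdin to stdout so the original is only overwritten when you redirect the result.

```shell
#!/bin/sh
# Added example, not the package's code: bulk-disable every rule in a Snort
# category file, then re-enable only the SIDs you want. It does the job of the
# manual vim :%s/alert/#alert/ edit but never double-comments a line and
# leaves comments and already-disabled rules alone. Filters stdin to stdout.

ACTIONS='alert|log|pass|drop|reject|sdrop'   # Snort rule actions we toggle

# Constructed sample category file (single-quoted so $HOME_NET stays literal).
RULES='# constructed sample category file
alert tcp any any -> $HOME_NET 80 (msg:"WEB test one"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"WEB test two"; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"SSH already off"; sid:1000003; rev:1;)
drop tcp any any -> $HOME_NET 25 (msg:"SMTP test"; sid:1000004; rev:1;)'

# disable_all: comment out every active rule line; lines already starting
# with '#' are untouched, so running it twice is harmless.
disable_all() {
  sed -E "s/^[[:space:]]*(($ACTIONS)[[:space:]])/# \1/"
}

# enable_sids <sid>...: remove the leading '#' from rules carrying a matching
# "sid:<n>;" option. SIDs are validated as plain integers before they go into
# the regex, and the trailing ';' keeps sid:2 from matching sid:1000002.
enable_sids() {
  data=$(cat)
  for sid in "$@"; do
    case "$sid" in ''|*[!0-9]*) echo "enable_sids: bad sid '$sid'" >&2; return 1 ;; esac
    data=$(printf '%s\n' "$data" | sed -E "s/^#[[:space:]]*(($ACTIONS)[[:space:]].*sid:$sid;)/\1/")
  done
  printf '%s\n' "$data"
}

# active_count: number of enabled rule lines on stdin (for checks).
active_count() {
  grep -Ec "^($ACTIONS)[[:space:]]"
}

# Usage: disable the whole category, keep just sid 1000002 enabled.
printf '%s\n' "$RULES" | disable_all | enable_sids 1000002
```

On a real box the pipeline reads the category file and writes to a temporary file that is then moved into place (`disable_all < web.rules | enable_sids 1000002 > web.rules.new && mv web.rules.new web.rules`), and Snort is restarted afterwards so the change takes effect.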
                            • Clear-Pixel

                              @bmeeks:

                              2.  Add Host Attribute Table (a.k.a target-based) support to the package.  For more about it, check out this article from Joel Esler.

                              http://www.csoonline.com/article/546763/tuning-snort-with-host-attribute-tables

                              If time permits, I would like to add multiple preprocessor engine support.  This will allow you to configure multiple instances of some preprocessors (for example HTTP_INSPECT) with different settings for different hosts.  The Host Attribute Table is one way to do this (see item #2 above), but I want to add this capability to the GUI as well.  A number of the preprocessors support multiple instances with different configurations per instance.

                              The first priority, though, is getting the binary updated to 2.9.4.6.  That is pretty easy.  I already have it working in my test environment with no issues.

                              Bill

                              If I understood the article correctly... what hit me about the Host Attribute Table method is: what if the client was purposely programmed to respond back to the host with false data, and Snort rules are based on the web browser and bla bla bla etc.... if so, some Snort rules would be compromised/bypassed?

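The Host Attribute Table from bmeeks' item #2 is a plain XML file that Snort loads with `attribute_table filename <path>` in snort.conf. The script below is an added example, not the package's code and not hogger or PRADS output: it builds that XML from a constructed inventory, and the inventory line format and the attr_id numbering are this script's own. On the concern raised above about a host answering with false data: the table only steers Snort's reassembly policy (FRAG_POLICY, STREAM_POLICY) and the service-to-port mapping for that address, so populating it from an inventory the administrator controls, and re-checking it when hosts change, is what keeps that steering trustworthy.

```shell
#!/bin/sh
# Added example, not part of the pfSense Snort package: turn a constructed
# host inventory into a Snort 2.9 Host Attribute Table (attribute_table XML).
# The inventory format and the attr_id numbering are this script's own.

# Constructed inventory, one host per line:
#   ip|os_name|frag_policy|stream_policy|proto/port/app[,proto/port/app...]
INVENTORY='192.0.2.10|Linux|linux|linux|tcp/22/ssh,tcp/80/http
192.0.2.20|Windows|windows|windows|tcp/445/smb'

# attr_id <name>: numeric ID used in the ATTRIBUTE_MAP. Snort only needs the
# IDs to be consistent within one file; unknown names are an error.
attr_id() {
  case "$1" in
    Linux)   echo 1 ;;
    Windows) echo 2 ;;
    ssh)     echo 3 ;;
    http)    echo 4 ;;
    smb)     echo 5 ;;
    *) echo "attr_id: unknown attribute '$1'" >&2; return 1 ;;
  esac
}

# emit_hat <inventory-text>: write the attribute table XML to stdout.
emit_hat() {
  printf '<SNORT_ATTRIBUTES>\n<ATTRIBUTE_MAP>\n'
  for name in Linux Windows ssh http smb; do
    printf '  <ENTRY><ID>%s</ID><VALUE>%s</VALUE></ENTRY>\n' "$(attr_id "$name")" "$name"
  done
  printf '</ATTRIBUTE_MAP>\n<ATTRIBUTE_TABLE>\n'
  printf '%s\n' "$1" | while IFS='|' read -r ip os frag stream services; do
    [ -n "$ip" ] || continue
    printf '  <HOST>\n    <IP>%s</IP>\n    <OPERATING_SYSTEM>\n' "$ip"
    printf '      <NAME><ATTRIBUTE_ID>%s</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></NAME>\n' "$(attr_id "$os")"
    # FRAG_POLICY / STREAM_POLICY select the frag3 and stream5 reassembly
    # models Snort applies to traffic for this host.
    printf '      <FRAG_POLICY>%s</FRAG_POLICY>\n      <STREAM_POLICY>%s</STREAM_POLICY>\n' "$frag" "$stream"
    printf '    </OPERATING_SYSTEM>\n    <SERVICES>\n'
    oldifs=$IFS; IFS=','; set -- $services; IFS=$oldifs
    for svc in "$@"; do
      proto=${svc%%/*}; rest=${svc#*/}; port=${rest%%/*}; app=${rest#*/}
      printf '      <SERVICE>\n'
      printf '        <PORT><ATTRIBUTE_VALUE>%s</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>\n' "$port"
      printf '        <IPPROTO><ATTRIBUTE_VALUE>%s</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>\n' "$proto"
      printf '        <PROTOCOL><ATTRIBUTE_ID>%s</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>\n' "$(attr_id "$app")"
      printf '      </SERVICE>\n'
    done
    printf '    </SERVICES>\n  </HOST>\n'
  done
  printf '</ATTRIBUTE_TABLE>\n</SNORT_ATTRIBUTES>\n'
}

# hat_host_count <inventory-text>: number of <HOST> entries produced (for checks).
hat_host_count() {
  emit_hat "$1" | grep -c '<HOST>'
}

emit_hat "$INVENTORY"
```

Redirect the output to the file named in the `attribute_table filename` line of snort.conf and run Snort in test mode (`snort -c snort.conf -T`) to confirm the table parses before putting it into service.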
                              • gogol

                                @bmeeks:

                                @gogol:

                                I have three wishes:

                                • When editing rules and after for instance disabling a rule the page reloads at the top and not where you were editing

                                I tried this once without much success.  It gets to be a real issue with the large rule sets.  I did add sorting columns in the last update to make it easier to locate a particular rule.  I can experiment with some other approaches.  It needs some type of dynamic bookmarking.

                                I didn't even notice that the columns could be sorted. That's already something to make life easier ;)

                                @bmeeks:

                                @gogol:

                                • Would it be possible to reload the snort2c table with the blocked IP addresses after it has been cleared by the system, if snort is monitoring this table and writing it to /tmp?

                                This has come up from several users, but I really don't know a good way to do this.  Snort the binary does not and cannot monitor the table.  At least it can't without adding significant customized code to the baseline source code from Sourcefire.  I don't think that is wise because then staying current with updates becomes a big problem.  The GUI does not run fulltime either, and launching some kind of independent process in the background seems messy.

                                I also thought that another process would be needed. No problem.

                                @bmeeks:

                                @gogol:

                                • The rule update time is hardcoded in snort.inc as a function: snort_rules_up_install_cron. Now all those pfSense boxes in the same timezone connect simultaneously and that causes timeouts I guess, because when I change the time to something else I never get those timeouts. Can this be made a random time?

                                I can address this, but instead of random times how about the ability to set either the offset in minutes from the top of the hour, or set a specific time of day?

                                A specific time of the day has my preference, but the user must be reminded to set it at installation time, so that not all pfSense boxes in a timezone try to connect at the same time. Maybe a small note for the user to explain.

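Both scheduling options discussed in this exchange (a per-box offset in minutes from the top of a fixed hour, or an admin-chosen time of day) end up as one cron entry. The script below is an added example, not the snort_rules_up_install_cron function from snort.inc: deriving the minute from the hostname is this script's own way of spreading many boxes across the hour without storing any state, and /path/to/snort_rules_update is a placeholder for the package's real update command.

```shell
#!/bin/sh
# Added example, not code from snort.inc: pick a rule-update time per box so
# that every pfSense install in one timezone does not fetch rules in the same
# minute. /path/to/snort_rules_update is a placeholder for the real command.

# update_minute <hostname>: stable minute 0-59 derived from the hostname's
# CRC (cksum is POSIX), so each box gets its own slot with no stored state.
update_minute() {
  crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
  echo $(( crc % 60 ))
}

# strip_zero <n>: "07" -> "7", "00" -> "0" (cron fields without leading zeros).
strip_zero() {
  printf '%s\n' "$1" | sed 's/^0*\([0-9]\)/\1/'
}

# is_num <s>: true when <s> is a non-empty string of digits.
is_num() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# cron_entry <minute> <hour> <command>: one crontab line.
cron_entry() {
  printf '%s %s * * * %s\n' "$1" "$2" "$3"
}

# schedule_offset <hostname> <hour> <command>: fixed hour, per-host minute.
schedule_offset() {
  cron_entry "$(update_minute "$1")" "$2" "$3"
}

# schedule_fixed <HH:MM> <command>: admin-chosen time of day, range-checked
# so a typo never produces an entry cron will reject or misread.
schedule_fixed() {
  hh=$(strip_zero "${1%%:*}"); mm=$(strip_zero "${1#*:}")
  is_num "$hh" && is_num "$mm" && [ "$hh" -le 23 ] && [ "$mm" -le 59 ] || {
    echo "schedule_fixed: bad time '$1'" >&2; return 1
  }
  cron_entry "$mm" "$hh" "$2"
}

# Usage: one entry for each policy; the first spreads boxes across 02:00-02:59.
schedule_offset "$(hostname 2>/dev/null || echo fw-example)" 2 /path/to/snort_rules_update
schedule_fixed 03:17 /path/to/snort_rules_update
```

The offset variant gives the spread gogol asked for without the install-time reminder, because two boxes with different hostnames land on different minutes; the fixed variant is the one to use when the rule vendor publishes at a known time and the admin wants to fetch shortly after it.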
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.