Snort 2.9.4.6 Pkg v 2.5.9

gogol

Thanks Bill,

Great update again.
I only have a small problem while updating pfSense firmware and this invokes also the Snort package update.
Attached is a screen dump of the console of my VM because I couldn't grab the text. Both my main system and VM had this error.
On my main system one of the sensors exited with code 11 after the firmware update. I deleted and reinstalled Snort (without the errors this time) and all is well now. I don't know if this had anything to do with the mentioned error.

SnortError.jpg_thumb

fragged

I have no idea how or why, but after the update my Snort interface uses 4 GB memory when before update it used ~2.7 GB. I have the same rules selected and I only did some minor changes to preprocessor memory settings where I tuned down some from 1024 MB to 64 MB. Performance setting is AC-NQ as it was before. Good thing I have 8 GB total memory :D

Supermule

The new snort package blocks whitelisted WAN IP's and the 2.5.8 didnt.

I had the 1st block just a couple of minutes ago.

bmeeks

@Supermule:

The new snort package blocks whitelisted WAN IP's and the 2.5.8 didnt.

I had the 1st block just a couple of minutes ago.

Darn it! Have not noticed that in my testing. Is the "WAN IP" checkbox checked for the whitelist, and is the WAN interface set to use something besides the default whitelist? Last check is to click the VIEW button next to the whitelist on the If Settings tab and see if the WAN IPs are included in it. Post back with the results

Bill

bmeeks

@gogol:

Thanks Bill,

Great update again.
I only have a small problem while updating pfSense firmware and this invokes also the Snort package update.
Attached is a screen dump of the console of my VM because I couldn't grab the text. Both my main system and VM had this error.
On my main system one of the sensors exited with code 11 after the firmware update. I deleted and reinstalled Snort (without the errors this time) and all is well now. I don't know if this had anything to do with the mentioned error.

Changing from one Snort binary to the next update is best done with a "deinstall" and then "reinstall" operation. I've noticed that the pfSense Package Manager code seems to hold on to the older include file. That's what the error indicates on your system.

Bill

bmeeks

Important Snort Update Notice

This package includes an update of the Snort binary to version 2.9.4.6. It is highly recommended that you perform a "deinstall" and then "reinstall" operation to perform this update.

If you have 2.1RC0 and are about to do a Snapshot update, I highly recommend you perform the Snort package deinstall/reinstall procedure first, let that complete, and only then perform any 2.1 Snapshot update. The Snapshot updates reinstall packages as part of the process, and this can sometimes go badly when a major package update has been pushed. Better to remove and reinstall the packages first, then all the Snapshot will be doing is reinstalling the same package version. This is generally no problem.

Bill

Supermule

Yes.

Snort1.jpg_thumb

Snort_whitelist.jpg_thumb

bmeeks

@fragged:

I have no idea how or why, but after the update my Snort interface uses 4 GB memory when before update it used ~2.7 GB. I have the same rules selected and I only did some minor changes to preprocessor memory settings where I tuned down some from 1024 MB to 64 MB. Performance setting is AC-NQ as it was before. Good thing I have 8 GB total memory :D

There is a new version of the underlying Snort binary (2.9.4.6 versus 2.9.4.1 previously). That may have something to do with increased memory usage, but I don't know for sure.

Bill

Supermule

Thats the way it has been done everytime.

@bmeeks:

Important Snort Update Notice

This package includes an update of the Snort binary to version 2.9.4.6. It is highly recommended that you perform a "deinstall" and then "reinstall" operation to perform this update.

If you have 2.1RC0 and are about the do a Snapshot update, I highly recommend you perform the Snort package deinstall/reinstall procedure first, let that complete, and only then perform any 2.1 Snapshot update.

Bill

bmeeks

@Supermule:

Yes.

Go to the Snort Interfaces tab, click the WAN interface, then the WAN If Settings tab. Scroll down and click the VIEW button next to the whitelist selection. Verify that the correct WAN IPs are (or are not) displayed in the pop-up window and post back.

Bill

gogol

@Supermule:

The new snort package blocks whitelisted WAN IP's and the 2.5.8 didnt.

I had the 1st block just a couple of minutes ago.

As far as I can see in your pictures (a few posts later) WAN IP is not blocked, but has the new + sign to add it to the suppress list. When it is blocked it has also an X!

Supermule

They are there.

@bmeeks:

@Supermule:

Yes.

Go to the Snort Interfaces tab, click the WAN interface, then the WAN If Settings tab. Scroll down and click the VIEW button next to the whitelist selection. Verify that the correct WAN IPs are (or are not) displayed in the pop-up window and post back.

Bill

Supermule

THANKS Gogol!!

I am glad you are awake when I am not :D

@gogol:

@Supermule:

The new snort package blocks whitelisted WAN IP's and the 2.5.8 didnt.

I had the 1st block just a couple of minutes ago.

As far as I can see in your pictures (a few posts later) WAN IP is not blocked, but has the new + sign to add it to the suppress list. When it is blocked it has also an X!

bmeeks

@shinzo:

sorry i was awake 8). Thanks for all the adds to the package. Noticed that in the Home Net to inspect tab, I set up a custom whitelist so only the wan ip would be checked but its still adding the lan subnet. In the Whitelist underneath External net, it does display correctly.

Yes, this was by design. HOME_NET defines the networks to protect, so it should include locally attached subnets. The general premise in Snort is anything not in HOME_NET is a potential bad guy. Are you doing something unique that needs local nets excluded from HOME_NET?

Bill

bmeeks

@Supermule:

THANKS Gogol!!

I am glad you are awake when I am not :D

@gogol:

@Supermule:

The new snort package blocks whitelisted WAN IP's and the 2.5.8 didnt.

I had the 1st block just a couple of minutes ago.

As far as I can see in your pictures (a few posts later) WAN IP is not blocked, but has the new + sign to add it to the suppress list. When it is blocked it has also an X!

I missed the fact as well that it was the ALERTS tab you were showing. You will get displayed alerts for whitelisted IPs, but no blocks. The whitelist prevents blocks on alerts, but does not suppress the alerts themselves.

Bill

Supermule

Thanks Bill! Another fantastic job from you!

shinzo

@bmeeks:

@shinzo:

sorry i was awake 8). Thanks for all the adds to the package. Noticed that in the Home Net to inspect tab, I set up a custom whitelist so only the wan ip would be checked but its still adding the lan subnet. In the Whitelist underneath External net, it does display correctly.

Yes, this was by design. HOME_NET defines the networks to protect, so it should include locally attached subnets. The general premise in Snort is anything not in HOME_NET is a potential bad guy. Are you doing something unique that needs local nets excluded from HOME_NET?

Bill

Nope nothing special, Just making sure its not a bug or anything.
I was only asking because of the WAN Variables. What ever i don't have running i try to set to the WAN ip so it doesn't it doesn't do the entire network(to try to increase performance). When the home_net didn't add the local network i could just leave all the variables blank, but i will just create an alias and define the servers manually.

Thanks again

shinzo

So i have been playing with the Host Attribute Table but cant seem to get it running correctly. I looked at a few examples but i keep getting
snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.

Can anyone provide a example to put in the Host Attribute data with just one host

bmeeks

@shinzo:

So i have been playing with the Host Attribute Table but cant seem to get it running correctly. I looked at a few examples but i keep getting
snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.

Can anyone provide a example to put in the Host Attribute data with just one host

I had this running in my VMware setup using a sample table Joel Esler posted in an article from several months back. Let me run a quick check and make sure something is not fat-fingered in my code. Your error indicates the feature is not being recognized by the binary, or there is syntax error in the snort.conf file.

UPDATE: It works in my VMware setup using the sample file attached to this post. Are you positive that your Snort binary got updated? Check by getting to the command line on the firewall and running this command:

/usr/local/bin/snort -V

This will print the version of the Snort binary. It should say 2.9.4.6. Also, there will be some lines down near the bottom of the snort.conf file for the interface that should look like these (although your path will be different for a 2.0.3 box):

# Host Attribute Table #
attribute_table filename /usr/pbi/snort-i386/etc/snort/snort_64703_em0/host_attributes
config max_attribute_hosts: 10000
config max_attribute_services_per_host: 10

Bill

HostAttributeTableSetup.txt

shinzo

I imported the file and it was a no go, i changed the ip to the subnet i was on and nothing also.

The version is correct. The path is /usr/local/etc/snort/snort_59927_em0/host_attributes which is correct also