Snort 2.9.4.6 Pkg v 2.5.9
-
Snort 2.9.4.6
Update the Snort pfSense port to version 2.9.4.6 because the current 2.9.4.1 version goes EOL with rules updates on July 2, 2013. This port update should be merged in concert with the Snort GUI package update 2.5.9 in the pfsense-packages repository.
This update includes the config directives "--enable-targetbased" and "--enable-perfprofile". The target-based directive is required to support the new Host Attribute Table option being added to the 2.5.9 Snort GUI package.
CHANGE LOG
Snort Package v 2.5.9 Update
June 18, 2013
This update introduces one new feature and improves on several existing ones. It also supports the updating of the underlying Snort binary code to version 2.9.4.6.
New Features
Support has been added for a Host Attribute Table. This feature allows the run-time import of specific network host attributes to provide auto-configuration of various Preprocessor and rule options. Tools such as nmap and hogger can be used in concert to scan your network, fingerprint all the hosts, and generate a Host Attribute Table file suitable for direct input to Snort. Snort will then auto-configure Preprocessor and rule options to tailor them to your specific network hosts.
Improved Features
The automatic rule update start time is now configurable. Formerly, only the update interval was selectable. But now both the interval and starting time are configurable in the GUI. This change benefits users with multiple firewalls as it allows their updates to be staggered. The starting time must be entered in 24-hour form with hours and minutes only (as in HH:MM).
Two new icon links were added to the RULES tab that either Enable All or Disable All rules in the selected category. The table on the RULES tab is also sortable. Clicking the headers will sort the column. The sort will toggle between ascending and descending on each click. A bookmark anchor has been added to each displayed rule row so that when clicking to enable or disable a particular rule, the page will auto-scroll upon return so the last-clicked rule is near the top of the page.
New icons have been added to the ALERTS tab in the SRC and DST IP address columns for displayed alerts. The plus (+) icon, when clicked, will auto-add the generator ID and signature ID (gid:sid) to the Suppression List for the interface using the "suppress gen_id, sig_id, track by_src ip ..." or "suppress gen_id, sig_id, track by_dst ip ..." form as applicable for source or destination addresses. As with the SID column icon, if the IP address is already in the Suppression List a disabled icon will be displayed instead. If the GID:SID by itself is in the Suppression List, then the event is suppressed globally and source or destination IP has no meaning. In this case, no plus (+) icon will be displayed under the SRC or DST columns.
The XMLRPC Sync process has been improved by moving the sync job on the remote target host to a background task. This greatly speeds up the sync process when a master must replicate to multiple secondary hosts. The master no longer waits for the entire synchronization process to complete on each target. Instead, the job is deposited on the target host and then executes in the background. The master is then free to proceed to the next target host.
Bug Fixes
The Snort GUI code was run through a HTML validator and several HTML syntax errors were corrected on the various pages. These errors were not materially impacting performance nor functionality, but cleaning them up was a good thing nonetheless.
A bug introduced in version 2.5.8 involving zero-length spaces was fixed in the SUPPRESS tab. When copying and pasting an IPv6 address from the ALERTS tab to a suppression list entry, the zero-length spaces used to signal word-break opportunities to the browser on the ALERTS tab were being copied into and then saved with the suppression list. This corrupted the list and produced a Snort error on restart. Now, prior to saving the list, the contents are scrubbed of any zero-length spaces.
Screenshots and explanations have been added here.
http://forum.pfsense.org/index.php/topic,63593.0.html
UPDATE - JUNE 20th
For those with a
snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.
It has been fixed; please uninstall and then reinstall the Snort package. For more details follow the link below.
http://forum.pfsense.org/index.php/topic,63568.msg344067.html#msg344067
-
Sorry, I was awake 8). Thanks for all the adds to the package. I noticed that in the Home Net to inspect tab, I set up a custom whitelist so only the WAN IP would be checked, but it's still adding the LAN subnet. In the Whitelist underneath External net, it does display correctly.
-
Thanks Bill,
Great update again.
I only have a small problem while updating the pfSense firmware, which also invokes the Snort package update.
Attached is a screen dump of the console of my VM because I couldn't grab the text. Both my main system and VM had this error.
On my main system one of the sensors exited with code 11 after the firmware update. I deleted and reinstalled Snort (without the errors this time) and all is well now. I don't know if this had anything to do with the mentioned error.
-
I have no idea how or why, but after the update my Snort interface uses 4 GB memory when before update it used ~2.7 GB. I have the same rules selected and I only did some minor changes to preprocessor memory settings where I tuned down some from 1024 MB to 64 MB. Performance setting is AC-NQ as it was before. Good thing I have 8 GB total memory :D
-
The new Snort package blocks whitelisted WAN IPs and the 2.5.8 didn't.
I had the 1st block just a couple of minutes ago.
-
The new Snort package blocks whitelisted WAN IPs and the 2.5.8 didn't.
I had the 1st block just a couple of minutes ago.
Darn it! I have not noticed that in my testing. Is the "WAN IP" checkbox checked for the whitelist, and is the WAN interface set to use something besides the default whitelist? Last check is to click the VIEW button next to the whitelist on the If Settings tab and see if the WAN IPs are included in it. Post back with the results.
Bill
-
Thanks Bill,
Great update again.
I only have a small problem while updating the pfSense firmware, which also invokes the Snort package update.
Attached is a screen dump of the console of my VM because I couldn't grab the text. Both my main system and VM had this error.
On my main system one of the sensors exited with code 11 after the firmware update. I deleted and reinstalled Snort (without the errors this time) and all is well now. I don't know if this had anything to do with the mentioned error.
Changing from one Snort binary to the next update is best done with a "deinstall" and then "reinstall" operation. I've noticed that the pfSense Package Manager code seems to hold on to the older include file. That's what the error indicates on your system.
Bill
-
Important Snort Update Notice
This package includes an update of the Snort binary to version 2.9.4.6. It is highly recommended that you perform a "deinstall" and then "reinstall" operation to perform this update.
If you have 2.1RC0 and are about to do a Snapshot update, I highly recommend you perform the Snort package deinstall/reinstall procedure first, let that complete, and only then perform any 2.1 Snapshot update. The Snapshot updates reinstall packages as part of the process, and this can sometimes go badly when a major package update has been pushed. Better to remove and reinstall the packages first, then all the Snapshot will be doing is reinstalling the same package version. This is generally no problem.
Bill
-
-
I have no idea how or why, but after the update my Snort interface uses 4 GB memory when before update it used ~2.7 GB. I have the same rules selected and I only did some minor changes to preprocessor memory settings where I tuned down some from 1024 MB to 64 MB. Performance setting is AC-NQ as it was before. Good thing I have 8 GB total memory :D
There is a new version of the underlying Snort binary (2.9.4.6 versus 2.9.4.1 previously). That may have something to do with increased memory usage, but I don't know for sure.
Bill
-
That's the way it has been done every time.
Important Snort Update Notice
This package includes an update of the Snort binary to version 2.9.4.6. It is highly recommended that you perform a "deinstall" and then "reinstall" operation to perform this update.
If you have 2.1RC0 and are about to do a Snapshot update, I highly recommend you perform the Snort package deinstall/reinstall procedure first, let that complete, and only then perform any 2.1 Snapshot update.
Bill
-
Yes.
Go to the Snort Interfaces tab, click the WAN interface, then the WAN If Settings tab. Scroll down and click the VIEW button next to the whitelist selection. Verify that the correct WAN IPs are (or are not) displayed in the pop-up window and post back.
Bill
-
The new Snort package blocks whitelisted WAN IPs and the 2.5.8 didn't.
I had the 1st block just a couple of minutes ago.
As far as I can see in your pictures (a few posts later) the WAN IP is not blocked, but has the new + sign to add it to the suppress list. When it is blocked it also has an X!
-
They are there.
Yes.
Go to the Snort Interfaces tab, click the WAN interface, then the WAN If Settings tab. Scroll down and click the VIEW button next to the whitelist selection. Verify that the correct WAN IPs are (or are not) displayed in the pop-up window and post back.
Bill
-
THANKS Gogol!!
I am glad you are awake when I am not :D
The new Snort package blocks whitelisted WAN IPs and the 2.5.8 didn't.
I had the 1st block just a couple of minutes ago.
As far as I can see in your pictures (a few posts later) the WAN IP is not blocked, but has the new + sign to add it to the suppress list. When it is blocked it also has an X!
-
Sorry, I was awake 8). Thanks for all the adds to the package. I noticed that in the Home Net to inspect tab, I set up a custom whitelist so only the WAN IP would be checked, but it's still adding the LAN subnet. In the Whitelist underneath External net, it does display correctly.
Yes, this was by design. HOME_NET defines the networks to protect, so it should include locally attached subnets. The general premise in Snort is anything not in HOME_NET is a potential bad guy. Are you doing something unique that needs local nets excluded from HOME_NET?
Bill
-
THANKS Gogol!!
I am glad you are awake when I am not :D
The new Snort package blocks whitelisted WAN IPs and the 2.5.8 didn't.
I had the 1st block just a couple of minutes ago.
As far as I can see in your pictures (a few posts later) the WAN IP is not blocked, but has the new + sign to add it to the suppress list. When it is blocked it also has an X!
I missed the fact as well that it was the ALERTS tab you were showing. You will get displayed alerts for whitelisted IPs, but no blocks. The whitelist prevents blocks on alerts, but does not suppress the alerts themselves.
Bill
-
Thanks Bill! Another fantastic job from you!
-
Sorry, I was awake 8). Thanks for all the adds to the package. I noticed that in the Home Net to inspect tab, I set up a custom whitelist so only the WAN IP would be checked, but it's still adding the LAN subnet. In the Whitelist underneath External net, it does display correctly.
Yes, this was by design. HOME_NET defines the networks to protect, so it should include locally attached subnets. The general premise in Snort is anything not in HOME_NET is a potential bad guy. Are you doing something unique that needs local nets excluded from HOME_NET?
Bill
Nope, nothing special. Just making sure it's not a bug or anything.
I was only asking because of the WAN variables. Whatever I don't have running I try to set to the WAN IP so it doesn't do the entire network (to try to increase performance). When the home_net didn't add the local network I could just leave all the variables blank, but I will just create an alias and define the servers manually.
Thanks again
-
So I have been playing with the Host Attribute Table but can't seem to get it running correctly. I looked at a few examples but I keep getting
snort[****]: FATAL ERROR: /usr/local/etc/snort/snort_*_em0/snort.conf(253) Unknown config directive: max_attribute_hosts.
Can anyone provide an example to put in the Host Attribute data with just one host?