Netgate Discussion Forum
    Snort 2.9.4.6 Pkg v 2.5.9 - New Feature Screenshots and Explanation

    bmeeks

      Snort 2.9.4.6 Pkg ver 2.5.9

      The Snort package has been updated. The underlying Snort binary is now 2.9.4.6.  The GUI package is now 2.5.9.  This post and the next few demonstrate some of the new additions to the Snort package with screenshots and a brief explanation.  Full details on the changes and bug fixes in this release, along with a discussion thread, can be found here:  http://forum.pfsense.org/index.php/topic,63568.msg343739.html#msg343739

      Rules Update Start Time

      The Rules Update start time is now configurable within the GUI.  In the past only the update interval was selectable.  The start time was hard-coded at 00:03 (3 minutes past midnight).  An often requested feature from users running more than one install of Snort and pfSense was the ability to stagger the automatic rule updates.

      As you see in the attached image, the Global Settings tab now sports a new Rules Update Settings section where you can select both the update interval and the starting time.  So for example, you can set the interval to 12 hours and the start time to 01:15 (time is in 24-hour format, HH:MM).  The rule update job will then execute at 01:15 and 13:15 each day.

      [Image: RulesUpdateStartTime.jpg]

      bmeeks

        Snort 2.9.4.6 Pkg ver 2.5.9

        New Detection Performance Settings

        Continuing an idea that began with package 2.5.7, more and more formerly hard-coded configuration settings are now configurable via the GUI.  Package version 2.5.9 introduces a number of configurable options for the Detection engine in Snort.  These are available on the If Settings tab.

        The Split-ANY-ANY, Search-Optimize and No-Stream-Inserts parameters can be customized to suit your network environment and traffic.  See the screen shot attached below.  The defaults reflect the formerly hard-coded values.  So if you have no need to tweak these settings, leaving them at their defaults will produce the exact same setup as the older Snort packages.

        [Image: NewDetectionPerformanceSettings.jpg]

        bmeeks

          Snort 2.9.4.6 Pkg ver 2.5.9

          Host Attribute Table Support

          This version introduces Host Attribute Table support.  This feature has been a part of most Snort installations for quite some time, but was absent in the pfSense implementation.  The Host Attribute Table is a Snort construct that allows you to scan your network with other tools (such as nmap) and "fingerprint" the hosts.  This fingerprint data is then used to generate customized preprocessor settings in Snort tailored to the assets being protected.  Two popular tools for automatically generating the correct Host Attribute Table file are hogger and PRADS.  More information on the Host Attribute Table can be found in the Snort manual hosted on Snort.org.

          The Host Attribute Table configuration is located on the Preprocessors tab.  You have the option of either importing a pre-formatted file containing host attribute data, or directly entering the data using the Snort GUI.  Importing from a file is the recommended approach.  The controls in this configuration area are disabled until the "Enable" check box is checked.

          [Image: NewHostAttributeTablePreprocessorSetting.jpg]

          bmeeks
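Because importing a pre-formatted file is the recommended route, a sanity check before the import is worth having. The following is an added example, not code from the Snort package or from this post: it parses a small constructed Host Attribute Table in the layout the Snort manual describes (the host 192.0.2.10 and its service are hypothetical) and rejects a file whose ATTRIBUTE_ID references do not resolve through the ATTRIBUTE_MAP.

```python
import xml.etree.ElementTree as ET
# Constructed sample (hypothetical host 192.0.2.10) in the layout the Snort
# manual gives for the Host Attribute Table: an ID map plus per-host data.
SAMPLE_TABLE = """<SNORT_ATTRIBUTES>
<ATTRIBUTE_MAP>
  <ENTRY><ID>1</ID><VALUE>Linux</VALUE></ENTRY>
  <ENTRY><ID>2</ID><VALUE>ssh</VALUE></ENTRY>
</ATTRIBUTE_MAP>
<ATTRIBUTE_TABLE><HOST><IP>192.0.2.10</IP>
  <OPERATING_SYSTEM>
    <NAME><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></NAME>
    <STREAM_POLICY>linux</STREAM_POLICY>
  </OPERATING_SYSTEM>
  <SERVICES><SERVICE>
    <PORT><ATTRIBUTE_VALUE>22</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
    <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
    <PROTOCOL><ATTRIBUTE_ID>2</ATTRIBUTE_ID><CONFIDENCE>100</CONFIDENCE></PROTOCOL>
  </SERVICE></SERVICES>
</HOST></ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>"""

def _value(node, attr_map):
    # A field carries either an inline ATTRIBUTE_VALUE or an ATTRIBUTE_ID
    # that must resolve through the ATTRIBUTE_MAP; anything else is an error.
    inline = node.find("ATTRIBUTE_VALUE")
    if inline is not None:
        return inline.text
    ref = node.findtext("ATTRIBUTE_ID")
    if ref not in attr_map:
        raise ValueError("unresolvable attribute in <%s>" % node.tag)
    return attr_map[ref]

def check_host_attribute_table(xml_text):
    """Parse a table into {ip: {"os", "stream", "services"}}; raise ValueError
    on a dangling ATTRIBUTE_ID, a missing <IP> or a duplicate host entry."""
    root = ET.fromstring(xml_text)
    attr_map = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}
    hosts = {}
    for host in root.iter("HOST"):
        ip = host.findtext("IP")
        if not ip or ip in hosts:
            raise ValueError("missing or duplicate <IP>: %r" % ip)
        os_node = host.find("OPERATING_SYSTEM")
        services = [(_value(s.find("IPPROTO"), attr_map),
                     int(_value(s.find("PORT"), attr_map)),
                     _value(s.find("PROTOCOL"), attr_map))
                    for s in host.iter("SERVICE")]
        hosts[ip] = {"os": _value(os_node.find("NAME"), attr_map),
                     "stream": os_node.findtext("STREAM_POLICY"),
                     "services": services}
    return hosts
```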

            Snort 2.9.4.6 Pkg ver 2.5.9

            Enable All / Disable All Rules in a Category

            Another requested feature was the ability to quickly enable all or disable all the rules in a selected category on the Rules tab.  That capability is now included.  Two new icons are available on the Rules tab.  One forces all the rules in the selected category to be "enabled", and the other forces them all to be "disabled".

            Another feature added to this page is a bookmark anchor that allows you to return to the same area of your last edit.  So if you are marking several rules in a long list of rules, each time you click on a rule to enable or disable it, the page will return to approximately the same area with the previously clicked rule auto-scrolled into view near the top of the page.  Also note the column headers on this tab are clickable and will alternate sorting in ascending or descending order when clicked.

            [Image: NewEnableDisableAllCategoryRules.jpg]

            bmeeks

              Snort 2.9.4.6 Pkg ver 2.5.9

              Auto-Add Suppression Rules for Track By Source or Track By Destination from Alerts tab

              Additional icons will now show up on the Alerts tab under the SRC and DST columns for displayed alerts.  A plus (+) icon will appear under an IP address in the SRC or DST columns.  Clicking the plus (+) icon will automatically add the IP to the Suppress List for the interface using the "track by src ip" or "track by dst ip" form.  If the IP address is already present in the Suppress List, then a disabled icon will be displayed.

              This gives you three ways to suppress alerts: by SRC IP, by DST IP, or by GID:SID.  The third method (by GID:SID) is global in that it will suppress the alert regardless of source or destination.  For this reason, when a global suppress list entry containing only the GID:SID with no other qualifiers is present, then no plus (+) icon will be displayed for that alert under the SRC or DST columns.  This is because in the case of a globally suppressed alert, the IP addresses are irrelevant.

              Note also in the screen shot below that (X) icons are also displayed.  These have been available for quite some time in the GUI.  When present, they indicate the IP address is currently being blocked.  Clicking the (X) icon will remove the IP address from the blocking table.

              [Image: NewAlertsOptions.jpg]

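The icon logic described above, worked through as an added example that is not part of the post or of the Snort package: a constructed suppress list in Snort's threshold.conf "suppress" syntax (the GID:SIDs and RFC 5737 addresses are hypothetical) is parsed, each alert's SRC and DST columns are resolved to plus, disabled or no icon following the three rules in the post, and clicking plus appends the track-by-src or track-by-dst entry.

```python
import re

# Constructed sample suppress list for one interface (hypothetical GID:SIDs
# and RFC 5737 addresses), written in Snort's threshold.conf suppress syntax.
SAMPLE_SUPPRESS = """\
# global entry: silences 1:2000001 for every source and destination
suppress gen_id 1, sig_id 2000001
# per-address entries in the "track by src ip" / "track by dst ip" form
suppress gen_id 1, sig_id 2000002, track by_src, ip 192.0.2.50
suppress gen_id 1, sig_id 2000002, track by_dst, ip 198.51.100.7
"""

_LINE = re.compile(r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
                   r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?\s*$")

def parse_suppress(text):
    """Return a list of (gid, sid, track, ip); track and ip are None for a global entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unrecognised suppress line: %r" % line)
        gid, sid, track, ip = m.groups()
        entries.append((int(gid), int(sid), track, ip))
    return entries

def alert_icons(entries, gid, sid, src, dst):
    """Icon for the SRC and DST columns of one alert: 'none' when a global
    GID:SID entry already covers it (addresses are irrelevant), 'disabled' when
    that address is already suppressed in that direction, otherwise 'plus'."""
    if any(e[:2] == (gid, sid) and e[2] is None for e in entries):
        return {"src": "none", "dst": "none"}
    icons = {}
    for col, track, ip in (("src", "by_src", src), ("dst", "by_dst", dst)):
        present = any(e == (gid, sid, track, ip) for e in entries)
        icons[col] = "disabled" if present else "plus"
    return icons

def add_suppress(entries, gid, sid, track, ip):
    """What clicking the plus icon does: add the entry unless it already exists."""
    entry = (gid, sid, track, ip)
    if entry not in entries:
        entries.append(entry)
    return "suppress gen_id %d, sig_id %d, track %s, ip %s" % entry
```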