Snort 2.9.4.6 Pkg v 2.5.9 - New Feature Screenshots and Explanation

bmeeks

Snort 2.9.4.6 Pkg ver 2.5.9

The Snort package has been updated. The underlying Snort binary is now 2.9.4.6.  The GUI package is now 2.5.9.  This post and the next few demonstrate some of the new additions to the Snort package with screenshots and a brief explanation.  Full details on the changes and bug fixes in this release, along with a discussion thread, can be found here:  http://forum.pfsense.org/index.php/topic,63568.msg343739.html#msg343739

Rules Update Start Time

The Rules Update start time is now configurable within the GUI.  In the past only the update interval was selectable.  The start time was hard-coded at 00:03 (3 minutes past midnight).  An often requested feature from users running more than one install of Snort and pfSense was the ability to stagger the automatic rule updates.

As you see in the attached image, the Global Settings tab now sports a new Rules Update Settings section where you can select both the update interval and the starting time.  So for example, you can set the interval to 12 hours and the start time to 01:15 (time is in 24-hour format, HH:MM).  The rule update job will then execute at 01:15 and 13:15 each day.

bmeeks

Snort 2.9.4.6 Pkg ver 2.5.9

New Detection Performance Settings

Continuing an idea that began with package 2.5.7, more and more formerly hard-coded configuration settings are now configurable via the GUI.  Package version 2.5.9 introduces a number of configurable options for the Detection engine in Snort.  These are available on the If Settings tab

The Split-ANY-ANY, Search-Optimize and No-Stream-Inserts parameters can be customized to suit your network environment and traffic.  See the screen shot attached below.  The defaults reflect the formerly hard-coded values.  So if you have no need to tweak these settings, leaving them at their defaults will produce the exact same setup as the older Snort packages.

bmeeks

Snort 2.9.4.6 Pkg ver 2.5.9

Host Attribute Table Support

This version introduces Host Attribute Table support.  This feature has been a part of most Snort installations for quite some time, but was absent in the pfSense implementation.  The Host Attribute Table is a Snort construct that allows you to scan your network with other tools (such as nmap) and "fingerprint" the hosts.  This fingerprint data is then used to generate customized preprocessor settings in Snort tailored to the assets being protected.  Two popular tools for automatically generating the correct Host Attribute Table file are hogger and PRADS.  More information on the Host Attribute Table can be found in the Snort manual hosted on Snort.org.

The Host Attribute Table configuration is located on the Preprocessors tab.  You have the option of either importing a pre-formatted file containing host attribute data, or directly entering the data using the Snort GUI.  Importing from a file is the recommended approach.  The controls in this configuration area are disabled until the "Enable" check box is checked.

bmeeks

Snort 2.9.4.6 Pkg ver 2.5.9

Enable All / Disable All Rules in a Category

Another requested feature was the ability to quickly enable all or disable all the rules in a selected category on the Rules tab.  That capability is now included.  Two new icons are available on the Rules tab.  One forces all the rules in the selected category to be "enabled", and the other forces them all to be "disabled".

Another feature added to this page is a bookmark anchor that allows you to return to the same area of your last edit.  So if you are marking several rules in a long list of rules, each time you click on a rule to enable or disable it, the page will return to approximately the same area with the previously clicked rule auto-scrolled into view near the top of the page.  Also note the column headers on this tab are clickable and will alternate sorting in ascending or descending order when clicked.

bmeeks

Snort 2.9.4.6 Pkg ver 2.5.9

Auto-Add Suppression Rules for Track By Source or Track By Destination from Alerts tab

Additional icons will now show up on the Alerts tab under the SRC and DST columns for displayed alerts.  A plus (+) icon will appear under an IP address in the SRC or DST columns.  Clicking the plus (+) icon will automatically add the IP to the Suppress List for the interface using the "track by src ip" or "track by dst ip " form.  If the IP address is already present in the Suppress List, then a disabled icon will be displayed.

This gives you three ways to suppress alerts.  By SRC IP, by DST IP, or by GID:SID.  The third method (by GID:SID) is global in that it will suppress the alert regardless of source or destination.  For this reason, when a global suppress list entry containing only the GID:SID with no other qualifiers is present, then no plus (+) icon will displayed for that alert under the SRC or DST columns.  This is because in the case of a globally suppressed alert, the IP addresses are irrelevant.

Note also in the screen shot below that (X) icons are also displayed.  These have been available for quite some time in the GUI.  When present, they indicate the IP address is currently being blocked.  Clicking the (X) icon will remove the IP address from the blocking table.