Snort 2.9.4.6 pkg v2.6.0 Update
-
An update to the Snort package has been posted. This update fixes a few bugs and adds a handful of new features.
-
Fix for multiple Snort processes started on the same interface following a reboot.
-
Fix bug that prevented auto-adding an entry to an empty Suppress List.
-
Add check so auto-flowbits logic does not re-enable rules the user has manually disabled.
-
Update PORTVAR ports to match current defaults in snort.conf file from the Snort Team.
-
Rules update downloads will now use the system proxy server (if one is configured).
-
Add missing SSH preprocessor configuration directive to GUI and in snort.conf file.
-
Update several default settings for preprocessors including new settings for the SIP and FTP-Telnet preprocessors.
-
Can no longer delete an "in use" Suppress List. You must remove a list from all interfaces before deleting it.
-
Add downloaded filenames of the rules files to the Rules Update log output.
-
Add new icon to the ALERTS and BLOCKED tabs to perform a reverse DNS lookup on a displayed IP address entry. Also corrected alignment of the existing icons for adding Suppress List entries or removing Blocked Hosts.
-
Add logic to uniquely name Suppress Lists to prevent duplicate entries (lists with same name).
-
Add native Snort GUI function for resolving and unpacking Aliases so that FQDN Aliases can be correctly resolved and used in the configuration.
-
Fix assorted typos in source code and cleanup formatting of auto-generated snort.conf files.
The actual changes to the code files can be found here: https://github.com/pfsense/pfsense-packages/pull/514
Bill
-
-
Hey!
Just updated 3rd production box on 2.1.
Thanks again, the thing is flying now because just 1 process is created :) -
Hey!
Just updated 3rd production box on 2.1.
Thanks again, the thing is flying now because just 1 process is created :)Glad to hear things are improved by this update :)
For other users still on 2.0.3 –
The 2.0.3 binary packages also finished rebuilding and are now posted. This is the same Snort binary version as before (2.9.4.6), but it contains a fix for the SMTP preprocessor not correctly supporting a soft restart. The PBI package for 2.1 users already contains the new binary, so 2.1 users are good. If any 2.0.3 users updated Snort since yesterday, I suggest you do a quick remove and re-install to pick up the newest binary.Bill
-
In addition to working great with no duplicates, Memory utilization reduced by about 800MB in general. Not complaining but trying to figure out if it is expected. :D
Thanks for the hard working for this update, Bill.
-
An update to the Snort package has been posted. This update fixes a few bugs and adds a handful of new features.
- Add native Snort GUI function for resolving and unpacking Aliases so that FQDN Aliases can be correctly resolved and used in the configuration.
The actual changes to the code files can be found here: https://github.com/pfsense/pfsense-packages/pull/514
Bill
Thanks Bill!! :)
-
An update to the Snort package has been posted. This update fixes a few bugs and adds a handful of new features.
- Add native Snort GUI function for resolving and unpacking Aliases so that FQDN Aliases can be correctly resolved and used in the configuration.
The actual changes to the code files can be found here: https://github.com/pfsense/pfsense-packages/pull/514
Bill
Thanks Bill!! :)
I thought this feature might be useful and popular, but it may be a little ragged around the edges on the first attempt. Let me know if you see any weird things. One user has already reported some duplicate IPs getting added to the whitelist.
Also realize that for now, these FQDN aliases are only resolved during a Snort startup. So they are not truly realtime yet.
Bill
-
In addition to working great with no duplicates, Memory utilization reduced by about 800MB in general. Not complaining but trying to figure out if it is expected. :D
Thanks for the hard working for this update, Bill.
Not sure anything I changed would impact the memory footprint other than eliminating the duplicate processes.
Bill
-
Thanks for the update!
Additional to upcoming binary update, would it be possible to make snort2c list persist through filter_reload? pfBlocker lists, aliases, etc. persist through it, why doesn't snort2c?
-
I'm on 2.5.9 and just upgraded to 2.1 on 32 bit. I have my block removal set to never remove, but I noticed several times that I have a large amount of alerts, but the blocked list gets reset frequently. I haven't powered down the box. Any suggestions? I plan on upgrading to 2.6 tonight, but just wondering if anyone else was experiencing this?
-
pfSense function filter_reload will clear the snort2c list, like mentioned on a gazillion threads since 2.1 was released :)
-
Thanks, so this is a bug I take it, or how is there something I can do to fix this? When I search the forums I only find 2 posts on the issue. Thanks.
-
Thanks, so this is a bug I take it, or how is there something I can do to fix this? When I search the forums I only find 2 posts on the issue. Thanks.
I don't think it is a bug in Snort so much as it is a change in behavior of 2.1 pfSense. I changed nothing in Snort relative to the blocking functions. In fact, those haven't changed in many, many months. Instead, 2.1 pfSense is doing something differently in regards to clearing the pf blocking tables.
I will investigate to see if there is anything I can do on the Snort side of things to cope with this.
Bill
-
Awesome. Thanks again for creating this package. It's a great one. What do you think will happen with Cisco's acquisition of Sourcefire? Do you think it will effect the availability or your package?
-
Awesome. Thanks again for creating this package. It's a great one. What do you think will happen with Cisco's acquisition of Sourcefire? Do you think it will effect the availability or your package?
I think the general feeling is the open-source Snort software and rules will survive despite the Cisco acquisition. But nobody really knows for sure but the Cisco bosses.
One minor correction. I did not create the Snort package on pfSense. That was the work of several others in the distant past. I just sort of became the default maintainer late in 2012 when I submitted some fixes and a few new features. Thanks for the kind words, though.
Bill
-
Thanks for the update!
Additional to upcoming binary update, would it be possible to make snort2c list persist through filter_reload? pfBlocker lists, aliases, etc. persist through it, why doesn't snort2c?
Aliases live in the config.xml file and might be reloaded on a filter reload call. Don't now for sure, though. I can look through the pfBlocker package code and see where it stores its block list and how it protects it.
Bill
-
Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?
-
Well - If the Cisco acquisition of SNORT effects things and 90% or so of the group goes with Cisco, then get a new group. Call it something else and continue on. SNIFF (TM) is a good name…
And if the band you're in starts playing different tunes...
-
Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?
No I don't, but I also don't think it is necessarily on a regularly scheduled basis. I really don't know much about that process. Guess I need to dig in and learn.
Bill
-
I get this when trying to upgrade a 2.0.3 box…
Beginning package installation for snort...
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.12.tbz ... (extracting)Downloading http://files.pfsense.org/packages/8/All/mysql-client-5.5.33.tbz ... could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/mysql-client-5.5.33.tbz.
of barnyard2-1.12 failed!Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for mysql-client-5.5.30...done.
Starting package deletion for barnyard2-1.12...done.
Starting package deletion for libnet11-1.1.6,1...done.
Skipping package deletion for libdnet-1.11_3 because it is a dependency.
Starting package deletion for libpcap-1.3.0...done.
Starting package deletion for daq-2.0.0...done.
Starting package deletion for snort-2.9.4.6...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.Installation halted.
-
Supermule, how much do you pay for your connection a month or do you work at an ISP? That speed is nuts.
