Snort 2.9.4.6 pkg v2.6.0 Update



  • An update to the Snort package has been posted.  This update fixes a few bugs and adds a handful of new features.

    • Fix for multiple Snort processes started on the same interface following a reboot.

    • Fix bug that prevented auto-adding an entry to an empty Suppress List.

    • Add check so auto-flowbits logic does not re-enable rules the user has manually disabled.

    • Update PORTVAR ports to match current defaults in snort.conf file from the Snort Team.

    • Rules update downloads will now use the system proxy server (if one is configured).

    • Add missing SSH preprocessor configuration directive to GUI and in snort.conf file.

    • Update several default settings for preprocessors including new settings for the SIP and FTP-Telnet preprocessors.

    • Can no longer delete an "in use" Suppress List. You must remove a list from all interfaces before deleting it.

    • Add downloaded filenames of the rules files to the Rules Update log output.

    • Add new icon to the ALERTS and BLOCKED tabs to perform a reverse DNS lookup on a displayed IP address entry. Also corrected alignment of the existing icons for adding Suppress List entries or removing Blocked Hosts.

    • Add logic to uniquely name Suppress Lists to prevent duplicate entries (lists with same name).

    • Add native Snort GUI function for resolving and unpacking Aliases so that FQDN Aliases can be correctly resolved and used in the configuration.

    • Fix assorted typos in source code and cleanup formatting of auto-generated snort.conf files.

    The actual changes to the code files can be found here:  https://github.com/pfsense/pfsense-packages/pull/514

    Bill



  • Hey!

    Just updated 3rd production box on 2.1.
    Thanks again, the thing is flying now because just 1 process is created :)



  • @maverick_slo:

    Hey!

    Just updated 3rd production box on 2.1.
    Thanks again, the thing is flying now because just 1 process is created :)

    Glad to hear things are improved by this update  :)

    For other users still on 2.0.3 –
    The 2.0.3 binary packages also finished rebuilding and are now posted.  This is the same Snort binary version as before (2.9.4.6), but it contains a fix for the SMTP preprocessor not correctly supporting a soft restart.  The PBI package for 2.1 users already contains the new binary, so 2.1 users are good.  If any 2.0.3 users updated Snort since yesterday, I suggest you do a quick remove and re-install to pick up the newest binary.

    Bill



  • In addition to working great with no duplicates, Memory utilization reduced by about 800MB in general. Not complaining but trying to figure out if it is expected.  :D

    Thanks for the hard working for this update, Bill.



  • @bmeeks:

    An update to the Snort package has been posted.  This update fixes a few bugs and adds a handful of new features.

    • Add native Snort GUI function for resolving and unpacking Aliases so that FQDN Aliases can be correctly resolved and used in the configuration.

    The actual changes to the code files can be found here:  https://github.com/pfsense/pfsense-packages/pull/514

    Bill

    Thanks Bill!! :)



  • @ccb056:

    @bmeeks:

    An update to the Snort package has been posted.  This update fixes a few bugs and adds a handful of new features.

    • Add native Snort GUI function for resolving and unpacking Aliases so that FQDN Aliases can be correctly resolved and used in the configuration.

    The actual changes to the code files can be found here:  https://github.com/pfsense/pfsense-packages/pull/514

    Bill

    Thanks Bill!! :)

    I thought this feature might be useful and popular, but it may be a little ragged around the edges on the first attempt.  Let me know if you see any weird things.  One user has already reported some duplicate IPs getting added to the whitelist.

    Also realize that for now, these FQDN aliases are only resolved during a Snort startup.  So they are not truly realtime yet.

    Bill



  • @pfSenseRocks:

    In addition to working great with no duplicates, Memory utilization reduced by about 800MB in general. Not complaining but trying to figure out if it is expected.  :D

    Thanks for the hard working for this update, Bill.

    Not sure anything I changed would impact the memory footprint other than eliminating the duplicate processes.

    Bill



  • Thanks for the update!

    Additional to upcoming binary update, would it be possible to make snort2c list persist through filter_reload? pfBlocker lists, aliases, etc. persist through it, why doesn't snort2c?



  • I'm on 2.5.9 and just upgraded to 2.1 on 32 bit.  I have my block removal set to never remove, but I noticed several times that I have a large amount of alerts, but the blocked list gets reset frequently.  I haven't powered down the box.  Any suggestions? I plan on upgrading to 2.6 tonight, but just wondering if anyone else was experiencing this?



  • pfSense function filter_reload will clear the snort2c list, like mentioned on a gazillion threads since 2.1 was released :)



  • Thanks, so this is a bug I take it, or how is there something I can do to fix this? When I search the forums I only find 2 posts on the issue.  Thanks.



  • @newbieuser1234:

    Thanks, so this is a bug I take it, or how is there something I can do to fix this? When I search the forums I only find 2 posts on the issue.  Thanks.

    I don't think it is a bug in Snort so much as it is a change in behavior of 2.1 pfSense.  I changed nothing in Snort relative to the blocking functions.  In fact, those haven't changed in many, many months.  Instead, 2.1 pfSense is doing something differently in regards to clearing the pf blocking tables.

    I will investigate to see if there is anything I can do on the Snort side of things to cope with this.

    Bill



  • Awesome. Thanks again for creating this package. It's a great one.  What do you think will happen with Cisco's acquisition of Sourcefire? Do you think it will effect the availability or your package?



  • @newbieuser1234:

    Awesome. Thanks again for creating this package. It's a great one.  What do you think will happen with Cisco's acquisition of Sourcefire? Do you think it will effect the availability or your package?

    I think the general feeling is the open-source Snort software and rules will survive despite the Cisco acquisition.  But nobody really knows for sure but the Cisco bosses.

    One minor correction.  I did not create the Snort package on pfSense.  That was the work of several others in the distant past.  I just sort of became the default maintainer late in 2012 when I submitted some fixes and a few new features.  Thanks for the kind words, though.

    Bill



  • @fragged:

    Thanks for the update!

    Additional to upcoming binary update, would it be possible to make snort2c list persist through filter_reload? pfBlocker lists, aliases, etc. persist through it, why doesn't snort2c?

    Aliases live in the config.xml file and might be reloaded on a filter reload call.  Don't now for sure, though.  I can look through the pfBlocker package code and see where it stores its block list and how it protects it.

    Bill



  • Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?



  • Well - If the Cisco acquisition of SNORT effects things and 90% or so of the group goes with Cisco, then get a new group.  Call it something else and continue on.  SNIFF (TM) is a good name…

    And if the band you're in starts playing different tunes...



  • @newbieuser1234:

    Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?

    No I don't, but I also don't think it is necessarily on a regularly scheduled basis.  I really don't know much about that process.  Guess I need to dig in and learn.

    Bill


  • Banned

    I get this when trying to upgrade a 2.0.3 box…

    Beginning package installation for snort...
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading snort and its dependencies...
    Checking for package installation...
    Downloading http://files.pfsense.org/packages/8/All/barnyard2-1.12.tbz ...  (extracting)

    Downloading http://files.pfsense.org/packages/8/All/mysql-client-5.5.33.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/mysql-client-5.5.33.tbz.
    of barnyard2-1.12 failed!

    Installation aborted.Backing up libraries...
    Removing package...
    Starting package deletion for mysql-client-5.5.30...done.
    Starting package deletion for barnyard2-1.12...done.
    Starting package deletion for libnet11-1.1.6,1...done.
    Skipping package deletion for libdnet-1.11_3 because it is a dependency.
    Starting package deletion for libpcap-1.3.0...done.
    Starting package deletion for daq-2.0.0...done.
    Starting package deletion for snort-2.9.4.6...done.
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Include file snort.inc could not be found for inclusion.
    Deinstall commands...
    Not executing custom deinstall hook because an include is missing.
    Removing package instructions...done.
    Auxiliary files... done.
    Package XML... done.
    Configuration... done.
    Cleaning up... Failed to install package.

    Installation halted.



  • Supermule, how much do you pay for your connection a month or do you work at an ISP?  That speed is nuts.


  • Banned

    :D That is what I offer to my clients in my VDI environment.

    All sitting on 10Gbit backbone direct to the internet exchange :)

    @newbieuser1234:

    Supermule, how much do you pay for your connection a month or do you work at an ISP?  That speed is nuts.



  • @Supermule:

    I get this when trying to upgrade a 2.0.3 box…

    Beginning package installation for snort...
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading snort and its dependencies...
    Checking for package installation...

    Downloading http://files.pfsense.org/packages/8/All/mysql-client-5.5.33.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/mysql-client-5.5.33.tbz.
    of barnyard2-1.12 failed!

    ...

    Installation aborted.Backing up libraries...
    Cleaning up... Failed to install package.

    Installation halted.

    jimp mentioned in an e-mail exchange with me that the 2.0.3 package builders had some issues with updates to the Ports.  That's why the rollout of the updated binary was delayed a bit.  Looks like the builder used a newer MySQL client package (5.5.33 instead of 5.5.30) than what is specified in the pkg_config.8.xml file.  I'll pass this along to jimp.  He should be able to fix it up easy enough.

    I looked at files.pfsense.org and MySQL client packages are there for 5.5.30, 5.5.32, and 5.5.34.  But no version 5.5.33, so something must have gone weird with the package builder.  The pfSense guys should be able to get it sorted out.  I've sent a note to them alerting them of the issue.

    Bill


  • Banned

    Damn nice Bill!!


  • Banned

    Pls. notify when package is ready to install :)



  • @Supermule:

    Pls. notify when package is ready to install :)

    Got a reply back from jimp.  He says it should be OK now.  Give it a try and let me know if you still have problems.

    Bill


  • Banned

    Its running and blocking!!

    THAAAAAAAAAAAAAAAAAANK YOU!! :-*



  • @Supermule:

    Its running and blocking!!

    THAAAAAAAAAAAAAAAAAANK YOU!! :-*

    OK! Thanks for the feedback.

    There is one small bug uncovered thus far with the new FQDN Alias support.  I worked that one with another user who successfully tested a fix.  I will hold up pushing out that update while I wait to see if anything else surfaces.  That bug is sort of minor and only affects folks using the FQDN Alias with a particular configuration.

    Bill


  • Banned

    No worries! I will provide peadback asap if something pops up!



  • Thanks for the updates/fixes Bill!! Snort is running pretty smooth and no dup processes =D



  • Updated fine a few days ago, but today Snort won't start on all of my three interfaces.
    All interfaces get the same fatal error:

    FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_35802_em2/snort.conf(194) => Invalid port number.

    pfSense 2.1 i386 snort 2.9.4.6 pkg v2.60

    Reinstalling the package gives the same error.



  • @digdug3:

    Updated fine a few days ago, but today Snort won't start on all of my three interfaces.
    All interfaces get the same fatal error:

    FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_35802_em2/snort.conf(194) => Invalid port number.

    pfSense 2.1 i386 snort 2.9.4.6 pkg v2.60

    Reinstalling the package gives the same error.

    Sounds like maybe something is corrupted in your configuration.  Get a console prompt and open that file in vi.  Goto line 194 and see what is shown.  Post the results back if you can.  The error message gives the offending line number in the text.  It is 194 in this case.  Did you make any changes to the configuration or edit any Aliases that may be referenced in Snort?

    Bill



  • No, no changes. Even put back the backup from a day before, same problems.

    Here are the lines at #194 (all interfaces hang at the same line):
    Line 194 is in bold:

    preprocessor ftp_telnet_protocol: ftp server default
    ….
    ....
        cmd_validity STRU < char FRP >
        cmd_validity ALLO < int [ char R int ] >
        cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
        cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >
        cmd_validity PORT < host_port >

    preprocessor ftp_telnet_protocol: ftp client default
      max_resp_len 256
      bounce yes
      ignore_telnet_erase_cmds yes
      telnet_cmds yes



  • Ok, found the problem… (Thanks for hinting me about the aliases)
    In v2.0.3 I added the FTP ports alias:
    20,21 AND 15002:15018

    That last one (with the semicolom) isn't supported anymore for the FTP preprocessor in the last version of the Snort package(?).

    After removing the port range the interfaces all started again.



  • @digdug3:

    Ok, found the problem… (Thanks for hinting me about the aliases)
    In v2.0.3 I added the FTP ports alias:
    20,21 AND 15002:15018

    That last one (with the semicolom) isn't supported anymore for the FTP preprocessor in the last version of the Snort package(?).

    After removing the port range the interfaces all started again.

    Probably my bad with the last update.  The port range should work.  Post back exactly what your Alias looks like and let me reproduce the condition in my test VMs so I can fix it.

    Thanks for reporting it,

    Bill



  • Here is the alias as attachment.




  • @digdug3:

    Here is the alias as attachment.

    Thanks for the information.  It will be a few days, but I will see if I can fix this.  I have some other conflicting activities the next few days.

    Bill



  • Take your time. Workaround was simple. Just add the ports one by one in the alias and all was working again.
    I think it is more important to fix the snort blocking issues in pfsense 2.1



  • @digdug3:

    Take your time. Workaround was simple. Just add the ports one by one in the alias and all was working again.
    I think it is more important to fix the snort blocking issues in pfsense 2.1

    Ermal has committed to take a run at that soon.  He did confirm the problem is with the filter_reload() code and not in the Snort package itself.  The bad news in this good news is that means an update to pfSense itself, so we are probably looking at 2.1.1 or something for the fix.

    Bill


  • Banned

    Then I wished they would incoporate the widescreen theme as well since it makes pfsense much better!



  • @bmeeks:

    @newbieuser1234:

    Do you know roughly how often the filter_reload happens? Snort still blocks effectively correct, just allows the offending IP to attack again after the filter_reload happens?

    No I don't, but I also don't think it is necessarily on a regularly scheduled basis.  I really don't know much about that process.  Guess I need to dig in and learn.

    Bill

    Filter reload is done every 15 mins.

    From /etc/crontab :

    
    0,15,30,45      *       *       *       *       root    /etc/rc.filter_configure_sync                                                                        
    
    

    Each time filter_configure_sync is called, the snort2c table is cleared:

    
    [2.1-RELEASE][root@necro.necronet.local]/root(6): pfctl -t snort2c -T show
       209.31.45.2
    [2.1-RELEASE][root@necro.necronet.local]/root(7): /etc/rc.filter_configure_sync
    [2.1-RELEASE][root@necro.necronet.local]/root(8): pfctl -t snort2c -T show
    
    

Log in to reply