Snort 2.9.4.6 pkg v2.6.1
-
An updated Snort package is now available. Release notes are below.
Bill
Snort Package v2.6.1 New Features
This update adds support for the Emerging Threats Pro ruleset to the Snort package. The ETPro ruleset is mutually exclusive to the Emerging Threats Open (ETOpen) ruleset. Because the ETPro ruleset contains all of the ETOpen rules in addition to a number of others, it is not necessary to run both rulesets simultaneously. When the ETPro ruleset is selected, the ETOpen ruleset is automatically disabled. ETPro rules require a paid subscription through the Emerging Threats service. You must enter your ETPro subscription code as part of the configuration.
Tool Tip pop-ups now appear for form field textboxes in the Snort GUI where Aliases are used as the value. The Tool Tip pop up displays the resolved string value of the Alias when you hover your mouse over the textbox.
Automatically enabled Flowbit Rules can now be selected on the RULES tab the same as any other rules category. You can manually disable auto-flowbit rules if you have good reason for doing so, but the recommended method for dealing with unwanted alerts from auto-flowbit rules is to add a Suppress List entry instead. Disabling an auto-flowbit rule can result in unintended consequences including a reduction in overall protection. You need to fully understand the role of auto-flowbit rules in Snort and their impact on the security posture before choosing to disable one! A link is now provided on the RULES tab page when "Auto-Flowbit Rules" is the selected category for adding a Suppress List entry.
------------------------------------------------------------------------
IMPORTANT -- Snort Package Functionality Change
------------------------------------------------------------------------
Snort package update 2.6.0 introduced limited support for using Fully-Qualified-Domain-Name (FQDN) Aliases in some configuration parameters. This required a pair of package-specific custom functions for resolving FQDN Aliases because the built-in pfSense function does not support resolving FQDN Aliases. The Core Team package review rejected adding these two custom functions in the Snort package; therefore they have been backed out, and support for FQDN Aliases has currently been removed from the Snort package. This functionality may return in a later update when a suitable method exists natively in pfSense to allow packages to resolve FQDN Aliases. You can still use Host, Network and Port Aliases in Snort configurations. The only limitation is that any Host Aliases must be defined with specific IP addresses and must not be FQDN hosts.
Snort Package Bug Fixes
Port Aliases containing port ranges (such as 137:139, etc.) in their value were not being expanded into the full list of individual ports prior to being written to certain preprocessor configuration lines in the snort.conf file.
The Download buttons on the ALERTS and BLOCKED tabs now function properly to download the alert logs and blocked IP address lists. The downloaded file is a gzipped UNIX tar archive (*.tar.gz).
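The Port Alias fix above is easy to verify from the shell. The following is an added example, not code from the Snort package or from pfSense: it expands an alias value such as `137:139 445` into the individual ports a snort.conf preprocessor `ports { ... }` list expects, rejects malformed entries, and scans a generated snort.conf for any `low:high` range that was written out unexpanded. The alias layout (entries separated by spaces or commas, a range written as `low:high`) and the `ports { ... }` line shape are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the Snort package: expand a pfSense Port Alias
# value into the individual ports a snort.conf preprocessor "ports { ... }"
# list expects, and check a generated snort.conf for ranges left unexpanded
# (the bug fixed in package v2.6.1). Assumed alias layout: entries separated
# by spaces or commas, a range written as low:high.

# True when $1 is a decimal number in 0..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -le 65535 ]
}

# expand_port_alias "137:139 445" -> "137 138 139 445" (space separated, as
# used inside the braces of a preprocessor ports list). Returns 1 and prints
# a message on stderr for a malformed entry or an inverted range.
expand_port_alias() {
    out=""
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case "$entry" in
            *:*) lo=${entry%%:*}; hi=${entry#*:} ;;
            *)   lo=$entry;       hi=$entry ;;
        esac
        if ! is_port "$lo" || ! is_port "$hi" || [ "$lo" -gt "$hi" ]; then
            echo "bad port entry: $entry" >&2
            return 1
        fi
        p=$lo
        while [ "$p" -le "$hi" ]; do
            out="${out:+$out }$p"
            p=$((p + 1))
        done
    done
    printf '%s\n' "$out"
}

# has_unexpanded_range reads snort.conf text on stdin; exit status 0 means a
# preprocessor "ports { ... }" list still contains a low:high range.
has_unexpanded_range() {
    grep -E '^preprocessor .*ports \{[^}]*[0-9]+:[0-9]+' >/dev/null
}

# Demonstration on a constructed alias value and a constructed config line.
expand_port_alias "137:139 445"
if printf 'preprocessor ftp_telnet_protocol: ftp server default ports { 21 137:139 }\n' | has_unexpanded_range; then
    echo "unexpanded range found in preprocessor line"
fi
```

On a firewall, `has_unexpanded_range < /usr/local/etc/snort/snort_<id>_<if>/snort.conf` (the per-interface config path is an assumption) is a quick post-update sanity check that the package wrote out the ports it should have.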
-
Thanks Bill!
Did the core team give any reason for wanting to break FQDN support?
-
They were worried about extra work for the filterdns process and some other internals of pfSense. I think some improvements may come along later that will let FQDN support back into Snort and other packages. Of course the FQDN support that was there in 2.6.0 was very limited and definitely nowhere near realtime. The Aliases were only evaluated and updated on a Snort restart when the snort.conf file was rebuilt. So that is another reason for not including the support since it really does not work like FQDNs do in other parts of pfSense (meaning the Alias values do not get updated on the 5-minute interval).
Bill
-
I vaguely remember something about fixing the update log file formatting. Was this change made in this version or the planned 2.7 package version with new binary? My log file still looks rather horrible (see picture).
-
It looks fine to me. :(
How do you imagine a better way to see a text file?
-
Looks like it has duplicate lines and other formatting issues / odd line order. Or possibly the Snort update process is acting up on my system.
-
I think the update process is somehow borked on your setup. I have never seen that in my testing environment nor on my production system. Can you look in /etc/crontab and see if more than one Snort rule update job is in there? There should be just a single line calling snort_check_for_rule_updates.php. From the looks of that log file, it does appear multiple processes are trying to write to it at the same time or something.
Another thing to check is that you don't have multiple duplicate Snort processes running on the same interface. That was a problem some back that was supposed to be fixed in the 2.6.0 update. Execute this command and see if you see any duplicate lines in the output. If you do, shutdown Snort, then kill any remaining Snort processes and restart. You can also reboot the firewall if desired.
ps -ax | grep snort
Bill
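The two checks Bill asks for (one cron entry for the rule updater, one Snort process per interface) can be scripted so they give a yes/no answer instead of eyeballing output. This is an added example, not code from the Snort package: both functions read their input on stdin so they can be run against the constructed samples below or against the real `/etc/crontab` and `ps -ax` output. The cron job path `/usr/local/pkg/snort/snort_check_for_rule_updates.php` and the assumption that every Snort process names its interface with `-i <ifname>` on its command line are mine, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the Snort package: the two checks described in
# the thread, as functions that read /etc/crontab and ps output on stdin so
# they can be tested against constructed samples. Assumed details: the cron
# job path /usr/local/pkg/snort/snort_check_for_rule_updates.php and that
# each Snort process names its interface with "-i <ifname>".

# Number of active (non-comment) crontab lines that run the rule update
# script. Anything other than 1 deserves a look.
count_rule_update_jobs() {
    n=$(grep -v '^[[:space:]]*#' | grep -c 'snort_check_for_rule_updates.php') || true
    printf '%s\n' "${n:-0}"
}

# Interfaces that have more than one snort process attached, one per line.
duplicate_snort_interfaces() {
    awk '
        /snort / && !/grep/ {
            for (i = 1; i < NF; i++)
                if ($i == "-i") seen[$(i + 1)]++
        }
        END { for (ifc in seen) if (seen[ifc] > 1) print ifc }
    ' | sort
}

# Constructed sample input: a crontab with the update job listed twice.
sample_crontab() {
    cat <<'EOF'
# /etc/crontab (constructed sample)
*/5 * * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
1 0 * * * root /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php
1 0 * * * root /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php
EOF
}

# Constructed sample "ps -ax" output: two snort processes on em0, one on em1.
sample_ps() {
    cat <<'EOF'
  PID  TT  STAT      TIME COMMAND
12345  ??  Ss     0:05.12 /usr/local/bin/snort -R 12345 -D -q -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
12346  ??  Ss     0:05.01 /usr/local/bin/snort -R 12345 -D -q -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
23456  ??  Ss     0:03.44 /usr/local/bin/snort -R 23456 -D -q -c /usr/local/etc/snort/snort_23456_em1/snort.conf -i em1
34567   0  S+     0:00.00 grep snort
EOF
}

# On a live firewall replace the sample functions with the real sources:
#   count_rule_update_jobs < /etc/crontab
#   ps -ax | duplicate_snort_interfaces
echo "rule update cron jobs: $(sample_crontab | count_rule_update_jobs)"
dups=$(sample_ps | duplicate_snort_interfaces)
if [ -n "$dups" ]; then
    echo "interfaces with duplicate snort processes: $dups"
fi
```

A duplicate process on an interface is what produces interleaved, repeated lines in a shared log; the same check run after a restart confirms the cleanup actually took.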
-
I nuked my Snort setup and I'm currently setting up things again. The first rules update log looks much better. Before I didn't even get the update finished line.
Starting rules update... Time: 2013-11-07 18:15:50
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Checking Snort VRT md5 file...
There is a new set of Snort VRT rules posted.
Downloading file 'snortrules-snapshot-2946.tar.gz'...
Done downloading rules file.
Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'...
Checking Emerging Threats Open md5.
There is a new set of Emerging Threats Open rules posted.
Downloading file 'emerging.rules.tar.gz'...
Done downloading Emerging Threats Open rules file.
Extracting and installing Emerging Threats Open rules...
Installation of Emerging Threats Open rules completed.
Extracting and installing Snort VRT rules...
Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
Installation of Snort VRT rules completed.
Copying new config and map files...
Warning: No interfaces configured for Snort were found...
The Rules update has finished. Time: 2013-11-07 18:16:51
-
Yep…that log file looks normal. I don't know what could have been going on with your previous install. Let me know if things mess up again.
Bill
-
I have seen this before on a previous install a few releases ago (multiple update attempts in sequence).
An uninstall then fresh install fixed it.
-
And my Snort seems to be all crazy again. Only one Snort process running at the moment and Cron looks good also with just one copy of snort_check_for_rule_updates.php
Starting rules update... Time: 2013-11-08 12:20:01
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Starting rules update... Time: 2013-11-08 12:20:01
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Starting rules update... Time: 2013-11-08 12:20:01
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
Downloading Emerging Threats Open md5 file 'emerging.rules.tar.gz.md5'...
Checking Emerging Threats Open md5.
Emerging Threats Open rules are up to date.
The Rules update has finished. Time: 2013-11-08 12:20:03
Checking Emerging Threats Open md5.
Emerging Threats Open rules are up to date.
The Rules update has finished. Time: 2013-11-08 12:20:03
Checking Emerging Threats Open md5.
Emerging Threats Open rules are up to date.
The Rules update has finished. Time: 2013-11-08 12:20:03
Edit:
I'm also seeing other things going off three times instead of once. What in the system could be causing this? I'm on pfSense:
Version 2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:37 EDT 2013
FreeBSD 8.3-RELEASE-p11
Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblocktor does not need updated.
Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeretRBNmalvertisers does not need updated.
Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerMalwaredomainlistcom does not need updated.
Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerCIArmy does not need updated.
Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockwebexploit does not need updated.
Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerblockspyware does not need updated.
Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockhijacked does not need updated.
Nov 8 12:30:39 php: rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates
Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblocktor does not need updated.
Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeretRBNmalvertisers does not need updated.
Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerMalwaredomainlistcom does not need updated.
Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerCIArmy does not need updated.
Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockwebexploit does not need updated.
Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerblockspyware does not need updated.
Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockhijacked does not need updated.
Nov 8 12:30:24 php: rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates
Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblocktor does not need updated.
Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeretRBNmalvertisers does not need updated.
Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerMalwaredomainlistcom does not need updated.
Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerCIArmy does not need updated.
Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockwebexploit does not need updated.
Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockerblockspyware does not need updated.
Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: pfBlockeriblockhijacked does not need updated.
Nov 8 12:30:11 php: rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates
Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Sleeping for 11 seconds.
Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Starting up.
Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Sleeping for 24 seconds.
Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Starting up.
Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Sleeping for 39 seconds.
Nov 8 12:30:00 php: rc.update_urltables: /etc/rc.update_urltables: Starting up.
-
Hi Bill. Would it be a good option to increase the snort widget number of rows to 10 or 20 and make it update in a fixed interval of 10 secs independently of the entire dashboard GUI?
To refresh the dashboard, I need to refresh the entire GUI and change the default autoscale back to follow on a number of interfaces.
-
I don't know about the refresh stuff. The Dashboard Widget for Snort was written by someone else. I can study it a bit and see if I can understand better how it works. I've only made a couple of really small tweaks to it. Perhaps a configuration link could be added like some of the other widgets have (the Services widget is one that comes to mind). That would let a user set their own configuration preferences. Not promising anything until I can get into and understand that code better, though.
Bill
-
Fragged:
I really don't know what is going on with your setup. Something is definitely weird. Did you remove just Snort? I'm wondering if something is off in either your config.xml file or even with the base pfSense install itself. The fact other packages are showing duplicate or triplicate log entries points to something other than just the Snort package.
Bill
-
I have done a complete reinstall + recovery of my settings.xml and so far so good, though there haven't been any Snort or ET rules updates yet. There must have been something wrong with my base pfSense setup, which I've had from 2.0.3 -> 2.1 snapshots -> 2.1 release.
-
I am running Snort 2.9.4.6 pkg v. 2.6.1 and have set the WAN Interface to Block Offenders and Kill State. It's set to block the SRC.
I am also using an IPS program called "Security Onion" which also uses Snort and it has captured the same packets that were supposed to be Blocked at pfSense level.
Is this normal, or am I missing some configurations?
-
@BBcan17:
I am running Snort 2.9.4.6 pkg v. 2.6.1 and have set the WAN Interface to Block Offenders and Kill State. It's set to block the SRC.
I am also using an IPS program called "Security Onion" which also uses Snort and it has captured the same packets that were supposed to be Blocked at pfSense level.
Is this normal, or am I missing some configurations?
Make sure of two things.
First, ensure both Snort on pfSense and the Security Onion appliance are using the exact same rules. Also verify and scrub the hits you see on Security Onion against the auto-whitelist in Snort. Could be you are seeing packets captured on Onion that matched the whitelist in Snort (and thus were not blocked) on ingress.
Second, my recommendation is to operate Snort blocking in the BOTH mode (that is, block source and destination IP addresses).
Bill
-
Hello Bill,
Please see the screenshots below. You can see the alert and the block in pfSense. There is no entry in the Whitelist WAN or LAN for this WAN IP or Sig ID. The Alert is also in Security Onion with the same Sig ID. This alert is a false positive, but it should still have blocked it. I have also attached the full packet capture from Security Onion. I changed the ext to .TXT (hope it attaches properly).
If I block both the SRC and DST, won't that kill the ability for the alerted LAN address to access the Net?
If you need any further details please let me know.
[Wireshark 11-20-13.txt](/public/imported_attachments/1/Wireshark 11-20-13.txt)
-
Screenshot didn't attach. Please see attached jpg file.
-
@BBcan17:
Hello Bill,
If I block both the SRC and DST, won't that kill the ability for the alerted LAN address to access the Net?
If you need any further details please let me know.
No, the auto-whitelist will keep it from actually blocking the LAN addresses. This is because locally attached networks like the LAN are automatically added to the whitelist. By choosing BOTH for the block parameter, this catches an offending IP no matter which way the traffic is flowing. However, this setting is only for blocking. The alerting in the logs is not dependent on that setting.
Bill