Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes



  • Snort 2.9.5.5 pkg v3.0.1
    Change Log

    This Snort package update is a minor bug fix release only. No new features are added.

    Bug Fixes

    • Removed dependence on session variables in the Alias selection code associated with multi-engine configurations on the PREPROCESSORS tab. Also changed the way the referrer was transferred to the Alias selection page. This should fix issues on some browsers when returning to the original calling page with selected aliases.

    • Ensure reasonable defaults are set for the new SDF (Sensitive Data) preprocessor options introduced in version 3.0.0 of the package. Formerly, if the new values were not set and users had the SDF preprocessor enabled, Snort would error out on startup.

    • Updated the valid FTP server commands in the snort.conf file to match the latest defaults posted at http://www.snort.org/vrt/snort-conf-configurations/. Also added the MFMT command as a valid FTP command per user request.

    Bill



  • Umm.. After the 3.0.0 update I now see "snort" as installed package with no version information and "Snort" as an available package with version 3.0.1? How do I get the package manager to see that I do indeed have Snort 3.0.0 installed right now?



  • @fragged:

    Umm.. After the 3.0.0 update I now see "snort" as installed package with no version information and "Snort" as an available package with version 3.0.1? How do I get the package manager to see that I do indeed have Snort 3.0.0 installed right now?

    Yeah, this will be fixed in a moment I hope.  I used "Snort" in the package name instead of "snort" with lowercase.  I've posted the fix and am waiting for one of the Core Team guys to quickly merge it.

    For now I will remove the update notice and repost when the fix is posted.

    Sorry,
    Bill



  • Works now :)



  • @fragged:

    Works now :)

    Yep.  Thanks to jimp who saved the day for me with an emergency merge.

    Bill



  • It also looks like my Snort interfaces now start much faster?!



  • @digdug3:

    It also looks like my Snort interfaces now start much faster?!

    That could be a 2.9.5.5 Snort binary benefit.  There is really nothing that changed in the GUI code that should impact that.  I noticed that my interfaces also seem to start faster.  Of course I also recently updated my hardware from an Atom to an Intel i3 3.3 GHz processor, so that may also have a lot to do with it on my end.

    Bill



  • Hi,

    when installing this package I get this error:

    snort[44829]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-amd64/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-amd64/lib/snort/dynamicengine/libsf_engine.so" version 1.17.

    I have tried to uninstall, reboot and install several times with no luck.



  • @cappiz:

    Hi,

    when installing this package I get this error:

    snort[44829]: FATAL ERROR: The dynamic detection library "/usr/pbi/snort-amd64/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so" version 1.0 compiled with dynamic engine library version 1.0 isn't compatible with the current dynamic engine library "/usr/pbi/snort-amd64/lib/snort/dynamicengine/libsf_engine.so" version 1.17.

    I have tried to uninstall, reboot and install several times with no luck.

    This generally indicates an old copy of the shared object rules around someplace.  I'm surprised because this shouldn't happen on 2.1 pfSense with PBI.  Tell me if this was originally a 2.0.x box upgraded to 2.1.

    As for the fix, try these steps.

    • Remove the Snort package by clicking the X icon beside the Snort package on the Installed Packages tab.

    • When the package deletion completes, open a console session to the firewall and exit to the shell prompt.  Type the command rm -rf /usr/local/lib/snort

    • Now install Snort again by going to Available Packages and choosing it.

    If you still have trouble, then gather some troubleshooting information for me.  From a console session, issue the command:

    snort -V
    

    and tell me what version it prints.

    Bill



  • Snort Alerts list doesn't show entries from 1.1.2014 at the top. When clicking on the Date column to sort by date, the alerts from today show up at the top again. Bug or by design?


  • Banned

    It does here on all firewalls. (show entries from 01/01/14)

    Running 2.0.3 with the latest Snort.



  • Same here "fragged" on 2.1 x64.  I'm sure within the next day all will be fine.



  • On a closer look no matter how I arrange by date, it's always backwards for 2014 vs 2013. Must be a bug in the sorting piece of code or something.



  • … and the problem flows through to the Dashboard Widget, resulting in the most current alerts not being displayed.


  • Banned

    As said….not an issue on 2.0.3 for me.



  • @fragged:

    On a closer look no matter how I arrange by date, it's always backwards for 2014 vs 2013. Must be a bug in the sorting piece of code or something.

    I checked on my production firewall and indeed the default sort appears to be putting the December 31, 2013 events above the January 2014 events.  However, you can click the DATE column header on the Alerts tab and sort the alerts so the January 01, 2014 events are at the top.  See the screenshot below showing the sorted list.  This is from a 2.1-RELEASE pfSense firewall.

    Bill



  • Banned

    On 2.0.3 it seems fine Bill.




  • @Supermule:

    On 2.0.3 it seems fine Bill.

    OK.  I just edited/replaced my original reply above with updated info.  I will check the Dashboard Widget next on 2.1.

    Bill



  • OK, found a "sort of fix" for the Snort Alerts Dashboard Widget.  It keys off the "sort setting" for the System Log.  If you have your system log entries displaying in reverse order, then the Snort Alerts Widget sorts the same way.  If you toggle System Log entries to display in "normal order", then the Snort Alerts Widget sorts correctly.

    The problem here is, I think, in the sorting logic of the System Log.  When toggled to display in "reverse" (that is, newest entries displayed first), it sorts the leading zero improperly in the timestamp.  The same problem is copied over into the Snort Widget code by the original author.

    Bill


  • Banned

    The log in Snort on the alerts table has the problem even on 2.0.3.

    The widget doesnt.



  • @Supermule:

    The log in Snort on the alerts table has the problem even on 2.0.3.

    The widget doesnt.

    Fixing the sorting will take a little extra magic to handle the leading zero or one in the months.  Sorting as a plain string won't work.  I will see if I can make it smarter.

    Bill



  • Fixing the sort turned out to be easier than I thought it would.  I fixed both the ALERTS tab display and the Snort Alerts Widget.  Let me test a wee bit more to be sure there are no unintended consequences from the fixes, then I will submit a Pull Request for a minor update to the Snort package and the Dashboard Alerts Widget.

    Bill


  • Banned

    When doing so Bill, cant you try to import the code from the traffic graph widgets since they have an interval function built in to update the Snort alert widget without refreshing the whole page…



  • @Supermule:

    When doing so Bill, cant you try to import the code from the traffic graph widgets since they have an interval function built in to update the Snort alert widget without refreshing the whole page…

    Well, it's too late for this Widget fix.  Ermal merged the update this morning.  The current widget should be updating every 22 seconds if I understand the code correctly.  I think jimp originally wrote it.  His name is in the copyright info at the top of the source code.

    There also may be a problem with the older 2.0.3 pfSense code with respect to JavaScript callbacks for the active refresh.  Not sure, though.  I will test on my 2.1 install to see if it auto-refreshes the Snort Alerts frame.

    Bill



  • @fragged:

    Snort Alerts list doesn't show entries from 1.1.2014 at the top. When clicking on the Date column to sort by date, the alerts from today show up at the top again. Bug or by design?

    This should be fixed in an update posted today (January 2, 2014).  The update was very minor and so I did not bump the package version number.  Hence no update will show in the Installed Packages tab.  Nonetheless, if you click the XML icon there to reinstall the package GUI components, you will get the updated PHP code for the Alerts tab.

    Bill


  • Banned

    It doesnt update automagically every 22 seconds Bill on 2.0.3.

    I havent got a 2.1 box yet hence all the issues :D



  • @Supermule:

    It doesnt update automagically every 22 seconds Bill on 2.0.3.

    I havent got a 2.1 box yet hence all the issues :D

    I will test this out in my VMware environment to see if it works properly on 2.1.  If not, I will have to get up with jimp to see about a fix.

    Bill


  • Banned

    Thumbs up mate!!



  • Thanks for the fix!

    Edit:

    For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.



  • I'm having a few issues with the 2.9.5.5 builds.

    First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.

    ~~Second, something is causing the firewall rules to reload fairly frequently as nothing stays in the Snort blocklist for more than 30 seconds (which results in issue #1 basically killing off my connection every minute or two) even though the setting is set to 1 hour.

    Third, I just tried to disable the "Kill States" option and restart Snort and now it won't come back up.  The start button in the UI never turns green and each time I click it I get a new 'snort' process which burns an entire CPU core.  Turning Kill States back on doesn't remedy the issue.  The system logs show:

    Jan 2 12:26:03	php: /snort/snort_interfaces.php: [Snort] Snort START for Verizon FIOS(igb3)…
    Jan 2 12:26:01	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…
    Jan 2 12:26:00	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
    Jan 2 12:25:47	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
    Jan 2 12:25:47	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(Verizon FIOS)...
    ```~~
    
    EDIT: Rebooted and the 2nd & 3rd issues went away.  Still have the first problems though.


  • @fragged:

    Thanks for the fix!

    Edit:

    For a future release, could you look into what Barnyard 2 spams to the system log? I love how Ermal (?) stripped the Snort log entries to bare minimal way back when, but Barnyard 2 still spams a good 100+ entries on Snort restart.

    Yeah, I will take a look at Barnyard2.  I hate the log spamming as well.  I've been waiting for the latest beta version to make it to production and get updated in Fresh Ports.  Supposedly the new beta can do a soft restart and re-read the configuration file similar to the way Snort does it.  That would mean you could update Barnyard2 settings without actually stopping and restarting the daemon.

    Bill



  • @Jason:

    I'm having a few issues with the 2.9.5.5 builds.

    First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.

    Are you sure this is isolated to just the 2.9.5.5 binary build?  I'm asking because nothing was changed in the blocking part of Snort with the new binary version.  That code has been static since at least 2.9.4.1 of the Snort binary.  I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.

    Bill



  • And if it is possible to make add a selection for the date format then that would make me very happy.
    For me the MM/DD/YY format is very illogical. I prefer DD/MM/YY (or YY/MM/DD). Then I don't think it's 2 Feb. today  ;)
    I know this may be confusing with the other logs, so maybe I should put in a request for a common pfSense selection for the date format.

    Dick



  • @bmeeks:

    @Jason:

    I'm having a few issues with the 2.9.5.5 builds.

    First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.

    Are you sure this is isolated to just the 2.9.5.5 binary build?  I'm asking because nothing was changed in the blocking part of Snort with the new binary version.  That code has been static since at least 2.9.4.1 of the Snort binary.  I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.

    Bill

    No, I'm not sure about that.  I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.



  • @Jason:

    @bmeeks:

    @Jason:

    I'm having a few issues with the 2.9.5.5 builds.

    First, it seems that on the WAN interface, the "Kill States" option, when used in conjunction with "Both" for Which IP to Block, results in all WAN states being dumped any time something is blocked, even though the WAN IP is part of the default whitelist.

    Are you sure this is isolated to just the 2.9.5.5 binary build?  I'm asking because nothing was changed in the blocking part of Snort with the new binary version.  That code has been static since at least 2.9.4.1 of the Snort binary.  I'm talking about the Spoink plugin that inserts IP addresses into the snort2c table in the pf engine.

    Bill

    No, I'm not sure about that.  I wasn't using it prior to 2.9.4.6 and on that build I wasn't using many rules.

    I will look through that Spoink plugin code again to see if anything jumps out.  I think Ermal made the last major updates to that quite some time back (maybe like two years or so, if I remember correctly).

    Bill


  • Moderator

    I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?

    A suggestion for the new snort Update.

    In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.

    Would be nice to add the "!" Internal DNS button in snort also.



  • @BBcan17:

    I have an issue with Snort when i click on the"x" remove alert in Snort WAN, it will remove the block (alert window at top showing removal) but the screen refresh brings me to the LAN alert screen? I am using Chrome. I have also tested this with IE with the same outcome?

    This was an old bug that I slayed (or thought I did).  Might have "regressed some code by accident".  Let me see if I can reproduce.  If the bug is back, I will fix it in the next update that is in the works.

    @BBcan17:

    A suggestion for the new snort Update.

    In Status:System Logs:Firewall, there are two "!" One for resolving using the internal DNS servers, and the other DNSStuff.

    Would be nice to add the "!" Internal DNS button in snort also.

    I will look into doing this.  I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

    Bill


  • Moderator

    Thanks Bill.

    I agree having a smaller popup window for dnsstuff would be great.

    Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?

    Keep up the great work.


  • Moderator

    @bmeeks:

    I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

    I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?



  • @BBcan17:

    @bmeeks:

    I sort of didn't really like the way the current code takes you away from the window anyway.  Having a smaller pop-up window would be handier, and then the other link for more details.

    I notice that the "popup window" for the local DNS lookup doesn't allow any of the data to be selected and copied. Is there a way around that?

    Not sure.  I have not looked at the firewall log code where the window comes from, but it looks like a pretty simple JavaScript pop-up.

    Bill