Snort 2.9.5.5 pkg v3.0.1 Update – Minor bug fixes
-
@BBcan17:
Thanks Bill.
Another suggestion would be to have a link to disable the rule from the alert screen. Currently you can only suppress or clear the block?
Keep up the great work.
I like this idea. Currently, the way disable sid works in the package, this can only work for non-preprocessor rules, though. Still it would be a neat option.
UPDATE – see my post further down below. I decided to go ahead and implement this in the upcoming 2.9.5.6 v3.0.3 package so that it works for all rules: both regular and the decoder and preprocessor ones.
Bill -
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;D -
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;DGreat news indeed (on the blocks staying in place)! I have a Snort update pretty much ready to go. It will bump the binary to 2.9.5.6. I am also adding two new GUI features and enhancing another one a bit. The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs. One of the two new features is complete management of all the rules now, including decoder and preprocessor rules. You can selectively enable/disable these just like the other text rules. The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.
Bill
-
That's Great news. Can't wait to test it out.
-
I tested this version with the latest 2.1.1 i386 pfSnort-PRERELEASE.
Snort works/installs perfectly and the blocks are back.
;DGreat news indeed (on the blocks staying in place)! I have a Snort update pretty much ready to go. It will bump the binary to 2.9.5.6. I am also adding two new GUI features and enhancing another one a bit. The enhancement is the DNS reverse-lookup functionality in Snort now fully mimics that in the firewall logs. One of the two new features is complete management of all the rules now, including decoder and preprocessor rules. You can selectively enable/disable these just like the other text rules. The other new feature is on the ALERTS tab where you will now have the option to not only add an alert to the Suppress List, but to also disable the rule that generated it.
Bill
Great will test it as soon as possible.
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place. -
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
-
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.
That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.
-
@BBcan17:
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
The bumped version contains fix:
https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087
That fixes a security flaw:
http://seclists.org/fulldisclosure/2014/Jan/187
-
@BBcan17:
I see a new snort package in the repo but its listed as
Snort 2.9.5.5 pkg v3.0.3
I thought it was suppose to be 2.9.5.6?
The bumped version contains fix:
https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087
That fixes a security flaw:
http://seclists.org/fulldisclosure/2014/Jan/187
Yep, I will just bump the 2.9.5.6 package to 3.0.4 when it is published.
Bill
-
I have looked at the following: http://seclists.org/fulldisclosure/2014/Jan/187
Are there any issues to skip this update and wait for the 3.0.3 release?
-
@BBcan17:
I have looked at the following: http://seclists.org/fulldisclosure/2014/Jan/187
Are there any issues to skip this update and wait for the 3.0.3 release?
No, the 3.0.3 just pushed is exactly the same as the current 3.0.2 except for one changed file. I did find one other similar vulnerability in a different file that I will fix in 3.0.4.
Bill
-
Quick note on 3.0.3:
In the Snort services page it still displays 3.0.2 in the header
-
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.
That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.
Ok, thats why pfBlocker widget still is there. The widget is combined with the package.
Shouldn't the Snort Dashboard widget also be merged with the Snort Package. I think most of us use both of them. -
Quick note on 3.0.3:
In the Snort services page it still displays 3.0.2 in the header
The Core Team member that posted the security hotfix update did not change a location in the snort.inc file where the package version variable is set for display. This will all get cleared up in the v3.0.4 package currently under review. If you want to fix it now, just manually edit the file**/usr/local/pkg/snort/snort.inc**. Near the top of the file you will see the version being set into a variable. Just change that value to 3.0.3 and you're set.
Bill
-
Thanks Bill, I noticed that issue with the version number also.
Did you get a chance to see this link
https://forum.pfsense.org/index.php/topic,63418.0.html
I think that would be a fantastic addition to Snort? But I wouldnt want to see email alerts for certain sids.
-
Only thing that is "strange", is that the dashboard widget needs to be replaced after an update of pfSense, the pfBlocker (also "3th party") widget and others (OpenVPN/Capive Portal/Firewall) are still in their old place.
That is by design (currently) as the widget checks if Snort is installed. If not, it will remove itself from the dashboard. On a pfSense upgrade, all packages are removed and then installed again and there's a time when the widget is installed, but Snort is not.
Ok, thats why pfBlocker widget still is there. The widget is combined with the package.
Shouldn't the Snort Dashboard widget also be merged with the Snort Package. I think most of us use both of them.Probably not a bad idea to merge them. I will investigate that for a future release of Snort. The Snort Dashboard widget hides itself now because back some time ago it was crashing the GUI when the package was removed, because it did not clean up behind itself in the dashboard widget configuration. I think I am remembering that correctly. The quick fix was to "hide" the widget any time it was un-installed or re-installed. I will look and see if there is a better way to persist the widget's state (visible or hidden) across uninstall/reinstall cycles without breaking the Dashboard GUI.
Bill
-
@BBcan17:
Thanks Bill, I noticed that issue with the version number also.
Did you get a chance to see this link
https://forum.pfsense.org/index.php/topic,63418.0.html
I think that would be a fantastic addition to Snort? But I wouldn't want to see email alerts for certain sids.
Yeah, I read through that. This is something that really can only be done by a cron job of some sort that periodically scans the alert log. See, all the Snort GUI code stuff dies and is not running the instant you leave the web page and go to a non-Snort page. All of the inspection and blocking is performed by the same old Snort binary daemon that folks install on any non-pfSense machine. So what I mean here is the GUI code that folks think of as "Snort" is nothing but a configuration front-end. To have Snort automatically send e-mail alerts in near real-time would require modifying the source code of the binary daemon itself. That would add overhead and steal CPU cycles that would probably be better served analyzing traffic.
It's better in my view to have a third-party tool called by a cron job (similar to the one in the linked thread) that does the log scanning and e-mailing. That way the Snort daemon can stay busy doing what it is designed to do- scan incoming and outgoing traffic. I would suggest someone modifying the code mentioned in the linked thread so that it can scan a number of different logs and send notifications as appropriate. It could scan Snort logs, system logs, squid logs, etc., and filter them for severities and make notifications.
I have my hands full at the moment with Snort updates and trying to get a working Suricata inline IPS package for pfSense. Perhaps another user would like to take up the challenge? :)
Bill
-
Any news on the next package version? The pull request is already 20 days old? Are there still some issues with getting the binaries to build for all pfSense versions?
-
Any news on the next package version? The pull request is already 20 days old? Are there still some issues with getting the binaries to build for all pfSense versions?
The old 2.0.x binary packages are now building fine. I sent an e-mail yesterday to the Core Team asking for a status on the Pull Request review. I have not heard anything back yet. I need to get that current open pull request merged so I can submit the Suricata Beta package pull request. Unfortunately you can only have one outstanding pull request at the time on GitHub from a forked repository. So until the Snort request is closed or merged, I can't submit the Suricata one.
Bill
-
I sent an e-mail yesterday to the Core Team asking for a status on the Pull Request review. I have not heard anything back yet. I need to get that current open pull request merged so I can submit the Suricata Beta package pull request. Unfortunately you can only have one outstanding pull request at the time on GitHub from a forked repository.
Bill
Hi Bill, The new snort package is in the Repo now. Available: 2.9.5.5 pkg v3.0.4
After this installation the Snort Version still shows up as v3.0.2 (Similar issue as before as per one of your previous post.)
I have installed the new package on one of my routers without any issues so far.
Is there a changelog?
Thanks for all your efforts in keeping this package working so well.. :) :) :)
