Netgate Discussion Forum
    Snort 2.9.7.5

      simby

      Are we ready to upgrade to Snort 2.9.7.5?  8)

      2015-07-01 Carter Waxman <cwaxman@cisco.com>
      Snort 2.9.7.5
      * src/build.h:
            updating build number to 262

      * src/preprocessors/Stream6/snort_stream_tcp.c:
            Improved handling of asymmetric traffic

      * src/active.c:
            Active responses no longer set the FIN flag on the last segment
            transmitted

      * src/dynamic-preprocessors/appid/luaDetectorApi.c:
            Added sanity checks to client api

      * doc/snort_manual.pdf,
            src/: dynamic-preprocessors/dcerpc2/dce2_paf.c,
            dynamic-preprocessors/dnp3/dnp3_paf.c,
            dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
            dynamic-preprocessors/imap/imap_paf.c,
            dynamic-preprocessors/pop/pop_paf.c,
            dynamic-preprocessors/sip/sip_paf.c,
            dynamic-preprocessors/smtp/smtp_paf.c,
            preprocessors/session_api.h, preprocessors/spp_stream6.c,
            preprocessors/stream_api.h,
            preprocessors/HttpInspect/utils/hi_paf.c,
            preprocessors/Session/session_common.h,
            preprocessors/Stream6/snort_stream_tcp.c,
            preprocessors/Stream6/snort_stream_tcp.h,
            preprocessors/Stream6/stream_paf.c,
            preprocessors/Stream6/stream_paf.h:
            Multiple PAF clients can Read/Write to the same user data

      * src/: file-process/file_api.h, file-process/file_mail_common.h,
            file-process/file_mime_process.c,
            sfutil/sf_email_attach_decode.c, sfutil/sf_email_attach_decode.h:
            Fixed filename parsing from Mime body for UUencoded MIME

      * src/preprocessors/perf-base.c,
            src/preprocessors/Stream6/snort_stream_tcp.c:
            Prunes triggered by timeouts are now accounted by perfmonitor.

      * src/preprocessors/spp_session.c:
            Log warning instead of Fatal Error
            if a stream5_global config is in a non-default policy

      * src/detection-plugins/sp_base64_decode.c:
            Removed unused checks

      * src/snort.c:
            Improved reliability of configuration reloads

      * src/preprocessors/snort_httpinspect.c:
            Fixed issue in http
            file processing where SHAs may not always be correct.

      * doc/snort_manual.pdf,
            src/sfutil/sf_email_attach_decode.c:
            Fixed handling new line chars in QP encoding

      * src/preprocessors/snort_httpinspect.c:
            Fixed inconsistent behavior when configuring "max_gzip_mem -1"

        bmeeks

        Working on it now.  Should be posting a Pull Request to pfsense-tools in a few days.  I'm experimenting with adding a long-requested feature to the blocking plugin… ;)

        Bill

          simby

          @bmeeks:

          Working on it now.  Should be posting a Pull Request to pfsense-tools in a few days.  I'm experimenting with adding a long-requested feature to the blocking plugin… ;)

          Bill

          thanks,…

          Can you add a counter for all enabled rules in Snort on the first page? :)

            bmeeks

            @simby:

            thanks,…

            Can you add a counter for all enabled rules in Snort on the first page? :)

            Do you mean on the package home page (the one showing the list of configured Snort interfaces), or are you talking about somewhere on one of the interface-specific tabs?

            Bill

              simby

              LAN interface 34769 rules enabled
              WAN interface 41651 rules enabled

              On first Snort interface status :-)

                bmeeks

                @simby:

                LAN interface 34769 rules enabled
                WAN interface 41651 rules enabled

                On first Snort interface status :-)

                OK.  Will see what I can do.  Space is a bit limited on that screen unless you are using the new full screen theme.

                Bill

                  pfcode

                  @bmeeks:

                  @simby:

                  LAN interface 34769 rules enabled
                  WAN interface 41651 rules enabled

                  On first Snort interface status :-)

                  OK.  Will see what I can do.  Space is a bit limited on that screen unless you are using the new full screen theme.

                  Bill

                  What/Where is the new full screen theme?

                  Release: pfSense 2.4.3(amd64)
                  M/B: Supermicro A1SRi-2558F
                  HDD: Intel X25-M 160G
                  RAM: 2x8Gb Kingston ECC ValueRAM
                  AP: Netgear R7000 (XWRT), Unifi AC Pro

                    simby

                    @bmeeks:

                    @simby:

                    LAN interface 34769 rules enabled
                    WAN interface 41651 rules enabled

                    On first Snort interface status :-)

                    OK.  Will see what I can do.  Space is a bit limited on that screen unless you are using the new full screen theme.

                    Bill

                    Under interface, maybe: LAN 37125 rules enabled of all 43777

                      bmeeks

                      @pfcode:

                      What/Where is the new full screen theme?

                      It's under System > General Setup.  Select the pfsense_ng_fs theme.

                      Bill

                        simby

                        @bmeeks:

                        Working on it now.  Should be posting a Pull Request to pfsense-tools in a few days.  I'm experimenting with adding a long-requested feature to the blocking plugin… ;)

                        Bill

                        Any news? :-)

                          bmeeks

                          @simby:

                          Any news? :-)

                          Still working.  A family illness issue has delayed my progress for a bit.  The changes in 2.9.7.5 from upstream are pretty minor, so I don't think there is a huge impact in delaying introducing them in the pfSense port.  The new feature I'm adding will be a big help, though, so I think it's worth holding up the 2.9.7.5 update while I finish integrating the new feature.  The new feature uses multithreading to continuously watch the firewall interfaces for IP address changes and then immediately updates an internal PASS LIST to prevent errant blocking of say the WAN IP for folks with dynamic WAN IP addresses.  I have a proof-of-concept working for this feature and just need to finish up the production code.

                          The next logical step, assuming the new feature works as intended in widespread production, is to expand the multithreading idea and support FQDN aliases in the PASS LIST.  That is my goal, but that part is not started yet.

                          Bill

                            simby

                            @bmeeks:

                            @simby:

                            LAN interface 34769 rules enabled
                            WAN interface 41651 rules enabled

                            On first Snort interface status :-)

                            OK.  Will see what I can do.  Space is a bit limited on that screen unless you are using the new full screen theme.

                            Bill

                            Bmeeks, will this be in this release?

                              bmeeks

                              @simby:

                              Bmeeks, will this be in this release?

                              It's not in the currently open Pull Request.

                              Bill
