Snort 2.9.7.5 update coming soon



  • I have posted a Pull Request to pfsense-packages to update the Snort binary to version 2.9.7.5 and to fix a couple of reported bugs in the GUI package.  There is one new feature in this update hidden in the binary side of Snort.  The Snort package on pfSense uses a custom blocking output plugin in order to emulate pseudo-IPS behavior.  Offender IP addresses are automatically inserted into the snort2c table in the packet filter whenever blocking is enabled in the Snort package.  The insertion of addresses into the table is handled by a custom output plugin compiled into the Snort binary.

    Over the years this plugin has suffered from not always recognizing when firewall interface IP addresses changed.  Specifically this has been an issue for users whose WAN IP frequently updates to a new value.  Because the old package only read the PASS LIST file once at startup, interface IP address changes were not recognized until the next restart of Snort.  This could result in inadvertent blocking of an interface IP on the firewall such as the WAN IP.  I've added a new feature within the blocking module that watches the firewall interface IP addresses and immediately updates an internal pass list with any changes.  I am hoping this new feature stops the inadvertent blocking of the WAN IP address for those users who have been impacted by this problem.

    Here is a link to the open Pull Request:  https://github.com/pfsense/pfsense-packages/pull/1002

    If this change proves both helpful and benign (that is, produces no adverse impact), the next new feature will be one several folks have begged for:  the ability to add FQDN aliases to a PASS LIST.  The same technique I used for the new interface IP monitoring thread can be extended to accommodate FQDN aliases in a PASS LIST.  I will be working on that for the next update.

    Bill
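    As an added example (not the package's or Bill's plugin code), the idea behind the interface IP monitoring in C: an internal pass list that is rebuilt whenever the firewall's interface addresses change and consulted before an offender is inserted into the snort2c table. The function names, the fixed-size list and the sample addresses are assumptions; the real plugin's internals are not shown here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <arpa/inet.h>

#define MAX_PASS 32

/* Internal pass list of firewall interface IPv4 addresses (network byte order). */
static struct in_addr pass_list[MAX_PASS];
static size_t pass_count = 0;

/* Rebuild the internal pass list from the interface addresses currently assigned.
 * In the plugin a monitoring thread would drive this; here the caller invokes it
 * whenever an address changes. Returns how many addresses were accepted. */
size_t passlist_refresh(const char *const *iface_ips, size_t n)
{
    pass_count = 0;
    for (size_t i = 0; i < n && pass_count < MAX_PASS; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, iface_ips[i], &a) == 1)
            pass_list[pass_count++] = a;
    }
    return pass_count;
}

/* Decide whether an offender may be inserted into the snort2c table: the
 * firewall's own interface addresses are never blocked, and an address that
 * does not parse is left alone rather than risk a bad table entry. */
bool snort2c_should_block(const char *offender)
{
    struct in_addr a;
    if (inet_pton(AF_INET, offender, &a) != 1)
        return false;
    for (size_t i = 0; i < pass_count; i++)
        if (pass_list[i].s_addr == a.s_addr)
            return false;
    return true;
}

int main(void)
{
    /* Constructed sample: the WAN address moves from .10 to .20 after startup. */
    const char *at_boot[] = {"192.168.1.1", "203.0.113.10"};
    const char *now[] = {"192.168.1.1", "203.0.113.20"};
    passlist_refresh(at_boot, 2);   /* old behaviour: list read once at startup */
    printf("stale list blocks new WAN IP: %d\n", snort2c_should_block("203.0.113.20"));
    passlist_refresh(now, 2);       /* new behaviour: refreshed on address change */
    printf("refreshed list blocks new WAN IP: %d\n", snort2c_should_block("203.0.113.20"));
    return 0;
}
```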



  • You are precious. Thanks.

    Cheers.

    -F



  • @fsansfil:

    You are precious. Thanks.

    Cheers.

    -F

    I am also going to incorporate your suggestion for allowing custom rule download URLs, but I decided to put it off until the next update because of the binary change I made.  I figured if issues were to develop, it would be easier to troubleshoot with fewer changes in the code.

    Bill



  • @bmeeks:

    I have posted a Pull Request to pfsense-packages to update the Snort binary to version 2.9.7.5 and to fix a couple of reported bugs in the GUI package.  There is one new feature in this update hidden in the binary side of Snort.  The Snort package on pfSense uses a custom blocking output plugin in order to emulate pseudo-IPS behavior.  Offender IP addresses are automatically inserted into the snort2c table in the packet filter whenever blocking is enabled in the Snort package.  The insertion of addresses into the table is handled by a custom output plugin compiled into the Snort binary.

    Over the years this plugin has suffered from not always recognizing when firewall interface IP addresses changed.  Specifically this has been an issue for users whose WAN IP frequently updates to a new value.  Because the old package only read the PASS LIST file once at startup, interface IP address changes were not recognized until the next restart of Snort.  This could result in inadvertent blocking of an interface IP on the firewall such as the WAN IP.  I've added a new feature within the blocking module that watches the firewall interface IP addresses and immediately updates an internal pass list with any changes.  I am hoping this new feature stops the inadvertent blocking of the WAN IP address for those users who have been impacted by this problem.

    Here is a link to the open Pull Request:  https://github.com/pfsense/pfsense-packages/pull/1002

    If this change proves both helpful and benign (that is, produces no adverse impact), the next new feature will be one several folks have begged for:  the ability to add FQDN aliases to a PASS LIST.  The same technique I used for the new interface IP monitoring thread can be extended to accommodate FQDN aliases in a PASS LIST.  I will be working on that for the next update.

    Bill

    How long would it take before the package is updated on pfsense?



  • @musicwizard:

    How long would it take before the package is updated on pfsense?

    Depends on when the pfSense developer team can review, approve and merge the Pull Request.  Usually it takes just a few days.

    Bill



  • This update has been approved and merged to production.

    Bill



  • I updated it on 2.1.5 and it works great.