Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort package Bootstrap conversion is complete – ready for testing

    Scheduled Pinned Locked Moved 2.3-RC Snapshot Feedback and Issues - ARCHIVED
    21 Posts 7 Posters 4.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      grandrivers
      last edited by

      i can confirm cant change interface in alerts tab

      pfsense plus 25.03 super micro A1SRM-2558F
      C2558 32gig ECC  60gig SSD

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        Thanks for the quick testing and feedback.  I will get on the bug fixes.  I neglected to test the ALERTS tab on a virtual machine with more than a single configured Snort interface.  My bad…  :-[

        Config settings should have come back.  I have not see that yet in testing.  My old settings have come over.

        Bill

        1 Reply Last reply Reply Quote 0
        • G
          grandrivers
          last edited by

          when using ips policy there seems to be no way to tell what rules are selected anymore thought it was there previously

          pfsense plus 25.03 super micro A1SRM-2558F
          C2558 32gig ECC  60gig SSD

          1 Reply Last reply Reply Quote 0
          • G
            grandrivers
            last edited by

            snort interfaces tab list of interfaces has a description column it has a back ground color different from the rest of the table is that on purpose?

            sync page has a drop down menu currently viewing this is different from the rest of the package

            pfsense plus 25.03 super micro A1SRM-2558F
            C2558 32gig ECC  60gig SSD

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by

              @grandrivers:

              snort interfaces tab list of interfaces has a description column it has a back ground color different from the rest of the table is that on purpose?

              sync page has a drop down menu currently viewing this is different from the rest of the package

              Yeah, this is on my list to completely redo.  Just haven't gotten to it yet.  This tab uses the original pkg_edit XML stuff.  I will probably migrate it to a PHP page like the rest of the Snort package.  This is currently the only XML-based tab in the package.

              The background color on the INTERFACES tab is just the Bootstrap variation of what was there originally.  In the original package the BG color was the dark red if you had the standard pfSense theme selected.  This column is just user-supplied info about the interface, so I thought "text-info" was appropriate.  It can easily be changed if necessary to meet some standard theme.

              Bill

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                @grandrivers:

                when using ips policy there seems to be no way to tell what rules are selected anymore thought it was there previously

                When you use IPS Policy, all the rules tagged with the chosen policy keyword are selected.  You can see the list of chosen rules on the RULES tab when you select "IPS Policy" in the Category drop-down.  This is the same behavior as the old package.  You select IPS Policy on the CATEGORIES tab, but you go to the RULES tab to see the rules matching that policy.

                Don't confuse Categories, Rules and IPS Policy.  Categories contain collections of related rules.  For example, all the worm-related rules are in a category file.  Rules are the individual content analysis statements.  They are identified by GID and SID.  Any given category may contain dozens to hundreds of rules.  Finally, an IPS Policy is one of three words:  (1) connectivity, (2) balanced or (3) security.  This activates a mechanism that automatically scans all the rules in all the categories and selects the rules the Snort VRT has tagged with the chosen policy keyword.  These rules can come from any of the Snort VRT categories.

                Bill

                1 Reply Last reply Reply Quote 0
                • M
                  maverick_slo
                  last edited by

                  @mais_um:

                  Hi. I'll start then. New installation with old config.

                  • In interfaces settings; home net, External Net and pass net is blank is it normal? view list in this have the list os the networks correct i think. Suppression should have my list but is blank view list is blank to.
                  • In Alerts can't change interface, always jump to the first when i try select one of the other. No alerts listed but widget have some listed at least in LAN maybe i can't see it because i cant select LAN interface , download logs are empty, . Don't know if Blocked works downloading logs appears info box that is no content.
                  • In SID Mgmt in the short description appears Remove Snort Logs On Package Uninstall, this belongs to Log Mgmt.

                  Only this for now. Thanks looks good for the first try.

                  I can confirm all of that.

                  For this:

                  • In interfaces settings; home net, External Net and pass net is blank is it normal? view list in this have the list os the networks correct i think. Suppression should have my list but is blank view list is blank to.

                  I`ve made 2 screenshots that describe the problem very well :)

                  snort1.PNG
                  snort1.PNG_thumb
                  snort2.PNG
                  snort2.PNG_thumb

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by

                    A new version of the Snort package was just merged that should address all of the issues reported thus far with the ALERTS tab, the INTERFACES EDIT drop-downs for HOME NET, EXTERNAL NET, PASS LIST and SUPPRESS LIST, and an incorrect label name for the enable checkbox on the SID MGMT tab.

                    NOTE:  The issue with the UPDATES tab not showing on-screen progress is still being worked.  That fix is going to take a little time, because some things have to be re-engineered a bit in that part of the Snort GUI.

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • MikeV7896M
                      MikeV7896
                      last edited by

                      Looks good! I waited until after that first update. Installed, went through your walkthrough from the IDS/IPS forum again (making changes where needed), and it looks like it's running great!

                      My only request would be to put an info box regarding the pattern matching algorithms, or maybe add some additional text in the drop-down list (since it's so wide), or provide a link to some info on the different algorithms and their resource use or benefits (i.e. high CPU, high RAM, fastest, etc.)

                      It looks good though! Thanks for your hard work on this!

                      The S in IOT stands for Security

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        @virgiliomi:

                        Looks good! I waited until after that first update. Installed, went through your walkthrough from the IDS/IPS forum again (making changes where needed), and it looks like it's running great!

                        My only request would be to put an info box regarding the pattern matching algorithms, or maybe add some additional text in the drop-down list (since it's so wide), or provide a link to some info on the different algorithms and their resource use or benefits (i.e. high CPU, high RAM, fastest, etc.)

                        It looks good though! Thanks for your hard work on this!

                        Thank you for the positive feedback …  :).  I will see about adding an info block maybe in that pattern matching section.  The short answer, though, is a lot of smart folks have tested and prodded and poked over the years and the consensus is use AC-BNFA or AC-BNFA-NQ and you are good for pretty much anything.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • A
                          athurdent
                          last edited by

                          Looks great, many thanks for the hard work!
                          The widget seems to have a problem displaying the names of OPT interfaces though. It shows OPT2 instead of the real name on my setup.

                          1 Reply Last reply Reply Quote 0
                          • bmeeksB
                            bmeeks
                            last edited by

                            @athurdent:

                            Looks great, many thanks for the hard work!
                            The widget seems to have a problem displaying the names of OPT interfaces though. It shows OPT2 instead of the real name on my setup.

                            I will put that on my "fix it" list.  I have a few other cosmetic fixes to incorporate as well.

                            Bill

                            1 Reply Last reply Reply Quote 0
                            • L
                              LinuxTracker
                              last edited by

                              You are awesome

                              1 Reply Last reply Reply Quote 0
                              • Raul RamosR
                                Raul Ramos
                                last edited by

                                Hi…snort-2.9.8.0 f*** yeah.

                                Some more "bugging".

                                • Can't change nothin on Log Mgmt.
                                • After upgrade snort i have to re-enable, previously enabled, interfaces or i don't wait enough time(?).

                                Some requesting, for another time.

                                • Some awesome GUI to AppID feature? no?

                                Thanks a lot.

                                pfSense:
                                ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                                Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                                NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks
                                  last edited by

                                  @mais_um:

                                  Hi…snort-2.9.8.0 f*** yeah.

                                  Some more "bugging".

                                  • Can't change nothin on Log Mgmt.
                                  • After upgrade snort i have to re-enable, previously enabled, interfaces or i don't wait enough time(?).

                                  Some requesting, for another time.

                                  • Some awesome GUI to AppID feature? no?

                                  Thanks a lot.

                                  I also found the LOG MGMT bug myself last night.  I am working on it and several other small GUI bugs.  An update will be posted later today for approval and merging by the pfSense team.

                                  There is a problem with the interfaces not auto-starting after an upgrade.  This is impacting Suricata as well.  This is also on my list to troubleshoot and fix, but I have been delaying it while working on some of the other bugs.  Lots of things needed to be "touched" as part of the Bootstrap conversion, and as a result some new bugs got introduced.

                                  A GUI interface to help with OpenAppID has been requested by several folks.  That is on my radar.  I've been holding off introducing new GUI features during the long conversion to Bootstrap.  Now that the Bootstrap conversion is about done (just a few more little bugs to fix), I can start looking at new GUI features soon.

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • bmeeksB
                                    bmeeks
                                    last edited by

                                    NOTE:  An update to the Snort binary is coming with the next GUI package update.  The binary will be updated to version 2.9.8.0.  In fact, the binary package is already posted, but it won't show up as an "update" in the pfSense Package Manager until I post the coming bug fix update for the Snort GUI package.  I'm working on that now update now and hope to post it before the end of today.

                                    Bill

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks
                                      last edited by

                                      I've posted another bug fix update for the new Bootstrap version of the Snort package.  It was merged and should now show up as package version 3.2.9.1_6 in the Package Manager GUI.  This update corrects the following bugs:

                                      Bug Fixes

                                      • Stats log filename incorrect in drop-down on LOGS VIEW tab.

                                      • Receive system log error "open() "/usr/local/www/javascript/base64.js" failed from LOGS VIEW tab.

                                      • Settings not saving on LOGS MGMT tab.

                                      • Alerts Widget does not auto-update and does not display friendly interface names.

                                      • Add VIEW RULES button to RULES tab to allow viewing of raw rules content for selected category.

                                      • Improve feedback on UPDATES tab when updating rules via a temporary workaround.

                                      • Style footer of blocked IPs table on BLOCKED tab to "bg-info".

                                      • Fix up errant newlines in post-install code and tidy up status messages.

                                      • Fix Snort auto-start failure after upgrade or reinstall.

                                      Binary Update:
                                      The Snort binary is also updated to 2.9.8.0 to match the latest upstream release.

                                      Bill

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        maverick_slo
                                        last edited by

                                        Thanks!
                                        Now to production :)

                                        1 Reply Last reply Reply Quote 0
                                        • Raul RamosR
                                          Raul Ramos
                                          last edited by

                                          Cosmetic thing "\n"  on line 206 (browser source) 151 line in snort_blocked.php file on Blocked tab

                                          
                                          \n<
                                          

                                          pfSense:
                                          ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                                          Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                                          NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.