Snort package Bootstrap conversion is complete – ready for testing

bmeeks

I have finished the initial conversion of Snort to Bootstrap.  A pull request has been posted for review and merge merged by the developer team.  Here is a link to the original:  https://github.com/pfsense/FreeBSD-ports/pull/63 and here is a link to the next bug fix update:  https://github.com/pfsense/FreeBSD-ports/pull/64.

I've done some limited testing as I went through the conversion, but I am really depending on the testers here to help flush out any bugs or GUI issues.

Save your firewall config via a backup before installing/updating Snort Bootstrap just to be on the safe side.  There are a few rough spots still in the GUI.  One big one is the lack of visual feedback when updating rules on the UPDATES tab.  Some changes in Bootstrap have temporarily rendered the old progress bar that used to be shown non-functional.  S. Beaver is looking for a new solution, so when you update your rules just be aware the browser will sit and spin until the process completes, then you will see a screen full of status messages.  Not ideal, but it works for now.  I am hoping Steve comes up with something prettier… ;)

It is also likely that upon an update of the package it will not auto-start. It should start fine manually from the Snort Interfaces tab.  It will start up normally when the firewall is rebooted or updated.  I'm still looking for why the package does not auto-start after a package update.

Bill

Edit:  changed title once pull request was merged, fixed a typo and provided link to latest bug fix pull request.

Raul Ramos

Hi. I'll start then. New installation with old config.

• In interfaces settings; home net, External Net and pass net is blank is it normal? view list in this have the list os the networks correct i think. Suppression should have my list but is blank view list is blank to.
• In Alerts can't change interface, always jump to the first when i try select one of the other. No alerts listed but widget have some listed at least in LAN maybe i can't see it because i cant select LAN interface , download logs are empty, . Don't know if Blocked works downloading logs appears info box that is no content.
• In SID Mgmt in the short description appears Remove Snort Logs On Package Uninstall, this belongs to Log Mgmt.

Only this for now. Thanks looks good for the first try.

grandrivers

i can confirm cant change interface in alerts tab

bmeeks

Thanks for the quick testing and feedback.  I will get on the bug fixes.  I neglected to test the ALERTS tab on a virtual machine with more than a single configured Snort interface.  My bad…  :-[

Config settings should have come back.  I have not see that yet in testing.  My old settings have come over.

Bill

grandrivers

when using ips policy there seems to be no way to tell what rules are selected anymore thought it was there previously

grandrivers

snort interfaces tab list of interfaces has a description column it has a back ground color different from the rest of the table is that on purpose?

sync page has a drop down menu currently viewing this is different from the rest of the package

bmeeks

@grandrivers:

snort interfaces tab list of interfaces has a description column it has a back ground color different from the rest of the table is that on purpose?

sync page has a drop down menu currently viewing this is different from the rest of the package

Yeah, this is on my list to completely redo.  Just haven't gotten to it yet.  This tab uses the original pkg_edit XML stuff.  I will probably migrate it to a PHP page like the rest of the Snort package.  This is currently the only XML-based tab in the package.

The background color on the INTERFACES tab is just the Bootstrap variation of what was there originally.  In the original package the BG color was the dark red if you had the standard pfSense theme selected.  This column is just user-supplied info about the interface, so I thought "text-info" was appropriate.  It can easily be changed if necessary to meet some standard theme.

Bill

bmeeks

@grandrivers:

when using ips policy there seems to be no way to tell what rules are selected anymore thought it was there previously

When you use IPS Policy, all the rules tagged with the chosen policy keyword are selected.  You can see the list of chosen rules on the RULES tab when you select "IPS Policy" in the Category drop-down.  This is the same behavior as the old package.  You select IPS Policy on the CATEGORIES tab, but you go to the RULES tab to see the rules matching that policy.

Don't confuse Categories, Rules and IPS Policy.  Categories contain collections of related rules.  For example, all the worm-related rules are in a category file.  Rules are the individual content analysis statements.  They are identified by GID and SID.  Any given category may contain dozens to hundreds of rules.  Finally, an IPS Policy is one of three words:  (1) connectivity, (2) balanced or (3) security.  This activates a mechanism that automatically scans all the rules in all the categories and selects the rules the Snort VRT has tagged with the chosen policy keyword.  These rules can come from any of the Snort VRT categories.

Bill

maverick_slo

@mais_um:

Hi. I'll start then. New installation with old config.

• In interfaces settings; home net, External Net and pass net is blank is it normal? view list in this have the list os the networks correct i think. Suppression should have my list but is blank view list is blank to.
• In Alerts can't change interface, always jump to the first when i try select one of the other. No alerts listed but widget have some listed at least in LAN maybe i can't see it because i cant select LAN interface , download logs are empty, . Don't know if Blocked works downloading logs appears info box that is no content.
• In SID Mgmt in the short description appears Remove Snort Logs On Package Uninstall, this belongs to Log Mgmt.

Only this for now. Thanks looks good for the first try.

I can confirm all of that.

For this:

• In interfaces settings; home net, External Net and pass net is blank is it normal? view list in this have the list os the networks correct i think. Suppression should have my list but is blank view list is blank to.

I`ve made 2 screenshots that describe the problem very well :)

bmeeks

A new version of the Snort package was just merged that should address all of the issues reported thus far with the ALERTS tab, the INTERFACES EDIT drop-downs for HOME NET, EXTERNAL NET, PASS LIST and SUPPRESS LIST, and an incorrect label name for the enable checkbox on the SID MGMT tab.

NOTE:  The issue with the UPDATES tab not showing on-screen progress is still being worked.  That fix is going to take a little time, because some things have to be re-engineered a bit in that part of the Snort GUI.

Bill

virgiliomi

Looks good! I waited until after that first update. Installed, went through your walkthrough from the IDS/IPS forum again (making changes where needed), and it looks like it's running great!

My only request would be to put an info box regarding the pattern matching algorithms, or maybe add some additional text in the drop-down list (since it's so wide), or provide a link to some info on the different algorithms and their resource use or benefits (i.e. high CPU, high RAM, fastest, etc.)

It looks good though! Thanks for your hard work on this!

bmeeks

@virgiliomi:

Looks good! I waited until after that first update. Installed, went through your walkthrough from the IDS/IPS forum again (making changes where needed), and it looks like it's running great!

My only request would be to put an info box regarding the pattern matching algorithms, or maybe add some additional text in the drop-down list (since it's so wide), or provide a link to some info on the different algorithms and their resource use or benefits (i.e. high CPU, high RAM, fastest, etc.)

It looks good though! Thanks for your hard work on this!

Thank you for the positive feedback …  :).  I will see about adding an info block maybe in that pattern matching section.  The short answer, though, is a lot of smart folks have tested and prodded and poked over the years and the consensus is use AC-BNFA or AC-BNFA-NQ and you are good for pretty much anything.

Bill

athurdent

Looks great, many thanks for the hard work!
The widget seems to have a problem displaying the names of OPT interfaces though. It shows OPT2 instead of the real name on my setup.

bmeeks

@athurdent:

Looks great, many thanks for the hard work!
The widget seems to have a problem displaying the names of OPT interfaces though. It shows OPT2 instead of the real name on my setup.

I will put that on my "fix it" list.  I have a few other cosmetic fixes to incorporate as well.

Bill

LinuxTracker

You are awesome

Raul Ramos

Hi…snort-2.9.8.0 f*** yeah.

Some more "bugging".

• Can't change nothin on Log Mgmt.
• After upgrade snort i have to re-enable, previously enabled, interfaces or i don't wait enough time(?).

Some requesting, for another time.

• Some awesome GUI to AppID feature? no?

Thanks a lot.

bmeeks

@mais_um:

Hi…snort-2.9.8.0 f*** yeah.

Some more "bugging".

• Can't change nothin on Log Mgmt.
• After upgrade snort i have to re-enable, previously enabled, interfaces or i don't wait enough time(?).

Some requesting, for another time.

• Some awesome GUI to AppID feature? no?

Thanks a lot.

I also found the LOG MGMT bug myself last night.  I am working on it and several other small GUI bugs.  An update will be posted later today for approval and merging by the pfSense team.

There is a problem with the interfaces not auto-starting after an upgrade.  This is impacting Suricata as well.  This is also on my list to troubleshoot and fix, but I have been delaying it while working on some of the other bugs.  Lots of things needed to be "touched" as part of the Bootstrap conversion, and as a result some new bugs got introduced.

A GUI interface to help with OpenAppID has been requested by several folks.  That is on my radar.  I've been holding off introducing new GUI features during the long conversion to Bootstrap.  Now that the Bootstrap conversion is about done (just a few more little bugs to fix), I can start looking at new GUI features soon.

Bill

bmeeks

NOTE:  An update to the Snort binary is coming with the next GUI package update.  The binary will be updated to version 2.9.8.0.  In fact, the binary package is already posted, but it won't show up as an "update" in the pfSense Package Manager until I post the coming bug fix update for the Snort GUI package.  I'm working on that now update now and hope to post it before the end of today.

Bill

bmeeks

I've posted another bug fix update for the new Bootstrap version of the Snort package.  It was merged and should now show up as package version 3.2.9.1_6 in the Package Manager GUI.  This update corrects the following bugs:

Bug Fixes

• Stats log filename incorrect in drop-down on LOGS VIEW tab.

• Receive system log error "open() "/usr/local/www/javascript/base64.js" failed from LOGS VIEW tab.

• Settings not saving on LOGS MGMT tab.

• Alerts Widget does not auto-update and does not display friendly interface names.

• Add VIEW RULES button to RULES tab to allow viewing of raw rules content for selected category.

• Improve feedback on UPDATES tab when updating rules via a temporary workaround.

• Style footer of blocked IPs table on BLOCKED tab to "bg-info".

• Fix up errant newlines in post-install code and tidy up status messages.

• Fix Snort auto-start failure after upgrade or reinstall.

Binary Update:
The Snort binary is also updated to 2.9.8.0 to match the latest upstream release.

Bill

maverick_slo

Thanks!
Now to production :)

Raul Ramos

Cosmetic thing "\n"  on line 206 (browser source) 151 line in snort_blocked.php file on Blocked tab

\n<