Author Topic: Snort 3.2.9.5_4 - Release Notes  (Read 309 times)

bmeeks
Snort 3.2.9.5_4 - Release Notes
« on: December 05, 2017, 08:28:27 am »
Snort 3.2.9.5_4

This update to the Snort package changes the URL for downloading the OpenAppID open rules package.  This rules package is maintained by a volunteer contributor and was formerly hosted at a University web site in Brazil.  That web site employs geo-protection, and thus Snort users in some countries were unable to download the OpenAppID rules.  The pfSense team has worked out an agreement with the rules package creator to host the package on pfSense infrastructure.  This will eliminate the geo-blocking issue.  No action is required on your part.  The URL change is automatic.

Note to SG-3100 and other ARM hardware users:
This package update does not address the problems within the Snort binary on ARM CPUs.  We are still trying to fix that issue.

Bill

Ramosel
Re: Snort 3.2.9.5_4 - Release Notes
« Reply #1 on: December 06, 2017, 04:57:50 pm »
> Snort 3.2.9.5_4
>
> This update to the Snort package changes the URL for downloading the OpenAppID open rules package.

Thanks Bill,
This issue has presented a few glitches with some Unbound/pfBlockerNG/TLD listings that BBCan177 and I have had to work through on a few occasions.   

Rick

bcruze
Re: Snort 3.2.9.5_4 - Release Notes
« Reply #2 on: December 07, 2017, 07:12:41 am »
Is this the same as the Facebook post pfSense posted yesterday?  It advertised Facebook blocking and other popular apps.  I reinstalled Snort on my SG-2220 last night and I don't see how to block Facebook or anything posted in that online post.


bmeeks
Re: Snort 3.2.9.5_4 - Release Notes
« Reply #3 on: December 07, 2017, 08:39:03 am »
> Is this the same as the Facebook post pfSense posted yesterday?  It advertised Facebook blocking and other popular apps.  I reinstalled Snort on my SG-2220 last night and I don't see how to block Facebook or anything posted in that online post.

Did you follow the link in that blog post to the "How To" document?  There are several steps involved in configuring OpenAppID in Snort.  It's more than just clicking the two checkboxes on the GLOBAL SETTINGS tab.  There are specific rules that have to be enabled as well on the RULES tab.  The various OpenAppID signatures are divided into various categories on that tab once you enable the rules and download them.

Bill

revengineer
Re: Snort 3.2.9.5_4 - Release Notes
« Reply #4 on: December 09, 2017, 03:18:46 pm »
I wanted to test the OpenAppID feature, but I cannot get the rules to download. The log entries are shown below. I have no problems downloading the rule files directly using the URL http://files.pfsense.org/openappid/appid_rules.tar.gz. Does anyone know what I am missing?

Code:
Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
Checking Snort OpenAppID RULES detectors md5 file...
There is a new set of Snort OpenAppID RULES detectors posted.
Downloading file 'appid_rules.tar.gz'...
Done downloading rules file.
Snort OpenAppID RULES detectors file download failed.  Bad MD5 checksum.
Downloaded Snort OpenAppID RULES detectors file MD5: 4a919586ee271f633a04b406b1332bf9
Expected Snort OpenAppID RULES detectors file MD5: d4539caec45fdb0484ded9de593e0dc4
Snort OpenAppID RULES detectors file download failed.  Snort OpenAppID RULES detectors will not be updated.

bmeeks
Re: Snort 3.2.9.5_4 - Release Notes
« Reply #5 on: December 12, 2017, 03:17:26 pm »
> I wanted to test the OpenAppID feature, but I cannot get the rules to download. The log entries are shown below. I have no problems downloading the rule files directly using the URL http://files.pfsense.org/openappid/appid_rules.tar.gz. Does anyone know what I am missing?
>
> Code:
> Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
> Checking Snort OpenAppID RULES detectors md5 file...
> There is a new set of Snort OpenAppID RULES detectors posted.
> Downloading file 'appid_rules.tar.gz'...
> Done downloading rules file.
> Snort OpenAppID RULES detectors file download failed.  Bad MD5 checksum.
> Downloaded Snort OpenAppID RULES detectors file MD5: 4a919586ee271f633a04b406b1332bf9
> Expected Snort OpenAppID RULES detectors file MD5: d4539caec45fdb0484ded9de593e0dc4
> Snort OpenAppID RULES detectors file download failed.  Snort OpenAppID RULES detectors will not be updated.

The problem is given in the error message.  The MD5 checksum check failed.  That means either your download got corrupted, or the MD5 file on the pfSense site is not correct for the current gzip rules archive.  Usually these kinds of errors auto-correct if you just wait a few hours or a day for things to get sorted out on the hosting site.

Bill
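
The two causes named in the reply above can be told apart from the update log once the failure repeats. This is an added example, not code from the Snort package or from anyone in this thread; the function names and the constructed sample log are assumptions, and only the log line formats and the two MD5 values come from the thread.

```python
import re

# Line formats copied from the update log quoted in this thread.
START = re.compile(r"^Downloading Snort OpenAppID RULES detectors md5 file")
GOT = re.compile(r"^Downloaded Snort OpenAppID RULES detectors file MD5: ([0-9a-f]{32})$")
WANT = re.compile(r"^Expected Snort OpenAppID RULES detectors file MD5: ([0-9a-f]{32})$")


def md5_failures(log_text):
    """Return one (downloaded, expected) pair per update run that logged a mismatch."""
    failures, got, want = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        if START.match(line):
            got = want = None  # a new update run begins
        elif m := GOT.match(line):
            got = m.group(1)
        elif m := WANT.match(line):
            want = m.group(1)
        if got and want:
            if got != want:
                failures.append((got, want))
            got = want = None
    return failures


def classify(failures):
    """Tell apart the two causes named in the reply above."""
    if not failures:
        return "ok"
    if len(failures) == 1:
        return "one failure: retry later"
    if len({got for got, _ in failures}) == 1:
        # The same bytes arrived on every run, which rules out random
        # corruption: the archive and its published .md5 file disagree.
        return "archive and md5 file out of step"
    return "downloaded bytes differ between runs"


def sample_run(got, want):
    """Constructed log excerpt for one failed update run (not real output)."""
    return (
        "Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...\n"
        "Snort OpenAppID RULES detectors file download failed.  Bad MD5 checksum.\n"
        f"Downloaded Snort OpenAppID RULES detectors file MD5: {got}\n"
        f"Expected Snort OpenAppID RULES detectors file MD5: {want}\n"
    )


if __name__ == "__main__":
    got, want = "4a919586ee271f633a04b406b1332bf9", "d4539caec45fdb0484ded9de593e0dc4"
    print(classify(md5_failures(sample_run(got, want) * 2)))
```

An MD5 file published alongside the archive catches corruption and out-of-step files; it is not a signature.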

revengineer
Re: Snort 3.2.9.5_4 - Release Notes
« Reply #6 on: December 12, 2017, 08:06:21 pm »

> The problem is given in the error message.  The MD5 checksum check failed.  That means either your download got corrupted, or the MD5 file on the pfSense site is not correct for the current gzip rules archive.  Usually these kinds of errors auto-correct if you just wait a few hours or a day for things to get sorted out on the hosting site.
>
> Bill

Thank you for the response. I just checked and the problem indeed fixed itself. The rules have loaded and I can start experimenting with application blocking.