
Author Topic: Snort Package v3.2.9.6 - Release Notes  (Read 301 times)


Offline bmeeks

  • Hero Member
  • Posts: 3288
  • Karma: +861/-0
Snort Package v3.2.9.6 - Release Notes
« on: January 26, 2018, 08:28:27 am »
Snort Package Update to v3.2.9.6 (binary version 2.9.11.1)

An update for the Snort package has been posted.  The binary is updated to version 2.9.11.1 and the GUI package to version 3.2.9.6.

IMPORTANT INSTALLATION NOTICE
It is strongly recommended that you install this update by removing the Snort package and then installing it again instead of using the "upgrade" icon.  This is because a couple of the files in the new update will be cached by the PHP process if you simply "upgrade" using the reinstall icon.  The older version of the cached file will be used during the post-install steps and your rules may fail to update properly.  If you remove the package completely and then install it again, there will be no cached files issue.  So long as you have the "Save Settings" checkbox ticked on the GLOBAL SETTINGS tab, your Snort configuration will be retained when removing the package.  That box is checked by default, but if you have ever unchecked it for some reason, be sure to check it before removing the package.

If you read this warning after you've already tried the reinstall icon, then simply manually update your rules on the UPDATES tab, start Snort if it failed to start after the upgrade, and you should be fine.


This update to the Snort GUI package incorporates six bug fixes and two new features. The GUI package now supports the latest 2.9.11.1 version of Snort. References to the text "Snort VRT rules" within hints, help messages, log entries and titles within the GUI have been changed to read "Snort Subscriber Rules" to align with the naming convention preferred by Talos and Cisco.  This version of Snort runs without crashing on Netgate SG-3100 and similar ARM-based hardware.

New Features
  • Added dynamic updating of service status to INTERFACES tab for Snort and Barnyard2. When starting Snort on an interface, the task is launched as a background job and the GUI monitors the task status to update the icons on the INTERFACES tab.
  • Added support for the new "Max-Detect" IPS Policy available with Snort Subscriber Rules. This new policy is designed mainly for testing purposes as it maximizes detection (as the name implies) but also raises the number of potential false positives. The new mode is not recommended for production systems!
Bug Fixes
  • FQDN aliases are accepted without flagging an error, but do not process and result in no parts of the alias being used at runtime when an FQDN alias is nested within a normal static IP alias. With the fix, a warning message is printed to the system log and a safe default value is used (if applicable).
  • Bogus gettext() header info displayed on PASS LISTS tab in Alias column when alias is empty.
  • HOME_NET and EXTERNAL_NET custom lists ignore the setting to exclude locally-attached networks.
  • Fix syntax error on RULES tab causing rule status icons to display twice for "User Force Disabled" rules.
  • Barnyard2 configuration is not properly configured to allow full packet dumps.
  • Modify SNORT_BIN_VERSION constant's calculated value to account for longer version number string in latest Snort binary (such as 2.9.11.1).
Bill
« Last Edit: January 26, 2018, 08:41:11 am by bmeeks »
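The last bug fix in the list (the SNORT_BIN_VERSION constant tripping over the longer 2.9.11.1 version string) is a general pitfall when tooling compares installed versions of a binary. The example below is an added illustration written for this thread, not the pfSense package's own PHP code: it shows a constant-width slice silently truncating a four-part version, beside a regex-based parser that turns the banner into an integer tuple so that comparisons are correct (plain string comparison would rank "2.9.11.1" below "2.9.9.0"). The sample banners are constructed from the startup text quoted later in this thread; `installed_version()` runs the real `snort -V` flag and the binary path is the one quoted in the thread, but is only a default the caller can override.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample: the first lines of the startup banner quoted in this thread.
SAMPLE_BANNER_2_9_11_1 = """   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
"""

# Constructed sample with an older, shorter version string for comparison.
SAMPLE_BANNER_2_9_9_0 = """   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.9.0 GRE (Build 56) FreeBSD
"""

# Matches "Version 2.9.11.1" regardless of how many dotted parts there are.
VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)")


def fixed_width_version(banner: str) -> str:
    """Fragile approach (hypothetical illustration, not the package's code):
    assume the version string is always 7 characters wide. This works for
    2.9.9.0 but silently truncates 2.9.11.1 to "2.9.11."."""
    start = banner.index("Version ") + len("Version ")
    return banner[start:start + 7]


def parse_snort_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Robust approach: locate the dotted version with a regex and return it
    as a tuple of ints, e.g. (2, 9, 11, 1). Returns None if no version is found."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def version_at_least(found: Tuple[int, ...], required: Tuple[int, ...]) -> bool:
    """Tuple comparison orders numerically, so (2, 9, 11, 1) >= (2, 9, 9, 0)."""
    return found >= required


def installed_version(snort_path: str = "/usr/local/bin/snort") -> Optional[Tuple[int, ...]]:
    """Run `snort -V` and parse its banner. Returns None if the binary is
    missing or the banner is not recognised."""
    try:
        proc = subprocess.run([snort_path, "-V"], capture_output=True,
                              text=True, check=False)
    except OSError:
        return None
    return parse_snort_version(proc.stdout + proc.stderr)


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("snort binary not found or banner not recognised")
    else:
        ok = version_at_least(version, (2, 9, 11, 1))
        print(".".join(map(str, version)), "OK" if ok else "older than expected")
```

Run on a pfSense box this prints the installed Snort version and whether it is at least the 2.9.11.1 binary this package update expects; elsewhere it reports that the binary is absent rather than failing.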

Offline atrotter01

  • Newbie
  • Posts: 12
  • Karma: +0/-0
Re: Snort Package v3.2.9.6 - Release Notes
« Reply #1 on: January 26, 2018, 04:54:35 pm »
Should this include the fixes for the SG-3100 / ARM issue?  I am still getting bus error crashes:

Code:
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.40 2017-01-11
           Using ZLIB version: 1.2.11

[2.4.2-RELEASE][admin@pfsense]/root: /usr/local/bin/snort -R 9151 -q --suppress-config-log -l /var/log/snort/snort_mvneta19151 --pid-path /var/run --nolock-pidfile -G 9151 -c /usr/local/etc/snort/snort_9151_mvneta1/snort.conf -i mvneta1


Bus error

Edit - it looks like it starts if I disable "Track and reassemble TCP sessions. Default is Checked." under the Stream5 preproc.
« Last Edit: January 26, 2018, 05:33:02 pm by atrotter01 »

Offline Ramosel

  • Full Member
  • Posts: 218
  • Karma: +15/-0
Re: Snort Package v3.2.9.6 - Release Notes
« Reply #2 on: January 26, 2018, 07:22:08 pm »
Snort Package Update to v3.2.9.6 (binary version 2.9.11.1)

IMPORTANT INSTALLATION NOTICE
It is strongly recommended that you install this update by removing the Snort package and then installing it again instead of using the "upgrade" icon.  This is because a couple of the files in the new update will be cached by the PHP process if you simply "upgrade" using the reinstall icon.  The older version of the cached file will be used during the post-install steps and your rules may fail to update properly.  If you remove the package completely and then install it again, there will be no cached files issue.  So long as you have the "Save Settings" checkbox ticked on the GLOBAL SETTINGS tab, your Snort configuration will be retained when removing the package.  That box is checked by default, but if you have ever unchecked it for some reason, be sure to check it before removing the package.


Thanks Bill,
Stupidly, I did not follow this process on the last update and had to fight things out for a couple of hours.   Went back to this process ( which I had used before ) and this update went smooth as glass in just a few minutes.   You really do take the time to warn us for a reason.  Now all we have to do is listen.

Rick

Offline bmeeks

  • Hero Member
  • Posts: 3288
  • Karma: +861/-0
Re: Snort Package v3.2.9.6 - Release Notes
« Reply #3 on: January 29, 2018, 03:11:32 pm »
Snort Package Update to v3.2.9.6 (binary version 2.9.11.1)

IMPORTANT INSTALLATION NOTICE
It is strongly recommended that you install this update by removing the Snort package and then installing it again instead of using the "upgrade" icon.  This is because a couple of the files in the new update will be cached by the PHP process if you simply "upgrade" using the reinstall icon.  The older version of the cached file will be used during the post-install steps and your rules may fail to update properly.  If you remove the package completely and then install it again, there will be no cached files issue.  So long as you have the "Save Settings" checkbox ticked on the GLOBAL SETTINGS tab, your Snort configuration will be retained when removing the package.  That box is checked by default, but if you have ever unchecked it for some reason, be sure to check it before removing the package.


Thanks Bill,
Stupidly, I did not follow this process on the last update and had to fight things out for a couple of hours.   Went back to this process ( which I had used before ) and this update went smooth as glass in just a few minutes.   You really do take the time to warn us for a reason.  Now all we have to do is listen.

Rick

The latest 3.2.9.6 Snort package is working fine on my SG-3100 with the STREAM5 preprocessor enabled.  Try removing and installing Snort again to be 100% sure you have the latest binary package build.  Also re-enable the STREAM5 preprocessor before removing the package.

Bill
« Last Edit: January 29, 2018, 08:39:22 pm by bmeeks »

Offline atrotter01

  • Newbie
  • Posts: 12
  • Karma: +0/-0
Re: Snort Package v3.2.9.6 - Release Notes
« Reply #4 on: January 29, 2018, 05:28:53 pm »
Thanks, I did try that, and just tried it again as well.  I removed snort, manually removed the cached package, reinstalled.  I then updated the rules, created a LAN interface, and started it.  No other settings were changed and it crashed