Snort - How to block specific file types
-
Hello there:
Running pfSense version 2.3.1-p5
We have a very basic Snort setup. When I go to configure custom rules and enter something like:
alert tcp any any -> any any (msg:"whatever"; file_type:MSEXEC;)
The GUI comes back with an error:
Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_45587_em1/rules/custom.rules(1) 'MSEXEC' is not a configured file type.Initializing rule chains…
For any file type I enter, it yields the same error message.
Any help would be much appreciated.
Thank you.
-
The file inspect option is not currently enabled in the pfSense build of Snort. This is because when it was first available there were some runtime errors I experienced on FreeBSD (at least within pfSense). As the option was still a bit experimental at the time, I did not pursue tracking down the problems. That option is still disabled on pfSense. I can look into turning it on in a future package update on pfSense.
Bill
-
…I can look into turning it on in a future package update on pfSense.
Bill
+1 That would be great.
-
Thank you. If possible, that would be great to add in the next update.