Assistance Needed with Customizing Snort Rules Update Process on pfSense
-
Hello everyone,
I am currently managing a pfSense setup that includes the Snort package for intrusion detection. I have a specific requirement to streamline the rules update process by centralizing it through an internal server, rather than updating each firewall individually with its own API keys.
To achieve this, I need to customize the source from which pfSense fetches its Snort rules updates. My goal is to set up a central server that periodically downloads the latest rule sets using a single API key, and then distribute these rules to multiple pfSense devices on our network.
However, I've encountered difficulties in modifying or setting up pfSense to fetch updates from a local or intranet source instead of the default external URLs provided by Snort. I could not find options within the Snort package interface to change the update URL or configure it to point to our internal server.
Could you please guide me on how to achieve the following:
- Modify the default rules update URL for Snort in pfSense to use a local network resource.
- Set up an internal distribution server that pfSense can access for fetching Snort rules.
- Ensure that the update process is secure and only allows updates from authenticated and authorized sources.
I would appreciate any documentation, advice, or steps you could provide on how to customize the rules update settings in pfSense for this purpose. If there are scripts or configuration files that need to be edited directly, could you please provide details on where these files are located and how they can be safely modified?
Thank you
-
The Snort package does not currently support customizing the rules download URLs from within the GUI.
You can modify the PHP source code of the Snort GUI package on your own to accomplish what you desire, but you will need to be proficient in PHP programming.
The files you need to modify are:
/usr/local/pkg/snort/snort_defs.inc
/usr/local/pkg/snort/snort_check_for_rule_updates.php
/usr/local/www/snort/snort_download_updates.php
You are on your own to make the necessary modifications. Also remember that if you later update or otherwise reinstall the Snort package, your changes to the source code files will be overwritten.
-
I just purchased the Snort subscription rules; it's not that much for private use. You get tons of good stuff with it. Is it ethical to use this rule set for other devices … no, so I wouldn't do it; just purchase a business subscription if you are attempting to do that.
Again, there are rule sets from other security providers that I would love to add URLs for.
https://rules.emergingthreats.net/blockrules/3coresec.rules
https://forum.netgate.com/topic/177538/is-it-possible-to-use-a-cron-job-to-update-custom-snort-rules
So I get the appeal of wanting custom URLs but understand why it's not included: if it were, anyone could reuse subscription rules on other devices.
I wonder if there is a way to get the best of both custom URLs and rules and give Snort security for their subscription rules too, so there are no free riders.