Editing snort rules
-
I would prefer something like an option for the update process: "add and enable new rules automatically on updates" or "add new rules and disable them on updates". This way you don't have to revisit rules always when there was an update.
-
I would prefer something like an option for the update process: "add and enable new rules automatically on updates" or "add new rules and disable them on updates". This way you don't have to revisit rules always when there was an update.
I think you misunderstood the question. I was referring to existing rules, in the current installed ruleset on pfsense, that have been modified in the new ruleset the user is downloading. For example:
Let's say that a default rule installed on pfsense looks like: alert tcp any 80 any any Blah Blah Blah
Now lets say the user has modified that rule later on to look like: alert tcp $Home_Net 80 any any blah blah blahNow lets say that snort has modified that same rule in the new ruleset to: alert udp $any 80 any any blah blah blah
The way things are now, the users changes are going to be overwritten. Also, there is no way that pfsense can decide which of the two rules to keep. The one that the user modified, or the new one that is being downloaded. What I am suggesting that we do is give the user a choice, and be able to see the changes, before they are overwritten.
My thoughts are this. Not every pfsense user is going to be modifying their snort rules. In this case, downloading all rules and automatically overwriting will be ok. But, if the user has modified rules, they are going to want to be notified before their changes are overwritten. Hence why I am suggesting this solution.
-
Ok, if this conflict check is only applied against rules that the user customized I agree :)
-
Attach your changes as diffs against the latest versions of the the files that you changed here.
I guess Scott is real busy to be working on this right now, so here are the files along with the diffs in case someone else can merge them.
For those of you who wish to try this out, simply install the .php files into your /usr/local/www folder and the .xml files to the /usr/local/pkg folder. Let me know if you have any troubles.
This file is a zip file, rename it to .zip and extract.
I have not had a chance to address the issue regarding saving changes made. I will get to that though, will probably be after Christmas though.
-
Please make sure that you are on the latest snort files and then send me all the new files in their entirety and I will overwrite the files in CVS with these. I am quite busy on a major project (failover DNS) but can get these files commited.
-
Everyone, the files have been committed. If you reinstall the snort package it will install the necessary files.
-
Do I need to be running one of the more recent snapshots?
I'm getting 404 - Not Found when I browse to http://192.168.1.2/snort_rules.php
-
No, the snort package isn't downloading the files properly. Working on it right now.
-
I sent the corrected file to Scott. Soon as he gets them committed everything should be good to go.
Sorry for the confusion
-
Allright, everything should be good to go. Reinstall package and it will download the new files.
FYI, if you edit any rules, they will not take effect until snort is reloaded. Right now I don't have the pages reloading snort, but I am working on that. For now, once you've edited the rules you want to, just click save under Snort Categories or settings and that will reload the rules.
-
Yep, reinstalled and looking good
Great work sdale :)
-
Very nice job!!!!
In the SNORT rules tab under category what is the purpose of the drop down box. If I select a different rule in the drop down nothing happens. If I go to SNORT categories tab and select a rule to view, it then goes to the rules tab and it lists it in the drop down box with the rules displayed. Does this occur for anyone else?
-
When you change the drop down menu, it should refresh with the ruleset you selected. It's working for me.
-
Very nice job!!!!
In the SNORT rules tab under category what is the purpose of the drop down box. If I select a different rule in the drop down nothing happens. If I go to SNORT categories tab and select a rule to view, it then goes to the rules tab and it lists it in the drop down box with the rules displayed. Does this occur for anyone else?
Bah, let me guess, you're still using IE? ;) Looks like IE doesn't handle the refresh properly. I'll take a look into it.
-
Well it's an IE thing…..seems to work fine in firefox.