@erasedhammer said in Snort Custom Rule not alerting on traffic:

So filtering on dsize greater than zero with a Syn flag should match any TCP Syn packet with something in the TCP payload.

But I believe your "content:" string is going to be checked and found not present, thus no alert.

The way I understand the content keyword is that it will expect to find that particular string in the packet payload, and if the entire string is not present in the payload then it will not alert.

Your rule is looking for the string "TCP SYN Packet Containing Data Payload Detected", but that exact string is not present in your rule. Instead, your test is loading the payload with the string "datadatadatadatadata".

@bmeeks

Kk Sounds good,

Thanks my friend will check it out, and I will ask my isp about that because I am seeing a whole range of ips in the same scope as my public wan ip as well as ips that look to be going to different ip addresses not related to me at all and are on the same subnet as my public wan.

Thanks again.

This forum is for users of Snort on pfSense only. There is no support for Windows versions of Snort available here.

Found an answer, took me long enough given it was right in front of me the whole time...

On Line 60 in the YAML, you can disable Stats - that probably cuts down 80% of the garbage data in EVE.

You can further disable logging (in EVE) under metadata for DNS, TLS, TCP, HTTP, etc. -- YMMV, but I feel keeping that stuff is fine since you can filter it out using something like Kibana or Splunk readily.

@hannes-hutmacher I think will be better if you save your config to xml file and then make fresh install including xml import option.
Please see https://docs.netgate.com/pfsense/en/latest/backup/index.html