Snort - How to block specific file types



  • Hello there:

    Running pfSense version 2.3.1-p5

    We have a very basic Snort setup.  When I go to configure custom rules and enter something like:

    alert tcp any any -> any any (msg:"whatever"; file_type:MSEXEC;)

    The GUI comes back with an error:

    Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_45587_em1/rules/custom.rules(1) 'MSEXEC' is not a configured file type.Initializing rule chains…

    For any file type I enter, it yields the same error message.

    Any help would be much appreciated.

    Thank you.



  • The file inspect option is not currently enabled in the pfSense build of Snort.  This is because when it was first available there were some runtime errors I experienced on FreeBSD (at least within pfSense).  As the option was still a bit experimental at the time, I did not pursue tracking down the problems.  That option is still disabled on pfSense.  I can look into turning it on in a future package update on pfSense.

    Bill



  • @bmeeks:

    …I can look into turning it on in a future package update on pfSense.

    Bill

    +1 That would be great.



  • Thank you.  If possible, that would be great to add in the next update.

