Snort - How to block specific file types
Running pfSense version 2.3.1-p5
We have a very basic Snort setup. When I go to configure custom rules and add something like:
alert tcp any any -> any any (msg:"whatever"; file_type:MSEXEC;)
The GUI comes back with an error:
Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_45587_em1/rules/custom.rules(1) 'MSEXEC' is not a configured file type.Initializing rule chains…
For any file type I enter, it yields the same error message.
Any help would be much appreciated.
The file inspect option is not currently enabled in the pfSense build of Snort. This is because when it was first available there were some runtime errors I experienced on FreeBSD (at least within pfSense). As the option was still a bit experimental at the time, I did not pursue tracking down the problems. That option is still disabled on pfSense. I can look into turning it on in a future package update on pfSense.
…I can look into turning it on in a future package update on pfSense.
+1 That would be great.
Thank you. If possible, that would be great to add in the next update.