Netgate Discussion Forum

Snort - How to block specific file types

IDS/IPS
    corpengineer
    last edited by Jul 6, 2016, 10:40 PM

    Hello there:

    Running pfSense version 2.3.1-p5

    We have a very basic Snort setup.  When I go to configure custom rules and enter something like:

    alert tcp any any -> any any (msg:"whatever"; file_type:MSEXEC;)

    The GUI comes back with an error:

    Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_45587_em1/rules/custom.rules(1) 'MSEXEC' is not a configured file type.Initializing rule chains…

    For any file type I enter, it yields the same error message.

    Any help would be much appreciated.

    Thank you.

      bmeeks
      last edited by Jul 6, 2016, 11:39 PM

      The file inspect option is not currently enabled in the pfSense build of Snort.  This is because when it was first available there were some runtime errors I experienced on FreeBSD (at least within pfSense).  As the option was still a bit experimental at the time, I did not pursue tracking down the problems.  That option is still disabled on pfSense.  I can look into turning it on in a future package update on pfSense.

      Bill

        AR15USR
        last edited by Jul 6, 2016, 11:47 PM

        @bmeeks:

        …I can look into turning it on in a future package update on pfSense.

        Bill

        +1 That would be great.


        2.6.0-RELEASE

          corpengineer
          last edited by Jul 7, 2016, 7:30 PM

          Thank you.  If possible, that would be great to add in the next update.
