Netgate Discussion Forum

    Activate/Dynamic Rules

      hvtuan297

      Hi all,
      Currently, I have code in custom.rule on pfSense, but I can't start Snort on the WAN interface :( Is anything wrong? :'(

      var net_public [192.168.184.0/24]
      activate icmp 192.168.184.1 any -> $net_public any (msg: "test ping: ";classtype:attempted-recon;sid:99999;activates:1)
      dynamic icmp 192.168.184.1 any -> $net_public any (activated_by:1;count:13;classtype:attempted-recon)

        bmeeks

        @hvtuan297:

        Hi all,
        Currently, I have code in custom.rule on pfSense, but I can't start Snort on the WAN interface :( Is anything wrong? :'(

        var net_public [192.168.184.0/24]
        activate icmp 192.168.184.1 any -> $net_public any (msg: "test ping: ";classtype:attempted-recon;sid:99999;activates:1)
        dynamic icmp 192.168.184.1 any -> $net_public any (activated_by:1;count:13;classtype:attempted-recon)

        Take a look at this thread on the Snort mailing list:  http://seclists.org/snort/2016/q2/263

        The word there is that those rule types are being phased out.  I am not familiar with those actions as I've never attempted to use them.  Look in the system log on pfSense to see if Snort is logging any error message during startup.  You can go to the GLOBAL SETTINGS tab and enable verbose logging.  That will spew a ton of messages to the pfSense system log when Snort starts.  You should be able to narrow down what it does not like about your rule from the log messages.

        Bill

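An added example (not part of the original posts) for the log-review step Bill describes: it pulls Snort's fatal startup errors out of a system log and shows the rule line each one points at. The log line format, the sample log lines, the file path and the reported line number are assumptions constructed for illustration; they are not a diagnosis of the posted rules.

```python
import re

# Assumed shape of a Snort 2.x startup parse failure in the system log:
#   "... snort[PID]: FATAL ERROR: <rules file>(<line>) <reason>"
FATAL_RE = re.compile(
    r"snort\[\d+\]:\s+FATAL ERROR:\s+"
    r"(?P<path>\S+?)\((?P<line>\d+)\)\s+(?P<reason>.*)$"
)

# Constructed sample log (hostname, PIDs, path, line number and messages are made up).
SAMPLE_LOG = """\
Jun  1 10:15:02 fw snort[4242]: Initializing rule chains...
Jun  1 10:15:02 fw snort[4242]: FATAL ERROR: /example/rules/custom.rules(3) constructed parse error text
Jun  1 10:15:03 fw php-fpm[311]: constructed unrelated message
"""

# The custom rules from the first post, embedded so the example runs offline.
SAMPLE_RULES = """\
var net_public [192.168.184.0/24]
activate icmp 192.168.184.1 any -> $net_public any (msg: "test ping: ";classtype:attempted-recon;sid:99999;activates:1)
dynamic icmp 192.168.184.1 any -> $net_public any (activated_by:1;count:13;classtype:attempted-recon)
"""


def find_startup_errors(log_text):
    """Return (rules_path, line_no, reason) for each fatal parse error logged."""
    matches = (FATAL_RE.search(entry) for entry in log_text.splitlines())
    return [(m["path"], int(m["line"]), m["reason"].strip()) for m in matches if m]


def rule_at(rules_text, line_no):
    """Return the text of a 1-based line of the rules file, or None if out of range."""
    lines = rules_text.splitlines()
    return lines[line_no - 1] if 1 <= line_no <= len(lines) else None


def report(log_text, rules_text):
    """Pair each fatal error with the rule line it points at."""
    return [
        {"file": path, "line": n, "reason": why, "rule": rule_at(rules_text, n)}
        for path, n, why in find_startup_errors(log_text)
    ]


if __name__ == "__main__":
    for item in report(SAMPLE_LOG, SAMPLE_RULES):
        print(f'{item["file"]}:{item["line"]}: {item["reason"]}\n    {item["rule"]}')
```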
          hvtuan297

          Thanks a lot, Bill  ;)
