4. Activate/Dynamic Rules

Activate/Dynamic Rules

  • H

    Hi all,
    Currently, I had code at custom.rule pfsense but I can't start snort at WAN interface  :(, anything wrong  :'(

    var net_public [192.168.184.0/24]
    activate icmp 192.168.184.1 any -> $net_public any (msg: "test ping: ";classtype:attempted-recon;sid:99999;activates:1)
    dynamic icmp 192.168.184.1 any -> $net_public any (activated_by:1;count:13;classtype:attempted-recon)

    0

  • @hvtuan297:

    Hi all,
    Currently, I had code at custom.rule pfsense but I can't start snort at WAN interface  :(, anything wrong  :'(

    var net_public [192.168.184.0/24]
    activate icmp 192.168.184.1 any -> $net_public any (msg: "test ping: ";classtype:attempted-recon;sid:99999;activates:1)
    dynamic icmp 192.168.184.1 any -> $net_public any (activated_by:1;count:13;classtype:attempted-recon)

    Take a look at this thread on the Snort mailing list:  http://seclists.org/snort/2016/q2/263

    The word there is that those rule types are being phased out.  I am not familiar with those actions as I've never attempted to use them.  Look in the system log on pfSense to see if Snort is logging any error message during startup.  You can go to the GLOBAL SETTINGS tab and enable verbose logging.  That will spew a ton of messages to the pfSense system log when Snort starts.  You should be able to narrow down what it does not like about your rule from the log messages.

    Bill

    0
  • H

    Thanks a alot, Bill  ;)

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy