Activate/Dynamic Rules



  • Hi all,
    Currently, I have code in custom.rule on pfSense, but I can't start Snort on the WAN interface :(. Is anything wrong? :'(

    var net_public [192.168.184.0/24]
    activate icmp 192.168.184.1 any -> $net_public any (msg: "test ping: ";classtype:attempted-recon;sid:99999;activates:1)
    dynamic icmp 192.168.184.1 any -> $net_public any (activated_by:1;count:13;classtype:attempted-recon)



  • @hvtuan297:

    Hi all,
    Currently, I have code in custom.rule on pfSense, but I can't start Snort on the WAN interface :(. Is anything wrong? :'(

    var net_public [192.168.184.0/24]
    activate icmp 192.168.184.1 any -> $net_public any (msg: "test ping: ";classtype:attempted-recon;sid:99999;activates:1)
    dynamic icmp 192.168.184.1 any -> $net_public any (activated_by:1;count:13;classtype:attempted-recon)

    Take a look at this thread on the Snort mailing list:  http://seclists.org/snort/2016/q2/263

    The word there is that those rule types are being phased out.  I am not familiar with those actions as I've never attempted to use them.  Look in the system log on pfSense to see if Snort is logging any error message during startup.  You can go to the GLOBAL SETTINGS tab and enable verbose logging.  That will spew a ton of messages to the pfSense system log when Snort starts.  You should be able to narrow down what it does not like about your rule from the log messages.

    Bill



  • Thanks a lot, Bill ;)