Netgate Discussion Forum

    Snort stops and can't restart when using custom rules

    tom.barat

      Hello,

      I am trying to set up Snort on my WAN interface. Everything worked fine until I tried to use custom rules.

      I want to detect some SQL injections; I defined the rule as follows:

      alert tcp any any -> any 80 (msg: "SQLi detected"; content: "OR"; classtype: attempted-recon;)

      Obviously this is a poorly defined rule because the content filter is not fine-tuned at all, but I wanted to see if it worked first.

      The issue is that after saving this custom rule, Snort stops and cannot restart on the interface. Initially I did not use the classtype keyword in my custom rule and read that it could cause this issue, but the issue persists after including the classtype in my rule.

      Thank you in advance for your help.

      bmeeks

        Take a look in the system log and see what error message, if any, that Snort is posting when attempting to start up.

        tom.barat

          Apparently a correct SID was also necessary for the rule to work. I am having trouble finding documentation on which SIDs are taken by pre-defined rules and which SIDs are free to use for custom rules, though.

          In my case I got it to work with SID 203 (which I picked randomly).

          bmeeks @tom.barat

            Yeah, I didn't notice the SID was missing from the rule. Every rule must have a unique SID and a GID. For custom user rules, the GID is always 1. The general consensus is to start custom user rule SIDs at the 2000000 mark or so. You just can never ever have a duplicate SID!

            There are several resources to be found on Google for writing your own Snort rules.

            tom.barat
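As an added example (not code from this thread, from Netgate or from the Snort project), a small Python linter that checks a constructed local.rules file for the problems discussed in the posts above: a missing sid, a SID below the local-rule range the thread suggests (assumed here as 2000000), a GID other than 1, and a duplicate gid:sid pair that Snort would refuse to load.

```python
import re

# Assumption taken from the thread: custom rule SIDs start "at the 2000000 mark".
LOCAL_SID_MIN = 2000000
HEADER_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+'
    r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(rule):
    """Split a one-line Snort rule into header fields and an option dict."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    # Options are ';'-separated; a literal ';' inside a value must be escaped.
    for opt in re.split(r'(?<!\\);', body):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}

def lint_rule(rule, seen_sids):
    """Return the problems found in one rule and record its gid:sid pair."""
    o = parse_rule(rule)["opts"]
    problems = []
    if "msg" not in o:
        problems.append("missing msg")
    if not o.get("sid", "").isdigit():
        problems.append("missing sid (Snort will not load the rule)")
    else:
        sid, gid = int(o["sid"]), int(o.get("gid", "1"))  # GID defaults to 1
        if gid != 1:
            problems.append("custom rule should use gid 1, got %d" % gid)
        if sid < LOCAL_SID_MIN:
            problems.append("sid %d is below the local-rule range (>= %d)"
                            % (sid, LOCAL_SID_MIN))
        if (gid, sid) in seen_sids:
            problems.append("duplicate gid:sid %d:%d" % (gid, sid))
        seen_sids.add((gid, sid))
    if "classtype" not in o:
        problems.append("missing classtype")
    if "rev" not in o:
        problems.append("missing rev")
    return problems

def lint_rules(text):
    """Lint every non-comment line of a rules file; returns {line_no: problems}."""
    seen, report = set(), {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith('#'):
            report[n] = lint_rule(line, seen)
    return report

# Constructed sample local.rules: the thread's rule, its sid 203 fix, and two more.
LOCAL_RULES = """# constructed sample
alert tcp any any -> any 80 (msg:"SQLi detected"; content:"OR"; classtype:attempted-recon;)
alert tcp any any -> any 80 (msg:"SQLi detected"; content:"OR"; classtype:attempted-recon; sid:203; rev:1;)
alert tcp any any -> any 80 (msg:"SQLi detected"; content:"' OR 1=1"; nocase; classtype:web-application-attack; sid:2000001; rev:1;)
alert tcp any any -> any 80 (msg:"SQLi dup"; content:"UNION SELECT"; nocase; classtype:web-application-attack; sid:2000001; rev:1;)
"""
```

Running lint_rules(LOCAL_RULES) flags line 2 for the missing sid, line 3 for a SID below 2000000, and line 5 for the duplicate sid 2000001; line 4 passes.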

              Yes, thank you for the best practice on what SID to use for custom rules. This was the information that was missing from the resources available online (although I did not look thoroughly, so I might have just missed it).

              In any case this is resolved.

              Thank you.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.