Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Help needed, custom Snort rule prevent me from starting the WAN interface

    Off-Topic & Non-Support Discussion
    2
    2
    191
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Sjady
      last edited by

      Good evening everyone

      Im having an issue where when i add a custom rule to my WAN interface(SNORT), i cant start the interface, not even the simplest ping rules work now despite having worked just fine all day. Trouble started after i started doing some test monitoring of some SMB traffic with the following rule:

      alert tcp any any -> $HOME_NET[139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

      Not sure what went wrong, but the rule didnt work, and now my other custom rules dont either(as in they prevent me from starting the interface), awsome sigh..

      Anyone who knows what has happend?

      bmeeksB 1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks @Sjady
        last edited by

        @sjady said in Help needed, custom Snort rule prevent me from starting the WAN interface:

        Good evening everyone

        Im having an issue where when i add a custom rule to my WAN interface(SNORT), i cant start the interface, not even the simplest ping rules work now despite having worked just fine all day. Trouble started after i started doing some test monitoring of some SMB traffic with the following rule:

        alert tcp any any -> $HOME_NET[139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

        Not sure what went wrong, but the rule didnt work, and now my other custom rules dont either(as in they prevent me from starting the interface), awsome sigh..

        Anyone who knows what has happend?

        Your rule given in your post has a syntax error. There should be a space between $HOME_NET and the SMB ports string. Secondly, you are using a SID range that is not guaranteed to be unique. There can only be one unique SID for each rule loaded. You should generally start custom rules at a very high range like 5555 or 9999, etc.

        Your rule should look like this:

        alert tcp any any -> $HOME_NET [139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

        Did you look in the pfSense system log for any error messages? I would expect one to be in there complaining about the rule syntax and/or duplicated SIDs.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post