Help needed, custom Snort rule prevent me from starting the WAN interface

Sjady

Good evening everyone

Im having an issue where when i add a custom rule to my WAN interface(SNORT), i cant start the interface, not even the simplest ping rules work now despite having worked just fine all day. Trouble started after i started doing some test monitoring of some SMB traffic with the following rule:

alert tcp any any -> $HOME_NET[139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Not sure what went wrong, but the rule didnt work, and now my other custom rules dont either(as in they prevent me from starting the interface), awsome sigh..

Anyone who knows what has happend?

bmeeks

@sjady said in Help needed, custom Snort rule prevent me from starting the WAN interface:

Good evening everyone

Im having an issue where when i add a custom rule to my WAN interface(SNORT), i cant start the interface, not even the simplest ping rules work now despite having worked just fine all day. Trouble started after i started doing some test monitoring of some SMB traffic with the following rule:

alert tcp any any -> $HOME_NET[139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Not sure what went wrong, but the rule didnt work, and now my other custom rules dont either(as in they prevent me from starting the interface), awsome sigh..

Anyone who knows what has happend?

Your rule given in your post has a syntax error. There should be a space between $HOME_NET and the SMB ports string. Secondly, you are using a SID range that is not guaranteed to be unique. There can only be one unique SID for each rule loaded. You should generally start custom rules at a very high range like 5555 or 9999, etc.

Your rule should look like this:

alert tcp any any -> $HOME_NET [139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Did you look in the pfSense system log for any error messages? I would expect one to be in there complaining about the rule syntax and/or duplicated SIDs.