Creating custom rules in pfSense Snort

  • Hello. I have been searching online but could not find an answer. I wanted to know how you can create a custom Snort rule in pfSense (like you would in the local.rules file via the command line in other distributions). I have also checked the rules tab for my Snort interface in the pfSense web interface, but could not find where you can add custom rules.

  • Services -> Snort -> Rules -> INTERFACE - INTERFACE Rules -> custom.rules

    alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event)

    A rule that alerted for a specific DNS lookup, now commented out:-

    Screenshot 2019-05-12 at 18.39.36.png

  • Just like @NogBadTheBad posted. Type or paste your custom rules into the text box then click Save. Any custom rules will be combined with the rules from categories you selected on the CATEGORIES tab. Don't forget the cardinal rule of custom rules: every SID must be unique! Make sure you pick a starting SID number that does not conflict with any existing SIDs from other enabled rules.
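A check for the unique-SID requirement described above, as an added example that is not part of the original thread. It scans custom rule text for SIDs that repeat, collide with already enabled rules, or fall below 1,000,000 (the Snort convention for where local rule SIDs start); the function names and all sample rules are constructed for illustration, and one rule per line is assumed.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
LOCAL_SID_MIN = 1_000_000  # Snort convention: local rule SIDs start here

def active_sids(rules_text):
    """Yield (line_no, sid or None) per active rule; assumes one rule per line."""
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank line or commented-out rule
            continue
        m = SID_RE.search(line)
        yield line_no, (int(m.group(1)) if m else None)

def check_custom_rules(custom_text, enabled_text):
    """Return (line_no, sid, problem) tuples for the custom rules."""
    enabled = {sid for _, sid in active_sids(enabled_text) if sid is not None}
    first_seen = {}  # sid -> first custom line that used it
    problems = []
    for line_no, sid in active_sids(custom_text):
        if sid is None:
            problems.append((line_no, None, "missing sid"))
            continue
        if sid < LOCAL_SID_MIN:
            problems.append((line_no, sid, "below local SID range"))
        if sid in enabled:
            problems.append((line_no, sid, "collides with an enabled rule"))
        if sid in first_seen:
            problems.append(
                (line_no, sid, f"duplicates custom rule on line {first_seen[sid]}"))
        first_seen.setdefault(sid, line_no)
    return problems

# Constructed sample input: line 1 is modeled on the ICMP rule in the thread.
CUSTOM = '''\
alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event;)
# alert udp any any -> any 53 (msg:"DNS lookup, disabled"; sid:1000001; rev:1;)
alert tcp any any -> any 23 (msg:"Telnet attempt"; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"FTP attempt"; sid:2000001; rev:1;)
alert tcp any any -> any 25 (msg:"SMTP attempt"; sid:5000; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP attempt"; rev:1;)
'''
# Constructed stand-in for rules enabled on the CATEGORIES tab.
ENABLED = 'alert tcp any any -> any 21 (msg:"Category rule"; sid:2000001; rev:3;)\n'

if __name__ == "__main__":
    for problem in check_custom_rules(CUSTOM, ENABLED):
        print(problem)
```

The commented-out rule on line 2 reuses SID 1000001 without being reported, since a disabled rule does not conflict until it is re-enabled.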

  • Thanks! It is working now.
