Netgate Discussion Forum

Creating custom rules in pfSense Snort

IDS/IPS
    tsame
    last edited by May 12, 2019, 1:13 PM

    Hello. I have been searching online but could not find an answer, so I wanted to know how you can create a custom Snort rule in pfSense (like you would in the local.rules file via the command line in other distributions). I have also checked the rules tab for my Snort interface in the pfSense web interface, but could not find where you can add custom rules.

      NogBadTheBad
      last edited by NogBadTheBad May 12, 2019, 5:40 PM May 12, 2019, 5:36 PM

      Services -> Snort -> Rules -> INTERFACE - INTERFACE Rules -> custom.rules

      alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event;)

      http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html

      A rule that alerted for a specific DNS lookup, now commented out:-

      Screenshot 2019-05-12 at 18.39.36.png

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        bmeeks
        last edited by bmeeks May 12, 2019, 8:22 PM May 12, 2019, 8:20 PM

        Just like @NogBadTheBad posted. Type or paste your custom rules into the text box then click Save. Any custom rules will be combined with the rules from categories you selected on the CATEGORIES tab. Don't forget the cardinal rule of custom rules: every SID must be unique! Make sure you pick a starting SID number that does not conflict with any existing SIDs from other enabled rules.

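One way to run the SID uniqueness check described in the post above before pasting rules into custom.rules. This is an added example, not code from the thread or from the pfSense Snort package. The sample rule text is constructed, the function names are hypothetical, all rules are assumed to use the default generator ID, and the 1,000,000 floor for local SIDs is the Snort manual's convention rather than something stated in the thread.

```python
import re
from collections import defaultdict

LOCAL_SID_MIN = 1_000_000  # Snort manual: SIDs >= 1,000,000 are for local rules
SID_RE = re.compile(r'[(;]\s*sid\s*:\s*(\d+)\s*[;)]')

# Constructed sample: rules enabled from downloaded categories (not real rules).
ENABLED_RULES = """\
alert tcp any any -> any 23 (msg:"Constructed category rule A"; sid:2100001; rev:3;)
# alert tcp any any -> any 21 (msg:"Disabled category rule"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"Constructed category rule B"; sid:1000003; rev:2;)
"""

# Constructed sample: text about to be pasted into custom.rules.
CUSTOM_RULES = """\
alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event)
alert tcp any any -> any 22 (msg:"Constructed SSH rule"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"Constructed HTTP rule"; sid:1000003; rev:1;)
alert tcp any any -> any 443 (msg:"Constructed TLS rule"; sid:4242; rev:1;)
alert tcp any any -> any 25 (msg:"Constructed SMTP rule"; rev:1;)
"""

def active_sids(text):
    """Return ({sid: [line numbers]}, [lines lacking a sid]) for uncommented rules."""
    sids, missing = defaultdict(list), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and disabled rules cannot conflict
        m = SID_RE.search(line)
        if m:
            sids[int(m.group(1))].append(n)
        else:
            missing.append(n)
    return sids, missing

def check_custom(custom, enabled):
    """Report SID problems in custom rules before they are saved."""
    custom_sids, missing = active_sids(custom)
    enabled_sids, _ = active_sids(enabled)
    return {
        "duplicate_in_custom": sorted(s for s, ln in custom_sids.items() if len(ln) > 1),
        "conflicts_with_enabled": sorted(set(custom_sids) & set(enabled_sids)),
        "below_local_range": sorted(s for s in custom_sids if s < LOCAL_SID_MIN),
        "lines_missing_sid": missing,
    }

if __name__ == "__main__":
    print(check_custom(CUSTOM_RULES, ENABLED_RULES))
```

Any non-empty list in the result marks rules to renumber or complete before clicking Save.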
          tsame
          last edited by May 13, 2019, 11:38 AM

          Thanks! It is working now.
