Creating custom rules in pfSense Snort

tsame · May 12, 2019, 1:13 PM

Hello. I have been searching online but could not find an answer but I wanted to know how can you create a custom Snort rule in pfSense? (like you would in the local.rules files via the command line in other distributions). I have also checked the rules tab for my Snort interface in the pfSense web interface, but could not find where you can add custom rules.

NogBadTheBad · May 12, 2019, 5:40 PM

Services -> Snort -> Rules -> INTERFACE - INTERFACE Rules -> custom.rules

alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event)

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html

A rule that alerted for a specific DNS lookup, now commented out:-

bmeeks · May 12, 2019, 8:22 PM

Just like @NogBadTheBad posted. Type or paste your custom rules into the text box then click Save. Any custom rules will be combined with the rules from categories you selected on the CATEGORIES tab. Don't forget the cardinal rule of custom rules: every SID must be unique! Make sure you pick a starting SID number that does not conflict with any existing SIDs from other enabled rules.

tsame · May 13, 2019, 11:38 AM

Thanks! It is working now.