Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Using only Custome rules

    IDS/IPS
    2
    2
    253
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      w4rh0und
      last edited by

      Hi

      We are currently testing PFSENSE+Suricata only Wan/Lan interfaces
      Since we will have to use it for a specific purpose only, we do not need all the rules
      We just need to create our own custom one for specific ports.

      All rules re currently disabled
      I've added as a test the following rule under the Wan interface

      alert http $EXTERNAL_NET any -> any any (msg:"HTTP Connection";)
      alert icmp any any -> any any (msg: "ICMP Packet found";)

      Once saved only the first rule in the list works, the second one is being ignored.

      Is this normal behavior or is it something wrong in the rules?

      Please advise

      thank you

      NollipfSenseN 1 Reply Last reply Reply Quote 0
      • NollipfSenseN
        NollipfSense @w4rh0und
        last edited by NollipfSense

        @w4rh0und I think it should also be icmp $External_net any -> ... this may help you: https://suricata.readthedocs.io/en/suricata-6.0.0/rule-management/adding-your-own-rules.html

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post