    custom rule does not seem to work

    IDS/IPS
    8 Posts 2 Posters 1.1k Views
    • Translating-IT

      Hi,

      I'm quite new to Snort and got stuck with writing custom rules. I use Snort on my pfSense firewall combined with pfBlockerNG. I want to block every attempt to reach .php pages on my server and have this rule, but it does not seem to catch any user looking for php pages on my site. All requests go through and are found in the log files of the server, but none in the log files of pfSense.

      reject tcp $EXTERNAL_NET any -> any [80,8080,443] (content:"php"; http_uri; nocase; fast_pattern:only; sid:1000001; msg:"Schwachstellen php";)

      I added the rule under Snort Interfaces > Interface > Interface Rules (Category custom.rules) AND saved the list.

      Did I miss something?

      Another strange thing is that every time I save that list my interface gets stopped and I need to restart it manually. Is that standard behaviour?

      Best regards,
      Pascal

      • bmeeks

        If Snort is stopping when attempting to add the custom rule, then most likely it is not liking something in the syntax of your rule. Check the pfSense system log for details. I suspect you will find Snort complaining about a rule there.

        Sounds like your custom rule is not actually loading.

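The advice above is to look for Snort's complaint in the pfSense system log. The following is an added example, not code from the thread or from the pfSense Snort package: it picks Snort's rule-load errors out of syslog-style lines so the failing rule file and line number can be read off directly. The log lines are constructed for the example; their wording is modelled on Snort's `ERROR:` / `FATAL ERROR:` messages and the `snort_EXAMPLE` directory is a placeholder, not a real path.

```python
"""Added example (not part of the thread): extract Snort rule-loading errors
from pfSense system log lines."""
import re

# Constructed sample log in pfSense syslog style. The Snort messages imitate
# snort's ERROR / FATAL ERROR output but are not copied from a real system;
# snort_EXAMPLE stands in for the per-interface directory name.
SAMPLE_LOG = """\
Jan 12 10:14:01 pfSense php-fpm[33241]: /snort/snort_interfaces.php: [Snort] Restarting Snort on WAN...
Jan 12 10:14:02 pfSense snort[55120]: Initializing rule chains...
Jan 12 10:14:02 pfSense snort[55120]: FATAL ERROR: /usr/local/etc/snort/snort_EXAMPLE/rules/snort.rules(4812) => Each rule must contain a Rule-sid.
Jan 12 10:14:03 pfSense kernel: em0: link state changed to UP
Jan 12 10:14:05 pfSense snort[55120]: ERROR: /usr/local/etc/snort/snort_EXAMPLE/rules/snort.rules(4813) => Unknown rule option: 'http_url'.
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "ERROR: /path/file.rules(LINE) => reason"  (the "=>" is optional)
ERR_RE = re.compile(
    r"^(?P<level>FATAL ERROR|ERROR): (?P<file>\S+?)\((?P<line>\d+)\)\s*(?:=>)?\s*(?P<reason>.*)$"
)


def snort_rule_errors(log_text):
    """Return one dict per rule-load error that the snort process reported."""
    found = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("prog") != "snort":
            continue                      # other daemons, or lines without a pid
        e = ERR_RE.match(m.group("msg"))
        if not e:
            continue                      # ordinary snort progress messages
        found.append({
            "time": m.group("ts"),
            "pid": int(m.group("pid")),
            "level": e.group("level"),
            "file": e.group("file"),
            "line": int(e.group("line")),
            "reason": e.group("reason").rstrip("."),
        })
    return found


if __name__ == "__main__":
    for err in snort_rule_errors(SAMPLE_LOG):
        print(f'{err["level"]}: {err["file"]} line {err["line"]}: {err["reason"]}')
```

The file and line number in the error point into the rules file Snort actually loaded, which is where to look for the custom rule that did not parse.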
        • Translating-IT

          Hi @bmeeks,

          under what tab in system logs? I got pfsense installed by our hoster and am still learning the ropes. ;)

          Br,
          Pascal

          • bmeeks @Translating-IT

            @translating-it said in custom rule does not seem to work:

            Hi @bmeeks,

            under what tab in system logs? I got pfsense installed by our hoster and am still learning the ropes. ;)

            Br,
            Pascal

            From the pfSense menu, choose STATUS > SYSTEM LOGS and then the General and System tabs. Depending on how much stuff is getting logged on the system, you may have to scroll around to find the Snort entries.

            It may not be liking the REJECT action. I can't recall if "active response" is enabled in the package now or not.

            • Translating-IT @bmeeks

              @bmeeks

              Hi,
              Thanks, there I found that some preset rules caused the interface to fail loading when saving.

              Stupid me … reject was not the problem. I had added some pass IPs a few days ago, before adding custom rules, and had not realized I set them for External Net instead of Pass List. oO

              Now most of my rules work, but there is some strange behaviour. The above rule catches most calls for php URLs, but strangely enough it lets through calls for these URLs:

              /admin/jQuery-File-Upload/server/php/index.php (different rules looking for /admin/ and php respectively)
              /ysqladmin/scripts/setup.php
              /phpMyAdmin/scripts/setup.php (different rules looking for /phpMyAdmin/ and php respectively)

              Furthermore, I have a rule to block URL calls with .env in them (e.g. /.env) by looking for .env.

              Same for

              /_profiler/phpinfo (looking for _profiler)

              /genre/yuri/ (looking for /genre/)

              /0bef (looking for /0bef)

              But they all go through.

              Do I need to refine the rules further?

              Br,
              Pascal

              • bmeeks

                You should obtain packet captures of the traffic supposedly matching the rules that are not triggering and examine the raw data. Perhaps some of the URLs are being encoded to escape certain kinds of characters. Although your examples don't contain any spaces, in an actual URL, the space character would be escaped as %20 and slashes can be escaped as %2F.

                The composition of the $EXTERNAL_NET and $HOME_NET variables is also key when they are used in a rule. I've seen users make incorrect assumptions about what is in those variables and how their content influences whether a rule is triggered or not by specific traffic flows.

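The two points in this reply, percent-encoding in the URI and the contents of `$EXTERNAL_NET` / `$HOME_NET`, can both be seen with a small simulation. The block below is an added example, not code from the thread or from Snort: it evaluates the header and the `content:"php"; http_uri; nocase;` part of the rule quoted at the top of the thread against a few constructed flows. The variable values (`192.0.2.0/24` as HOME_NET, EXTERNAL_NET as its negation) are assumptions for the example, not the poster's configuration; Snort's `http_uri` buffer holds the normalized URI, so the check decodes percent-escapes first and a `normalized=False` switch shows what a match on the raw bytes would see.

```python
"""Added example (not from the thread): simulate the header match and the
http_uri content check of a rule like
  reject tcp $EXTERNAL_NET any -> any [80,8080,443] (content:"php"; http_uri; nocase; ...)
for a few flows, with the network variables made explicit."""
import ipaddress
from urllib.parse import unquote

# Network variables as an example pfSense Snort setup might define them.
# Constructed values: assumptions for this example, not a real configuration.
VARS = {
    "HOME_NET": ["192.0.2.0/24"],        # the protected server's network
    "EXTERNAL_NET": ["!$HOME_NET"],      # everything that is not HOME_NET
}

# The parts of the rule this simulation understands.
RULE = {"proto": "tcp", "src": "$EXTERNAL_NET", "dports": {80, 8080, 443},
        "content": "php", "nocase": True}


def _entry_matches(entry, addr):
    """One variable entry: a CIDR/IP literal or a reference to another variable."""
    if entry.startswith("$"):
        return _var_matches(entry[1:], addr)
    return addr in ipaddress.ip_network(entry, strict=False)


def _var_matches(name, addr):
    """An address matches a variable when it is inside some positive entry (or the
    variable has only negated entries) and inside none of the negated entries."""
    positives = [e for e in VARS[name] if not e.startswith("!")]
    negatives = [e[1:] for e in VARS[name] if e.startswith("!")]
    if any(_entry_matches(e, addr) for e in negatives):
        return False
    return not positives or any(_entry_matches(e, addr) for e in positives)


def var_matches(name, ip):
    return _var_matches(name, ipaddress.ip_address(ip))


def header_matches(flow):
    """Protocol, source variable and destination port list of the rule header."""
    return (flow["proto"] == RULE["proto"]
            and var_matches(RULE["src"][1:], flow["src"])
            and flow["dport"] in RULE["dports"])


def uri_matches(raw_uri, normalized=True):
    """Content check against the URI. With normalized=True percent-escapes are
    decoded first (what the http_uri buffer holds); normalized=False shows
    what a match on the raw bytes would see."""
    uri = unquote(raw_uri) if normalized else raw_uri
    pattern = RULE["content"]
    if RULE["nocase"]:
        uri, pattern = uri.lower(), pattern.lower()
    return pattern in uri


def evaluate(flow):
    """Which parts of the rule a flow satisfies; both must be True for an alert."""
    return {"header": header_matches(flow), "uri": uri_matches(flow["uri"])}


if __name__ == "__main__":
    # Constructed flows: an outside client, an inside client, and an odd port.
    for flow in (
        {"proto": "tcp", "src": "203.0.113.5", "dport": 443, "uri": "/phpMyAdmin/scripts/setup.php"},
        {"proto": "tcp", "src": "192.0.2.20", "dport": 443, "uri": "/admin/index.php"},
        {"proto": "tcp", "src": "203.0.113.5", "dport": 8443, "uri": "/index.%70hp"},
    ):
        print(flow["src"], flow["dport"], flow["uri"], evaluate(flow))
```

The second flow never alerts even though its URI contains `php`, because the source is inside HOME_NET and therefore outside EXTERNAL_NET; the third fails on the port list alone. Changing the VARS entries to match a real setup shows quickly whether a flow that "should" alert is being excluded by the header rather than by the content check.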
                • Translating-IT @bmeeks

                  @bmeeks
                  How do I get this capture? I only see an option for packets that generate an alert, but not for those which don't generate one.

                  • bmeeks @Translating-IT

                    @translating-it said in custom rule does not seem to work:

                    @bmeeks
                    How do I get this capture? I only see an option for packets that generate an alert, but not for those which don't generate one.

                    You don't do the captures in Snort. You do those in pfSense itself under DIAGNOSTICS > PACKET CAPTURE.

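Once a capture has been taken and downloaded as a pcap file, the thing to examine is the raw request line each client actually sent, before any decoding. The block below is an added example, not code from the thread or from pfSense: it builds a tiny pcap in memory (Ethernet/IPv4/TCP frames with dummy MAC addresses, sequence numbers and zero checksums, all constructed for the example) and then parses it back to list the raw HTTP request lines, so the same parser can be pointed at a real capture file. Only little-endian Ethernet pcaps are handled; that is an assumption made to keep the parser short.

```python
"""Added example (not part of the thread): build a small pcap and extract the
raw HTTP request lines from it, as one would when checking a capture taken
under DIAGNOSTICS > PACKET CAPTURE against a Snort content rule."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian, microsecond timestamps
DLT_EN10MB = 1               # Ethernet link type


def _ipv4_header(src, dst, payload_len):
    # Minimal IPv4 header with a zero checksum (fine for a parser that ignores it).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_pcap(requests):
    """Return pcap bytes with one frame per (src, dst, dport, payload) tuple.
    Constructed test data: MACs, sequence numbers and checksums are dummies."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    ts = 1700000000
    for i, (src, dst, dport, payload) in enumerate(requests):
        data = payload.encode()
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        frame = b"\x02" * 12 + b"\x08\x00" + _ipv4_header(src, dst, len(tcp) + len(data)) + tcp + data
        out.append(struct.pack("<IIII", ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def http_request_lines(pcap):
    """Return (src, dst, dport, request_line) for every TCP payload that starts
    like an HTTP request. The request line is left exactly as captured."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    link, = struct.unpack_from("<I", pcap, 20)
    if link != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    results, off = [], 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                                  # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        first = payload.split(b"\r\n", 1)[0]
        if first.startswith((b"GET ", b"POST ", b"HEAD ")):
            results.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                            dport, first.decode("latin-1")))
    return results


# Constructed capture: two HTTP requests (one with a percent-encoded URI) and
# one non-HTTP payload that the parser should skip.
SAMPLE = build_pcap([
    ("203.0.113.5", "192.0.2.10", 80, "GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("203.0.113.7", "192.0.2.10", 8080, "GET /index.%70hp HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("203.0.113.9", "192.0.2.10", 80, "\x16\x03\x01\x00\x05hello"),
])


def raw_uris(pcap=SAMPLE):
    """Just the request targets, as sent on the wire."""
    return [line.split(" ")[1] for (_, _, _, line) in http_request_lines(pcap)]


if __name__ == "__main__":
    for src, dst, dport, line in http_request_lines(SAMPLE):
        print(f"{src} -> {dst}:{dport}  {line}")
```

To use it on a downloaded capture, read the file into `pcap` and call `http_request_lines(pcap)`; a URI that appears with `%70hp` or `%2F` in this output is the kind of encoding the reply above suggests looking for.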
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.