Large custom rules file
-
We have an 8MB set of rules provided by our XDR vendor. We've been using the custom rules option to add these into our Suricata config but this leads to a large entry in the config.xml which then causes issues for some of the parts of pfsense that need to parse the config file. Recently it has stopped us seeing pfsense upgrades. Is there a way that we can add a custom rule file instead of pasting all the rules in?
Is the only option to add them as extra rules with a url? I suppose I could give a file:// url to that if needed.These rules also use extra address-groups and port-groups. Is there a way I can add those into the config at all?
Cheers,
Graham -
Use the option for custom rules URLs on the GLOBAL SETTINGS tab. You will need some kind of local host for the rules tarball. A simple NGINX web server on a virtual machine is perfect for that.
You could use a local script on the web server to build a
tar.gzrules tarball from your custom rules file.Currently the GUI package does not support adding custom address or port variables to the configuration.
-
@bmeeks Thanks.
Do you think an option to add custom addresses and port variables would be considered useful? I could look at contributing a change if so. -
@Graham-Collinson said in Large custom rules file:
@bmeeks Thanks.
Do you think an option to add custom addresses and port variables would be considered useful? I could look at contributing a change if so.Yes, I think that could prove useful to some users. You can find the official GitHub repo here: https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-suricata.
The two files that would need modifying are
/usr/local/www/suricata/suricata_define_vars.phpand/usr/local/pkg/suricata/suricata_generate_yaml.php. -
@bmeeks
I've had a go at adding custom variables, PR: https://github.com/pfsense/FreeBSD-ports/pull/1380
