error when adding custom snort rule

markus_muehleisen · Dec 5, 2024, 1:47 PM

Hello to all,

I hope this is the right place to ask my question - if not, plesase tell me where the question has to be posted.

Situation:
I try to add a rule to pfsense / snort in order to monitore smtp communication trials from intern to wan. To do this I tried to add this custom rule to the relevant wan network interface in snort:

alert tcp 10.0.0.0/8 ![10.0.0.0/8] any -> 192.168.101.0 [25,465,587] (msg:"Verbindungsversuch zu externem SMTP-Server via Telekom1"; sid:100000; classtype:attempted-recon; priority:2; )

When I click save I get this error message:

The following input errors were detected:

Custom rules have errors: Fatal Error, Quitting..>> ^

Question:
what am I doing wrong here?

Thanks for any hint.
Markus

bmeeks · Dec 5, 2024, 2:37 PM

Your rule has a syntax error. I believe this is an invalid address specification:

10.0.0.0/8 ![10.0.0.0/8]

And you should post questions related to the IDS/IPS packages (Snort and Suricata) in the IDS/IPS sub-forum here: https://forum.netgate.com/category/53/ids-ips.