Snort SID Management Syntax
-
I use Snort with inline blocking, and IPS with Snort/Talos rules, which specify block actions. I would also like to use some ET categories, like ET DROP, but they only specify Alert actions. Despite the Snort UI suggesting otherwise, those do not cause blocking in Inline mode. I believe that I should use SID Mgmt to convert the required ET category rule sets to have the Drop action. I cannot find any documentation on the syntax of the entries in the SID Mods List files besides a forum post suggesting listing every single gid:sid, which is not workable due to their regular updates.
Can someone explain the allowed syntax, especially if it could be applied to a whole category, such as emerging-drop.rules etc?
Thank you,
Rafal -
There are example SID Mgmt configuration files on the SID MGMT tab that you can open and look through. To see them, click the box on the tab to enable SID MGMT and then open the dropsid.conf file to see several examples of allowed syntax. You can select rules by GID:SID, Category Name, and even use regex for more advanced matches.
If you want to change an entire category's action from the default ALERT to DROP, you can do that by simply entering the name of the category in dropsid.conf. I suggest creating your own dropsid.conf and refrain from editing the existing sample file.
There is also a Sticky Post at the top of this subforum explaining how to use the SID MGMT feature. That same process works for both Snort and Suricata. There is also quite a bit of how-to information in this Sticky Post: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions.
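As an added example that is not part of this thread or of the pfSense Snort package: a small Python script that does, offline, what a dropsid list asks the package to do at rule-update time, rewriting the action of every selected rule from alert to drop. It assumes the pulledpork-style list syntax the sample files illustrate (a bare GID:SID, an inclusive GID:SID-GID:SID range, a category file name such as emerging-drop.rules, and pcre: followed by a regex matched against the rule text); the package's own matching code was not consulted, so treat the exact semantics as an assumption. The rule lines and the dropsid list below are constructed for illustration, not real ET content.

```python
"""Apply a pulledpork-style dropsid list to Snort rules (illustrative, not the package's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample rule files keyed by category file name. NOT real ET rules;
# messages and sids are made up for illustration.
RULE_FILES: Dict[str, List[str]] = {
    "emerging-drop.rules": [
        'alert ip [192.0.2.0/24] any -> $HOME_NET any (msg:"ET DROP Sample Listed Traffic Inbound group 1"; classtype:misc-attack; sid:2400000; rev:1;)',
        'alert ip $HOME_NET any -> [192.0.2.0/24] any (msg:"ET DROP Sample Listed Traffic Outbound group 1"; classtype:misc-attack; sid:2400001; rev:1;)',
    ],
    "emerging-scan.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Sample SSH scan"; classtype:attempted-recon; sid:2001219; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Sample RDP scan"; classtype:attempted-recon; sid:2001220; rev:1;)',
        '# alert tcp any any -> any any (msg:"ET SCAN Sample disabled rule"; sid:2001221; rev:1;)',
    ],
}

# Constructed dropsid list in the assumed pulledpork-style syntax:
# category file name, GID:SID, inclusive GID:SID range, pcre:<regex>.
DROPSID_CONF = """
# Whole category: every enabled rule in this file gets the drop action
emerging-drop.rules
# One rule by GID:SID
1:2001219
# An inclusive GID:SID range (no sample rule falls in it; shown for syntax)
1:2001300-1:2001399
# Regex matched against the full rule text
pcre:RDP scan
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
ALERT_RE = re.compile(r"^alert\b")


@dataclass
class DropList:
    categories: Set[str] = field(default_factory=set)
    ids: Set[Tuple[int, int]] = field(default_factory=set)
    ranges: List[Tuple[Tuple[int, int], Tuple[int, int]]] = field(default_factory=list)
    regexes: List["re.Pattern"] = field(default_factory=list)


def _gid_sid(token: str) -> Tuple[int, int]:
    gid, sid = token.split(":")
    return int(gid), int(sid)


def parse_dropsid(text: str) -> DropList:
    dl = DropList()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("pcre:"):  # test first: a regex may itself contain '-' or ':'
            dl.regexes.append(re.compile(line[len("pcre:"):]))
        elif line.endswith(".rules"):
            dl.categories.add(line)
        elif "-" in line:
            lo, hi = line.split("-", 1)
            dl.ranges.append((_gid_sid(lo), _gid_sid(hi)))
        else:
            dl.ids.add(_gid_sid(line))
    return dl


def rule_ids(rule: str):
    """Return (gid, sid) of a rule, gid defaulting to 1 when absent; None if no sid."""
    m = SID_RE.search(rule)
    if not m:
        return None
    g = GID_RE.search(rule)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def selected(filename: str, rule: str, dl: DropList) -> bool:
    if filename in dl.categories:
        return True
    ids = rule_ids(rule)
    if ids is not None and (ids in dl.ids or any(lo <= ids <= hi for lo, hi in dl.ranges)):
        return True
    return any(rx.search(rule) for rx in dl.regexes)


def apply_dropsid(rule_files: Dict[str, List[str]], conf_text: str):
    """Return (rewritten rule files, number of rules changed to drop)."""
    dl = parse_dropsid(conf_text)
    out, changed = {}, 0
    for fname, rules in rule_files.items():
        new_rules = []
        for rule in rules:
            # Only live "alert" rules are rewritten; a commented-out (disabled)
            # rule must stay disabled rather than be re-enabled as drop.
            if ALERT_RE.match(rule) and selected(fname, rule, dl):
                new_rules.append("drop" + rule[len("alert"):])
                changed += 1
            else:
                new_rules.append(rule)
        out[fname] = new_rules
    return out, changed


if __name__ == "__main__":
    files, n = apply_dropsid(RULE_FILES, DROPSID_CONF)
    print(f"{n} rules changed to drop")
    for fname, rules in files.items():
        for r in rules:
            print(fname, "->", r.split(" (", 1)[0])
```

The category and pcre selectors are what make this workable across rule updates: they match on the file name or rule text rather than on sids that change from release to release, which is the OP's concern. Disabled (commented-out) rules are deliberately left alone, since turning a rule the vendor disabled into a drop rule would be a silent policy change.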
-
@bmeeks Thank you, Bill. I cannot see dropsid.conf in the UI, see screenshot. Am I on the correct page/menu? I am using pfSense+ 25.11.1.

-
@Rafal-Lukawiecki: yes, that’s the correct tab. Not sure why the sample files are missing. Should be 4 of them if I recall correctly.
Use the Edit File function under the DIAGNOSTICS menu in pfSense and browse to /var/db/snort and see if they show up there.
-
FWIW they are there for me on 25.11.1 even after a reboot with RAM Disks enabled.
-
The physical files themselves (the sample SID Management Configuration files) are installed with the Snort package into /var/db/snort. Then, if it's a first-time green field installation, the contents of those sample files are migrated into the config.xml file of the firewall as Base64 encoded text by the post-installation script and stored there from then on.
If they are not showing for the OP, then my best guess is that they were somehow accidentally deleted. The GUI will allow them to be deleted.