Netgate Discussion Forum

Editing snort rules

pfSense Packages
40 Posts 6 Posters 14.5k Views
    yoda715
    last edited by Nov 27, 2006, 11:06 AM

    Coming soon to a pfsense near you…. easily editable snort rules :). Well, not right away, but sometime this week hopefully :). Have a few more things to work out and testing. Wanted to post a pic for all to see. Let me know of any suggestions you have or questions.
    [Attachment: snort_rules2.JPG]

      hoba
      last edited by Nov 27, 2006, 11:18 AM

      Great! This is something a lot of people will need to fine-tune their snort rules. I already had a problem where only one rule of a ruleset was hyperactive, and it's so much easier to enable/disable rules this way than to manually hack the rule files.

      Btw, how does that work with the snort rules update? Does a ruleupdate enable the complete ruleset again?

        yoda715
        last edited by Nov 27, 2006, 11:22 AM

        Yes, unfortunately snort will lose all settings when you update. In the future I might see if it will be possible to store all edited/disabled rules into a config file, and then use that to remember the user changes when a rule update is completed.

        I think it will be doable, it will just take some more time. I definitely want it to eventually remember the changes as well.

          hoba
          last edited by Nov 27, 2006, 11:27 AM

          You would need to do some kind of diff between the old and the new rulesets to detect what rules were added and then add the old disable/enable information to the new file I guess.

          Or maybe even better: Only add the diffs of the new rulefile to the old one? This way the old information should stay intact.

            yoda715
            last edited by Nov 27, 2006, 11:31 AM

            @hoba:

            You would need to do some kind of diff between the old and the new rulesets to detect what rules were added and then add the old disable/enable information to the new file I guess.

            Or maybe even better: Only add the diffs of the new rulefile to the old one? This way the old information should stay intact.

            Yep. All this would be so much easier if the rules were in a database, and not in text files  >:(

              yoda715
              last edited by Nov 28, 2006, 9:27 AM Nov 28, 2006, 6:38 AM

              I need some input. I'm working on how the rules will be edited right now. I am looking for opinions on how this should be done.

              What I had in mind was opening a small popup window that would allow the user to edit the source, source port, destination, and the destination port. Also in this popup I plan on displaying, but not let it be editable, the content of the signature, and the other goodies.

              My question is: are the majority ok with a small popup? Or should it work similar to editing the firewall rules (i.e. no popup).

              See below

                hoba
                last edited by Nov 28, 2006, 11:05 AM

                I would prefer not to have popups and to have it similar to the firewall edit screen.

                  unforeseen
                  last edited by Nov 28, 2006, 2:24 PM

                  @hoba:

                  I would prefer not to have popups and to have it similar to the firewall edit screen.

                  I would agree…BTW, thanks for taking this on! I'm sure there are many users that will find this useful.

                    yoda715
                    last edited by Nov 28, 2006, 5:51 PM

                    Ok will do.

                      yoda715
                      last edited by Nov 29, 2006, 5:54 PM

                      Alright. I'm done with the code. Anyone want to tell me how I get signed up for CVS to upload files? :)

                        sullrich
                        last edited by Nov 29, 2006, 6:24 PM

                        It doesn't work that way.  We want to see the code first, then one of the developers has to "sponsor" you.

                          yoda715
                          last edited by Nov 29, 2006, 6:43 PM

                          Understandable. Who wants to take a look at it?

                            hoba
                            last edited by Nov 29, 2006, 7:36 PM

                            Attach your changes here as diffs against the latest versions of the files that you changed.

                              sullrich
                              last edited by Nov 29, 2006, 8:50 PM

                              If you like, email the new files to sullrich@gmail.com

                                yoda715
                                last edited by Nov 29, 2006, 8:56 PM

                                Alright, emailing is easier than providing diffs :). Sending them right now.

                                2 new files, and 6 modified under the snort package.

                                  sullrich
                                  last edited by Nov 29, 2006, 8:58 PM

                                  Well, I still want diffs of the "existing" files ;)

                                    yoda715
                                    last edited by Nov 29, 2006, 9:04 PM

                                    OK, what program do you use for the diffs? I use ExamDiff.

                                      sullrich
                                      last edited by Nov 29, 2006, 9:15 PM

                                      Unified diffs are what I seek. Almost any diff program should do this.

                                        sullrich
                                        last edited by Nov 29, 2006, 9:16 PM

                                        Also, how are you dealing with the rule updates? Are you storing the rules that the user does not want and removing them again after the update?

                                          yoda715
                                          last edited by Nov 29, 2006, 9:25 PM Nov 29, 2006, 9:21 PM

                                          I haven't addressed the rule update problem yet. Honestly, that's a mind-boggling challenge. I'm not sure how soon I can have that done.

                                          Actually any suggestions on how to proceed with that would be appreciated :).

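One way to carry the enable/disable state across a rule update, which is the problem hoba, yoda715 and sullrich discuss above: key the saved state on each rule's `sid` rather than on the line text or its position in the file, then re-comment the matching rules in the freshly downloaded file and report any saved sid that no longer exists upstream. This is an added Python example, not code from the pfSense snort package; the rule lines and sids are constructed.

```python
import re

# Constructed sample data: the same rule file before and after an upstream
# update.  In the old copy the admin had disabled sids 1000001 and 1000002
# by commenting them out, the way the package GUI described above does.
OLD_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test A"; content:"foo"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test B"; content:"bar"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS test C"; content:"baz"; sid:1000003; rev:1;)
"""
# The update changed rule A (rev:2, new content), dropped rule B and added rule D.
NEW_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test A"; content:"foo|0a|"; sid:1000001; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"DNS test C"; content:"baz"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test D"; content:"qux"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_sid(line):
    """sid of a rule line, commented out or not; None for non-rule lines."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None

def disabled_sids(text):
    """Collect the sids the admin disabled, i.e. rule lines starting with '#'.
    This set is what would be persisted to the package config before an update."""
    return {rule_sid(l) for l in text.splitlines()
            if l.lstrip().startswith("#") and rule_sid(l) is not None}

def reapply_disables(text, disabled):
    """Comment out rules in the freshly downloaded file whose sid is in
    `disabled`.  Matching on sid survives a changed rev/content and a moved
    line.  Returns (new_text, stale): stale holds saved sids that no longer
    exist upstream, so the saved list can be pruned or shown to the admin."""
    seen, out = set(), []
    for line in text.splitlines():
        sid = rule_sid(line)
        if sid in disabled and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
        if sid is not None:
            seen.add(sid)
    return "\n".join(out) + "\n", disabled - seen

if __name__ == "__main__":
    saved = disabled_sids(OLD_RULES)
    merged, stale = reapply_disables(NEW_RULES, saved)
    print(merged)
    print("saved sids no longer upstream:", sorted(stale))
```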