Editing snort rules
-
Coming soon to a pfsense near you…. easily editable snort rules :). Well, not right away, but sometime this week hopefully :). Have a few more things to work out and testing. Wanted to post a pic for all to see. Let me know of any suggestions you have or questions.
-
Great! This is something a lot of people will need to finetune their snort rules. I already had a problem where only one rule of a ruleset was hyperactive and it's so much easier to enable/disable rules this way than manually hack the rulefiles.
Btw, how does that work with the snort rules update? Does a ruleupdate enable the complete ruleset again?
-
Yes, unfortunately snort will lose all setings when you update. In the future I might see if it will be possible to store all edited/disabled rules into a config file, and then use that to remember the user changes when a rule update is completed.
I think it will be doable, it will just take some more time. I definitely want it to eventually remember the changes as well.
-
You would need to do some kind of diff between the old and the new rulesets to detect what rules were added and then add the old disable/enable information to the new file I guess.
Or maybe even better: Only add the diffs of the new rulefile to the old one? This way the old information should stay intact.
-
You would need to do some kind of diff between the old and the new rulesets to detect what rules were added and then add the old disable/enable information to the new file I guess.
Or maybe even better: Only add the diffs of the new rulefile to the old one? This way the old information should stay intact.
Yep. All this would be so much easier if the rules were in a database, and not in text files >:(
-
I need some input. I'm working on how the rules will be edited right now. I am looking for opinions on how this should be done.
What I had in mind was opening a small popup window that would allow the user to edit the source, source port, destination, and the destination port. Also in this popup I plan on displaying, but not let it be editable, the content of the signature, and the other goodies.
My question is: are the majority ok with a small popup? Or should it work similar to editing the firewall rules (i.e. no popup).
See below
-
I would prefer to not have popups and to have it similiar like the firewall edit screen.
-
I would prefer to not have popups and to have it similiar like the firewall edit screen.
I would agree…BTW, thanks for taking this on! I'm sure there are many users that will find this useful.
-
Ok will do.
-
Allright. I'm done with the code. Anyone want to tell me how I get signed up for CVS to upload files? :)
-
It doesn't work that way. We want to see the code first, then one of the developers has to "sponsor" you.
-
Understandable, Who wants to take a look at it?
-
Attach your changes as diffs against the latest versions of the the files that you changed here.
-
If you like, email the new files to sullrich@gmail.com
-
Allright, emailing is easier than providing diffs :). Sending them right now.
2 new files, and 6 modified under the snort package.
-
Well, I still want diffs of the "existing" files ;)
-
ok, what program do you use for the diffs? I use Examdiff
-
Unified diffs is what I seek. Almost any diff program should do this.
-
Also, how are you dealing with the rule updates? Are you storing the rules that the user does not want and remove them again after update?
-
I haven't addressed the rule update problem yet. Honestly, that's a mind boggling challenge. I'm not sure how soon I can have that done.
Actually any suggestions on how to proceed with that would be appreciated :).