Editing snort rules



  • Coming soon to a pfsense near you…. easily editable snort rules :). Well, not right away, but sometime this week hopefully :). Have a few more things to work out and testing. Wanted to post a pic for all to see. Let me know of any suggestions you have or questions.




  • Great! This is something a lot of people will need to fine-tune their snort rules. I already had a problem where only one rule of a ruleset was hyperactive and it's so much easier to enable/disable rules this way than manually hack the rulefiles.

    Btw, how does that work with the snort rules update? Does a ruleupdate enable the complete ruleset again?



  • Yes, unfortunately snort will lose all settings when you update. In the future I might see if it will be possible to store all edited/disabled rules into a config file, and then use that to remember the user changes when a rule update is completed.

    I think it will be doable, it will just take some more time. I definitely want it to eventually remember the changes as well.



  • You would need to do some kind of diff between the old and the new rulesets to detect what rules were added and then add the old disable/enable information to the new file I guess.

    Or maybe even better: Only add the diffs of the new rulefile to the old one? This way the old information should stay intact.



  • @hoba:

    You would need to do some kind of diff between the old and the new rulesets to detect what rules were added and then add the old disable/enable information to the new file I guess.

    Or maybe even better: Only add the diffs of the new rulefile to the old one? This way the old information should stay intact.

    Yep. All this would be so much easier if the rules were in a database, and not in text files  >:(



  • I need some input. I'm working on how the rules will be edited right now. I am looking for opinions on how this should be done.

    What I had in mind was opening a small popup window that would allow the user to edit the source, source port, destination, and the destination port. Also in this popup I plan on displaying, but not let it be editable, the content of the signature, and the other goodies.

    My question is: are the majority ok with a small popup? Or should it work similar to editing the firewall rules (i.e. no popup).

    See below



  • I would prefer to not have popups and to have it similar to the firewall edit screen.



  • @hoba:

    I would prefer to not have popups and to have it similar to the firewall edit screen.

    I would agree…BTW, thanks for taking this on! I'm sure there are many users that will find this useful.



  • Ok will do.



  • Alright. I'm done with the code. Anyone want to tell me how I get signed up for CVS to upload files? :)



  • It doesn't work that way.  We want to see the code first, then one of the developers has to "sponsor" you.



  • Understandable, Who wants to take a look at it?



  • Attach your changes as diffs against the latest versions of the files that you changed here.



  • If you like, email the new files to sullrich@gmail.com



  • Alright, emailing is easier than providing diffs :). Sending them right now.

    2 new files, and 6 modified under the snort package.



  • Well, I still want diffs of the "existing" files ;)



  • Ok, what program do you use for the diffs? I use Examdiff



  • Unified diffs are what I seek.  Almost any diff program should do this.



  • Also, how are you dealing with the rule updates?  Are you storing the rules that the user does not want and removing them again after update?



  • I haven't addressed the rule update problem yet. Honestly, that's a mind boggling challenge. I'm not sure how soon I can have that done.

    Actually any suggestions on how to proceed with that would be appreciated :).



  • That is easy.

    You just want to store the rule description.  If the rule does not have a description then that rule cannot be saved.  Then split all the rule descriptions up and separate with || or something similar.  Then you just read the config value and do something like:

    $disabled_rule_descs = explode("||", $config['installedpackages']['snortrules']['disabled_rule_descs']);

    Then you do a striarray(I think that's the function) to check if a rule description is in the item as you traverse the files and write them back out after updating the rules.  Of course this means you'll have to hook into the update code and insert your processing code after the update process is finished.



  • Yea I had thought about that. That only applies to new rules though.

    The logic I keep running into problems with is, how do you decide if I should keep an old rule that has been updated? Should I update with the new rule and overwrite the changes made, or keep the old rule?



  • You are basically always overwriting rules I would guess.  I am not taking into consideration the editing of rules.

    Let me chew on that, you're right, the logic will be somewhat different.



  • Yea, it's a tricky thing, hence why I haven't gotten to it yet ;).

    Email is coming with the files and diffs. Sorry for flooding your inbox, I got trigger happy and hit the wrong folder  >:(.



  • @sullrich:

    You are basically always overwriting rules I would guess.  I am not taking into consideration the editing of rules.

    Let me chew on that, you're right, the logic will be somewhat different.

    This is the only solution that I can see to this problem:

    1. If a user clicks update rules, the rules will be downloaded. All new rules will be inserted automatically. Any rules that are being changed, either in the current rule set or the new rule set, will bring up a new webpage. On this new webpage the user will be able to view his current rule, and the new rule in question. They will then be able to decide which rule to keep, the new rule, or the current rule.

    2. If autoupdate rules is checked, it will do the same thing and just prompt the user to review the rules in question at a later time.

    I think this option works best because it gives the user the ability to examine the new rule and see if anything important changed.

    What do you guys think?

    If I can ever get snort to run properly, I can start working on this.



  • I would prefer something like an option for the update process: "add and enable new rules automatically on updates" or "add new rules and disable them on updates". This way you don't have to revisit rules always when there was an update.



  • @hoba:

    I would prefer something like an option for the update process: "add and enable new rules automatically on updates" or "add new rules and disable them on updates". This way you don't have to revisit rules always when there was an update.

    I think you misunderstood the question. I was referring to existing rules, in the current installed ruleset on pfsense, that have been modified in the new ruleset the user is downloading. For example:

    Let's say that a default rule installed on pfsense looks like: alert tcp any 80 any any Blah Blah Blah

    Now let's say the user has modified that rule later on to look like: alert tcp $Home_Net 80 any any blah blah blah

    Now let's say that snort has modified that same rule in the new ruleset to: alert udp $any 80 any any blah blah blah

    The way things are now, the user's changes are going to be overwritten. Also, there is no way that pfsense can decide which of the two rules to keep. The one that the user modified, or the new one that is being downloaded. What I am suggesting that we do is give the user a choice, and be able to see the changes, before they are overwritten.

    My thoughts are this. Not every pfsense user is going to be modifying their snort rules. In this case, downloading all rules and automatically overwriting will be ok. But, if the user has modified rules, they are going to want to be notified before their changes are overwritten. Hence why I am suggesting this solution.
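    As an added illustration (not pfSense's or the snort package's own code, which is PHP), the Python sketch below puts together the two ideas from this thread: the earlier suggestion to persist the descriptions (msg) of disabled rules as one "||"-joined config string and re-apply them after the update has written the new files, and the proposal here to flag a rule that both the user and the new ruleset changed for review instead of silently overwriting either side. The "add new rules enabled or disabled on update" option from hoba's reply is included as a flag. The three rules files, the rule texts and the names BASELINE, CURRENT, NEW and merge_update are all constructed for this example.

```python
import re

MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
ACTIONS = ('alert', 'log', 'pass', 'drop', 'reject', 'sdrop')

# Constructed sample rules files (not real Snort signatures).
# BASELINE: the rules as originally shipped, before any user edits.
BASELINE = """\
alert tcp any 80 -> any any (msg:"WEB sample one"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH sample two"; sid:1000002; rev:1;)
alert tcp any any -> any 21 (msg:"FTP sample three"; sid:1000003; rev:1;)
"""
# CURRENT: the user's working copy; rule one edited, rule three disabled.
CURRENT = """\
alert tcp $HOME_NET 80 -> any any (msg:"WEB sample one"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH sample two"; sid:1000002; rev:1;)
# alert tcp any any -> any 21 (msg:"FTP sample three"; sid:1000003; rev:1;)
"""
# NEW: the freshly downloaded ruleset; upstream changed one and two, added four.
NEW = """\
alert udp any 80 -> any any (msg:"WEB sample one"; sid:1000001; rev:2;)
alert tcp any any -> any 22 (msg:"SSH sample two"; sid:1000002; rev:2; flow:to_server;)
alert tcp any any -> any 21 (msg:"FTP sample three"; sid:1000003; rev:1;)
alert tcp any any -> any 23 (msg:"TELNET sample four"; sid:1000004; rev:1;)
"""


def parse_rules(text):
    """Map rule description (msg) -> (enabled, rule_body).
    A rule commented out with '#' counts as disabled; ordinary comments and
    rules without a msg are skipped, since there is nothing to key on."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith('#')
        body = line.lstrip('#').strip()
        if not body.startswith(ACTIONS):
            continue
        m = MSG_RE.search(body)
        if m:
            rules[m.group(1)] = (enabled, body)
    return rules


def disabled_descs_to_config(rules):
    """Serialise the disabled descriptions as one '||'-joined config string."""
    return '||'.join(sorted(d for d, (on, _) in rules.items() if not on))


def disabled_descs_from_config(value):
    return set(value.split('||')) if value else set()


def merge_update(baseline, current, new, disabled_descs, enable_new=True):
    """Produce the post-update file text plus a review list.
    A rule that both the user and upstream changed is written as the user's
    version and listed in conflicts so the user can pick one later; a rule
    only the user changed keeps the user's version; anything else takes the
    downloaded text. Disabled state is re-applied from the config string."""
    out, conflicts = [], []
    for desc, (_, new_body) in new.items():
        body = new_body
        if desc in current:
            cur_body = current[desc][1]
            base_body = baseline.get(desc, (True, cur_body))[1]
            user_edited = cur_body != base_body
            upstream_changed = new_body != base_body
            if user_edited and upstream_changed and cur_body != new_body:
                conflicts.append((desc, cur_body, new_body))
                body = cur_body
            elif user_edited:
                body = cur_body
        if desc in disabled_descs:
            enabled = False
        elif desc not in current:
            enabled = enable_new      # brand-new rule: honour the update option
        else:
            enabled = True
        out.append(body if enabled else '# ' + body)
    return '\n'.join(out) + '\n', conflicts


def run_example(enable_new=True):
    base, cur, new = parse_rules(BASELINE), parse_rules(CURRENT), parse_rules(NEW)
    cfg = disabled_descs_to_config(cur)        # what would be stored in the config
    return merge_update(base, cur, new, disabled_descs_from_config(cfg), enable_new)


if __name__ == '__main__':
    merged, conflicts = run_example()
    print(merged)
    for desc, mine, theirs in conflicts:
        print('REVIEW:', desc, '\n  current:', mine, '\n  new:    ', theirs)
```

    Keying on the description follows the thread; Snort's sid option is a stabler key if descriptions get reworded upstream, and the same logic applies unchanged with sid in place of msg.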



  • Ok, if this conflict check is only applied against rules that the user customized I agree  :)



  • @hoba:

    Attach your changes as diffs against the latest versions of the files that you changed here.

    I guess Scott is real busy to be working on this right now, so here are the files along with the diffs in case someone else can merge them.

    For those of you who wish to try this out, simply install the .php files into your /usr/local/www folder and the .xml files to the /usr/local/pkg folder. Let me know if you have any troubles.

    This file is a zip file, rename it to .zip and extract.

    I have not had a chance to address the issue regarding saving changes made. I will get to that though, will probably be after Christmas though.



  • Please make sure that you are on the latest snort files and then send me all the new files in their entirety and I will overwrite the files in CVS with these.  I am quite busy on a major project (failover DNS) but can get these files committed.



  • Everyone, the files have been committed. If you reinstall the snort package it will install the necessary files.



  • Do I need to be running one of the more recent snapshots?

    I'm getting 404 - Not Found when I browse to http://192.168.1.2/snort_rules.php



  • No, the snort package isn't downloading the files properly. Working on it right now.



  • I sent the corrected file to Scott. Soon as he gets them committed everything should be good to go.

    Sorry for the confusion



  • Alright, everything should be good to go. Reinstall package and it will download the new files.

    FYI, if you edit any rules, they will not take effect until snort is reloaded. Right now I don't have the pages reloading snort, but I am working on that. For now, once you've edited the rules you want to, just click save under Snort Categories or settings and that will reload the rules.



  • Yep, reinstalled and looking good

    Great work sdale :)



  • Very nice job!!!!

    In the SNORT rules tab under category what is the purpose of the drop down box. If I select a different rule in the drop down nothing happens. If I go to SNORT categories tab and select a rule to view, it then goes to the rules tab and it lists it in the drop down box with the rules displayed. Does this occur for anyone else?



  • When you change the drop down menu, it should refresh with the ruleset you selected. It's working for me.



  • @ColdFusion:

    Very nice job!!!!

    In the SNORT rules tab under category what is the purpose of the drop down box. If I select a different rule in the drop down nothing happens. If I go to SNORT categories tab and select a rule to view, it then goes to the rules tab and it lists it in the drop down box with the rules displayed. Does this occur for anyone else?

    Bah, let me guess, you're still using IE? ;) Looks like IE doesn't handle the refresh properly. I'll take a look into it.



  • Well, it's an IE thing... seems to work fine in Firefox.

