Snort enable\disable rules



  • Hi

    When I enable or disable concrete rule, it works. But after restart of interface this same rule is getting back to previous state…

    I have tryied to save before turn on and off interface, filter reload, try to change rules on turned on or off interface without success.

    Finally I deleted interfaces and configured from start.

    For me it's a bug...

    My snort version is 2.9.1 pkg v. 2.0
    Pfsense 2.0 x86 with the newest firmware.

    Regards
    Di4



  • Same here, but to me, it worked if I edited rules before enabling interface.

    2.0-RELEASE (amd64)
    built on Tue Sep 13 17:33:40 EDT 2011
    4 gb ram

    snort 2.9.1 pkg v. 2.0
    2 interfaces



  • I noticed the option on the global settings tab "Keep snort settings after deinstall" maybe this might help?



  • Maybe using a Suppress list is the way to go  ;)



  • @sekular:

    I noticed the option on the global settings tab "Keep snort settings after deinstall" maybe this might help?

    Unfortunatelly it's not… :/



  • @RonpfS:

    Maybe using a Suppress list is the way to go  ;)

    It's not exactly what we'd like to achieve. More unecessary rules in memory takes memory of course and cause more work for pfsense.
    Every connection have to be compare to more rules, necessary and unecessary rules…

    Any other suggestions? :)

    Regards
    Di4



  • I agree it is not ideal. For the time being you can disable autoupdate and use pulledpork from another machine to update and tune your rules (fine if you have a big list of sigs to disable done already, takes a while) and then upload them using scp/sftp to your pfsense box. They will thus be tuned before any updates (I think) unless something else aside from the update resets them to their default states.

    This is why I haven't bothered with blocking till I can get them properely tuned and it can mean massive performance increases for snort doing some tuning. Hopefuly someone will have a way to either use oinkmaster/pulledpork remember or have GUi remember your changes



  • @kevross33:

    I agree it is not ideal. For the time being you can disable autoupdate and use pulledpork from another machine to update and tune your rules (fine if you have a big list of sigs to disable done already, takes a while) and then upload them using scp/sftp to your pfsense box. They will thus be tuned before any updates (I think) unless something else aside from the update resets them to their default states.

    This is why I haven't bothered with blocking till I can get them properely tuned and it can mean massive performance increases for snort doing some tuning. Hopefuly someone will have a way to either use oinkmaster/pulledpork remember or have GUi remember your changes

    Are you doing it manually?

    Is that possible to automate that process?

    How do you know what new rules appears in free Sourcefire rules (I can't find that kind of information on Sourcefire website…)?

    Regards
    Di4



  • You can see VRT changes here http://blog.snort.org/, here http://www.snort.org/snort-rules/#rules or here http://www.snort.org/vrt/advisories.xml/

    You can see emergingthreats (open & pro) changes here http://www.emergingthreatspro.com/blog/

    I am not sure about automating it to actually put it on your pfsense. Most sure way may be just to run pulledpork and sftp them over and restart. At least with pulledpork with enable and disable you can disable CVEs (i..e just disable all CVEs before a certain year if you wanted), rulesets etc. So once you go through the rules you can easily run it. It does output only 1 file for each (normal snort rules and shared object rule file) which I can see as being both good but i find it annoying and a  little less refined, especially in tuning as you could just cat an individual rule file or open it and see what is enabled/disabled (presence or lack of # to comment it out) and then make the adjustment where needed in pulledpork.

    Hopefully maintainer of the package will work on the updating so it remembers your changes either from GUI or provides you access to config file for disable, enable rules.


Log in to reply