Saving Snort custom rules generates error
I wanted to add ultrasurf alert rule to custom rules (through pfsense interface), which I copied from emerging policy rule;
#from Rodrigo Montoro(Sp0oKeR). This isn't a hostile app, but may be interesting to know who's using it #Rule by SERPRO-Recife Security Team # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:3;)
Snort Version: 18.104.22.168 pkg v. 2.5.1
I get following error when I save.
Snort: LAN Category: custom.rules The following input errors were detected: Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_28842_em2/rules/custom.rules(1) Rule options must be enclosed in '(' and ')'.
Some time, I get this error.
The following input errors were detected: Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_28842_em2/rules/custom.rules(9) Invalid configuration line: rev:3;) Search-Method = AC-BNFA-Q
I tried using Emerging Threat Policy rule, but disabled rules gets reset on rule update everyday.
Please help me.
I tried to add the alert rule directly to custom.rules file found in the /usr/local/etc/snort/snort_28842_em2/rules/custom.rules. But when I restart the interface, this file is overwritten by whatever we enter in the Snort GUI - rule edit page. Even if we left blank the custom rules in Snort rules edit, it will overwrite manually edited /usr/local/etc/snort/snort_28842_em2/rules/custom.rules file and snort stops with above error.
Ok, Here I resolved this issue.
I created a rule file in rules folder of the interface and added
in Advanced configuration pass through. This setup is working even when the rules are auto updated.