Saving Snort custom rules generates error



  • I wanted to add an Ultrasurf alert rule to the custom rules (through the pfSense interface), which I copied from the Emerging Threats policy rule:

    
    #from Rodrigo Montoro(Sp0oKeR). This isn't a hostile app, but may be interesting to know who's using it
    #Rule by SERPRO-Recife Security Team
    #
    alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:3;)
    
    

    Snort Version: 2.9.2.3 pkg v. 2.5.1

    I get the following error when I save.

    
    Snort: LAN Category: custom.rules
    
    The following input errors were detected:
    
    Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_28842_em2/rules/custom.rules(1) Rule options must be enclosed in '(' and ')'.
    
    

    Sometimes, I get this error.

    
    The following input errors were detected:
    
    Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_28842_em2/rules/custom.rules(9) Invalid configuration line: rev:3;) Search-Method = AC-BNFA-Q
    
    

    I tried using the Emerging Threats Policy rules, but disabled rules get reset on the rule update every day.
    Please help me.

    Edit:

    I tried to add the alert rule directly to the custom.rules file found at /usr/local/etc/snort/snort_28842_em2/rules/custom.rules. But when I restart the interface, this file is overwritten by whatever we enter in the Snort GUI rule edit page. Even if we leave the custom rules blank in the Snort rules edit page, it will overwrite the manually edited /usr/local/etc/snort/snort_28842_em2/rules/custom.rules file and Snort stops with the above error.

    Any tricks!?
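The second error above reports `rev:3;)` alone on line 9 of custom.rules, which is what a single-line Snort rule looks like once it has been split across lines (for example by an editor or paste that wraps long lines). The checker below is an added example, not code from the thread or from the pfSense Snort package; it reads a Snort 2.x rules file, honours the backslash line continuation Snort accepts, and reports the two conditions behind the posted errors: a rule whose options do not close on the same logical line, and an orphan fragment that is neither a comment, a directive nor a rule. The sample rules are constructed for the example.

```python
import re

# Snort 2.x rule actions that open a rule header (assumption: standard set).
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
HEADER = re.compile(r"^(?:%s)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\("
                    % "|".join(ACTIONS))
DIRECTIVES = ("include ", "var ", "ipvar ", "portvar ", "config ", "preprocessor ")

def join_continuations(text):
    """Join physical lines ending in '\\' into logical lines, as Snort does.
    Returns (first_physical_line_number, logical_line) pairs."""
    logical, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:                                   # file ended on a continuation
        logical.append((start, " ".join(buf)))
    return logical

def check_custom_rules(text):
    """Return [(line_number, message)] for logical lines Snort would reject."""
    problems = []
    for no, line in join_continuations(text):
        s = line.strip()
        if not s or s.startswith("#") or s.startswith(DIRECTIVES):
            continue                          # blank, comment or directive: fine
        if HEADER.match(s):
            if not s.endswith(")"):           # options never closed on this line
                problems.append((no, "rule options must be enclosed in '(' and ')'"))
            continue
        # Anything else is a fragment of a rule that was wrapped onto a new line
        problems.append((no, "invalid configuration line: " + s[:40]))
    return problems

# Constructed sample: the ET policy rule on one line, then the same rule wrapped.
RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible '
        'External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00|"; '
        'threshold:type limit, track by_src,count 1, seconds 60; '
        'classtype:policy-violation; sid:2008533; rev:3;)')
GOOD = "# one rule per line\n" + RULE + "\n"
BAD = "# wrapped by an editor\n" + RULE.replace("classtype:", "\nclasstype:") + "\n"
CONTINUED = "# backslash continuation is accepted\n" + RULE.replace("classtype:", "\\\nclasstype:") + "\n"
```

Run it against a copy of custom.rules to see which physical line first breaks; when the GUI text box is the source, the fix is to keep each rule on one line or end the wrapped line with a backslash.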



  • OK, here is how I resolved this issue.

    I created a rule file in the rules folder of the interface and added

    
    include $RULE_PATH/us.rules
    
    

    in the Advanced configuration pass-through. This setup is working even when the rules are auto-updated.
