Netgate Discussion Forum

Saving Snort custom rules generates error

pfSense Packages
  • C
    chowtamah
    last edited by Sep 13, 2012, 7:20 AM Sep 13, 2012, 5:04 AM

    I wanted to add an Ultrasurf alert rule to the custom rules (through the pfSense interface), which I copied from the emerging policy rule:

    
    #from Rodrigo Montoro(Sp0oKeR). This isn't a hostile app, but may be interesting to know who's using it
    #Rule by SERPRO-Recife Security Team
    #
    alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:3;)
    
    

    Snort Version: 2.9.2.3 pkg v. 2.5.1

    I get the following error when I save.

    
    Snort: LAN Category: custom.rules
    
    The following input errors were detected:
    
    Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_28842_em2/rules/custom.rules(1) Rule options must be enclosed in '(' and ')'.
    
    

    Sometimes I get this error.

    
    The following input errors were detected:
    
    Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_28842_em2/rules/custom.rules(9) Invalid configuration line: rev:3;) Search-Method = AC-BNFA-Q
    
    

    I tried using the Emerging Threats policy rule, but disabled rules get reset on rule update every day.
    Please help me.

    Edit:

    I tried to add the alert rule directly to the custom.rules file found at /usr/local/etc/snort/snort_28842_em2/rules/custom.rules. But when I restart the interface, this file is overwritten by whatever we enter in the Snort GUI rule edit page. Even if we leave the custom rules blank in the Snort rules edit page, it will overwrite the manually edited /usr/local/etc/snort/snort_28842_em2/rules/custom.rules file and Snort stops with the above error.

    Any tricks!?

    2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

    Always trying to learn!!

    • C
      chowtamah
      last edited by Sep 18, 2012, 5:26 AM

      OK, I resolved this issue.

      I created a rule file in the rules folder of the interface and added

      
      include $RULE_PATH/us.rules
      
      

      in the Advanced configuration pass-through. This setup is working even when the rules are auto-updated.

      2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

      Always trying to learn!!
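
Added example (not part of the original posts, and not pfSense or Snort code): a small pre-save check for a rules file that flags any line that is not a complete single-line rule, comment or directive. It assumes, which the thread does not confirm, that the rule text reached custom.rules broken across lines; `WRAPPED`, `logical_lines` and `lint_rules` are names made up for this sketch.

```python
import re

# Snort 2.x rule actions: a rule line starts with one of these.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# Partial list of non-rule keywords that may legally start a line.
DIRECTIVES = {"include", "var", "ipvar", "portvar", "config", "preprocessor", "output"}

# The rule quoted in the first post, on a single line.
RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible '
        'External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 '
        '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, '
        'track by_src,count 1, seconds 60; '
        'reference:url,doc.emergingthreats.net/2008533; '
        'classtype:policy-violation; sid:2008533; rev:3;)')
# Constructed input: the same rule broken onto three physical lines.
WRAPPED = RULE.replace(" (", "\n(").replace(" rev:", "\nrev:")

def logical_lines(text):
    """Yield (first_line_no, line), joining trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def lint_rules(text):
    """Return [(line_no, problem)] for lines that are not complete rules."""
    problems = []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]
        if word in ACTIONS:
            if "(" not in line or not line.endswith(")"):
                problems.append((no, "rule options not enclosed in '(' and ')'"))
            elif not re.search(r"\bsid\s*:\s*\d+\s*;", line):
                problems.append((no, "rule has no sid"))
        elif word not in DIRECTIVES:
            problems.append((no, "not a rule, comment or known directive"))
    return problems
```

Snort's own test mode (`snort -T -c <path to snort.conf>`) remains the authoritative check; this lint only reports which physical line to look at before saving.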
