Netgate Discussion Forum

    Saving Snort custom rules generates error

    pfSense Packages
    2 Posts, 1 Poster, 5.2k Views
      chowtamah

      I wanted to add the Ultrasurf alert rule to the custom rules (through the pfSense interface), which I copied from the Emerging Threats policy rule set:

      #from Rodrigo Montoro(Sp0oKeR). This isn't a hostile app, but may be interesting to know who's using it
      #Rule by SERPRO-Recife Security Team
      #
      alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:3;)

      Snort Version: 2.9.2.3 pkg v. 2.5.1

      I get the following error when I save.

      Snort: LAN Category: custom.rules

      The following input errors were detected:

      Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_28842_em2/rules/custom.rules(1) Rule options must be enclosed in '(' and ')'.

      Sometimes I get this error instead.

      The following input errors were detected:

      Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_28842_em2/rules/custom.rules(9) Invalid configuration line: rev:3;) Search-Method = AC-BNFA-Q

      I tried using the Emerging Threats policy rules, but disabled rules get reset on the rule update every day.
      Please help me.

      Edit:

      I tried to add the alert rule directly to the custom.rules file found at /usr/local/etc/snort/snort_28842_em2/rules/custom.rules. But when I restart the interface, this file is overwritten by whatever we enter in the Snort GUI rule edit page. Even if we leave the custom rules blank in the Snort rules edit page, it will overwrite the manually edited /usr/local/etc/snort/snort_28842_em2/rules/custom.rules file, and Snort stops with the above error.

      Any tricks!?

      2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

      Always trying to learn!!

        chowtamah

        OK, here is how I resolved this issue.

        I created a rule file in the rules folder of the interface and added

        include $RULE_PATH/us.rules

        in the Advanced configuration pass-through. This setup keeps working even when the rules are auto-updated.


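The two messages in the first post are consistent with the pasted rule having been split across several lines in custom.rules: Snort 2.x reports a header line whose options are not closed with "Rule options must be enclosed in '(' and ')'", and each trailing fragment (down to the lone "rev:3;)") is rejected as an "Invalid configuration line". The reply works around the GUI by putting the rule in its own file and pulling it in with an include from the pass-through. The following Python checker is an added example, not code from this thread or from the pfSense Snort package: it reproduces both messages for a wrapped copy of the rule, re-joins the fragments into one line, and then resolves an `include $RULE_PATH/us.rules` line against a constructed rules directory the way the pass-through include would. The wrapped sample, the temporary `us.rules` file, the function names and the line-joining heuristic are all assumptions made for the example; this is a pre-check you can run on rule text before saving, not Snort's own parser.

```python
"""Pre-check Snort 2.x rule text for wrapped rules and resolve $RULE_PATH includes.
Added example (not from the forum thread or the pfSense Snort package)."""
import os
import re
import tempfile

# Snort 2.x rule header: action proto src sport dir dst dport, followed by "(options)".
HEADER_RE = re.compile(
    r'^(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)'
    r'\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+'
)
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

# Constructed sample: the ET rule quoted in the post, wrapped onto six lines
# the way a browser paste can leave it.  Line 1 is a comment, line 2 the header.
SAMPLE_WRAPPED = (
    "# constructed sample: ET POLICY Ultrasurf rule, wrapped onto six lines\n"
    "alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:\"ET POLICY Possible External Ultrasurf Anonymizer DNS Query\";\n"
    "content:\"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|\";\n"
    "threshold:type limit, track by_src,count 1, seconds 60;\n"
    "reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533;\n"
    "rev:3;)\n"
)


def check_rules(text, rule_path=None):
    """Walk rule text line by line as Snort 2.x does.  Returns (errors, rules):
    errors is a list of (lineno, message) using the two messages seen in the
    thread; rules is the list of complete one-line rules.  'include' lines are
    followed when rule_path is given, mirroring the pass-through include."""
    errors, rules = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('include '):
            if rule_path is None:
                errors.append((n, 'include without a RULE_PATH to resolve it'))
                continue
            target = line.split(None, 1)[1].replace('$RULE_PATH', rule_path)
            with open(target) as fh:
                sub_err, sub_rules = check_rules(fh.read(), rule_path)
            errors.extend((n, '%s(%d) %s' % (target, m, msg)) for m, msg in sub_err)
            rules.extend(sub_rules)
        elif HEADER_RE.match(line):
            # The options must open with '(' on the header line and close with ')'.
            if '(' not in line or not line.endswith(')'):
                errors.append((n, "Rule options must be enclosed in '(' and ')'"))
            else:
                rules.append(line)
        else:
            # Anything else standing alone, e.g. a trailing 'rev:3;)' fragment.
            errors.append((n, 'Invalid configuration line: %s' % line))
    return errors, rules


def unwrap(text):
    """Re-join rules that were pasted across several lines (assumed heuristic).
    A header line that does not end in ')' absorbs the following non-blank
    lines until one does.  Fragments are joined with a single space, which is
    harmless inside a |hex| content block but would alter a match inside a
    quoted text string, so always run check_rules on the result."""
    out, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            if not line:
                continue
            buf.append(line)
            if line.endswith(')'):
                out.append(' '.join(buf))
                buf = []
            continue
        if HEADER_RE.match(line) and not line.endswith(')'):
            buf = [line]
        else:
            out.append(line)
    if buf:  # never closed: emit it and let check_rules flag it
        out.append(' '.join(buf))
    return '\n'.join(out) + '\n'


def sids(rules):
    """Extract the sid of each complete rule, for a quick sanity check."""
    return [int(m.group(1)) for r in rules for m in [SID_RE.search(r)] if m]


def demo_include(rule_text):
    """Write rule_text to <tmpdir>/us.rules and check a pass-through style
    'include $RULE_PATH/us.rules' line against it (constructed directory)."""
    with tempfile.TemporaryDirectory() as rule_path:
        with open(os.path.join(rule_path, 'us.rules'), 'w') as fh:
            fh.write(rule_text)
        return check_rules('include $RULE_PATH/us.rules\n', rule_path)


if __name__ == '__main__':
    for n, msg in check_rules(SAMPLE_WRAPPED)[0]:
        print('custom.rules(%d) %s' % (n, msg))
    fixed = unwrap(SAMPLE_WRAPPED)
    print('after unwrap:', check_rules(fixed))
    print('via include:', demo_include(fixed))
```

Run it on the text you are about to paste into the custom rules box: a clean result is one rule per header line and an empty error list. If `unwrap` had to join anything, inspect the joined rule before trusting it, since the checker only knows that a space was inserted, not whether that space landed inside a quoted string.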
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.