Snort command
-
SNORT.ORG RULES
EMERGINGTHREATS.NET RULESDo any one have a command that would let me enable all Source rules on the Wan Interface that's $EXTERNAL_NET and disable all
Source rules on Wan that's $HOME_NETAnd do the opposite on the Vlan enable all Source $HOME_NET on the Vlans Interface and disable all
Source $EXTERNAL_NET rules on Vlan InterfaceThank you
-
SNORT.ORG RULES
EMERGINGTHREATS.NET RULESDo any one have a command that would let me enable all Source rules on the Wan Interface that's $EXTERNAL_NET and disable all
Source rules on Wan that's $HOME_NETAnd do the opposite on the Vlan enable all Source $HOME_NET on the Vlans Interface and disable all
Source $EXTERNAL_NET rules on Vlan InterfaceThank you
Sorry, but the current GUI is just not set up to support that. You can, if you wish, do this manually by using a regex in an editor such as vi or your favorite editor. Your best choice is to edit the enforcing rules file. You can let Snort build the enforcing rules file, and then manually edit that file. For 2.0.3 pfSense, the correct path is /usr/local/etc/snort/snort_xxxx/rules/snort.rules. The "xxxx" will be a UUID and then the physical NIC name.
After editing the file and saving it, you would need to manually start Snort (or restart it) from the command line as follows:
/usr/local/etc/rc.d/snort.sh start (or restart)The problem with this approach is that every automatic rule update, or any change in enabled rules or preprocessors by you, results in a fresh build of the snort.rules file. This will overwrite your manual changes. You could perhaps script some hacks to work around this, but I'm curious as to why you want to modify Snort rules in this manner? What you want to do seems highly unusual.
Bill
-
snort on pfSense 2.1
can you provide me with an example script that would apply the changes to the enforcing rules file after each automatic rule update, or any change in enabled rules preprocessors.
thanks
