Netgate Discussion Forum

    Snort command

    pfSense Packages
      ToxIcon

      SNORT.ORG RULES
      EMERGINGTHREATS.NET RULES

      Does anyone have a command that would let me enable all source rules on the WAN interface that's $EXTERNAL_NET and disable all
      source rules on WAN that's $HOME_NET?

      And do the opposite on the VLAN: enable all source $HOME_NET rules on the VLAN interface and disable all
      source $EXTERNAL_NET rules on the VLAN interface.

      Thank you

        bmeeks

        @ToxIcon:

        SNORT.ORG RULES
        EMERGINGTHREATS.NET RULES

        Does anyone have a command that would let me enable all source rules on the WAN interface that's $EXTERNAL_NET and disable all
        source rules on WAN that's $HOME_NET?

        And do the opposite on the VLAN: enable all source $HOME_NET rules on the VLAN interface and disable all
        source $EXTERNAL_NET rules on the VLAN interface.

        Thank you

        Sorry, but the current GUI is just not set up to support that.  You can, if you wish, do this manually by using a regex in an editor such as vi or your favorite editor.  Your best choice is to edit the enforcing rules file.  You can let Snort build the enforcing rules file, and then manually edit that file.  For 2.0.3 pfSense, the correct path is /usr/local/etc/snort/snort_xxxx/rules/snort.rules.  The "xxxx" will be a UUID and then the physical NIC name.

        After editing the file and saving it, you would need to manually start Snort (or restart it) from the command line as follows:

        /usr/local/etc/rc.d/snort.sh start (or restart)
        

        The problem with this approach is that every automatic rule update, or any change in enabled rules or preprocessors by you, results in a fresh build of the snort.rules file.  This will overwrite your manual changes.  You could perhaps script some hacks to work around this, but I'm curious as to why you want to modify Snort rules in this manner?  What you want to do seems highly unusual.

        Bill
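
The regex edit of the enforcing rules file described in the reply above, as an added example that is not part of the thread or of the pfSense Snort package: a POSIX shell function (using awk) that enables rules whose source field is one variable and comments out rules whose source is the other. It assumes one rule per line and that a disabled rule is the same line prefixed with `#`; `filter_by_source` and `sample_rules` are names made up here, and the sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# Usage: filter_by_source KEEP_SRC DROP_SRC < snort.rules > snort.rules.new
#   WAN:  filter_by_source '$EXTERNAL_NET' '$HOME_NET'
#   VLAN: filter_by_source '$HOME_NET' '$EXTERNAL_NET'
# Assumption: one rule per line; a disabled rule is the rule prefixed with "#".
filter_by_source() {
    awk -v keep="$1" -v drop="$2" '
    {
        body = $0
        sub(/^[ \t#]+/, "", body)              # rule text without leading "#" or blanks
        n = split(body, f, /[ \t]+/)
        # Header: action proto src_ip src_port direction dst_ip dst_port (options)
        is_rule = (n >= 7 && (f[5] == "->" || f[5] == "<>") &&
                   f[1] ~ /^(alert|log|pass|drop|reject|sdrop)$/)
        if (!is_rule)          print $0        # comments and blank lines: untouched
        else if (f[3] == keep) print body      # source is KEEP_SRC: enable
        else if (f[3] == drop) print "# " body # source is DROP_SRC: disable
        else                   print $0        # any, lists, negations: untouched
    }'
}

# Constructed sample input (not real rules from either rule set).
sample_rules() {
    cat <<'EOF'
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed inbound"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed inbound, disabled"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"constructed outbound"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"constructed any-source"; sid:1000004; rev:1;)
EOF
}

# WAN-style pass over the sample: the $HOME_NET-sourced rule ends up commented out.
sample_rules | filter_by_source '$EXTERNAL_NET' '$HOME_NET'
```

The function writes to standard output, so the original file is untouched until you replace it. Because snort.rules is rebuilt on every rule update or settings change, the filter has to be run again on the rebuilt file before Snort is restarted.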

          ToxIcon

          Snort on pfSense 2.1

          Can you provide me with an example script that would apply the changes to the enforcing rules file after each automatic rule update, or any change in enabled rules or preprocessors?

          Thanks

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.