Adding rules through putty

  • Hello all,

    I'd like to add rules via putty.  For example, I'd like to add a rule that blocks Drop Box.  I navigate to here:

    [2.1-RELEASE][root@fw1.fw.local]/usr/pbi/snort-i386/etc/snort: ls (shows the following)

    classification.config                      snort.conf
    community-rules.tar.gz.md5          snort.conf_031414
    emerging.rules.tar.gz.md5            snort_10271_em0_vlan100                              snort_12938_pppoe0
    preproc_rules                              snort_49044_em1_vlan300
    reference.config                            snortrules-snapshot-2955.tar.gz.md5
    rules                                          threshold.conf

    I thought snort.conf is what I needed it is not.  Rules cannot be edited.  Where do I add rules?

    Thanks in advance.

  • You could just change permission on the rules file but it is my limited understanding that most of the pfSense config comes from the GUI and whatever is saved in the GUI's XML files. So even if you manually save rules in your snort.conf then next time you load up your snort gui page the changes you made from a terminal won't be reflected in the GUI and if/when you save your GUI page it will overwrite your terminal changes.

    At least, I'm fairly sure that's how it works for most packages. bmeeks can probably confirm/deny if that's how snort works. In other words, editing pfSense config from a terminal is generally not a good way to go about it unless you're specifically aware it will work for a particular file or package.

  • Moderator

    Do not edit rules from the Command Line. You can severely break pfSense if you make a mistake. All Snort Rule changes should be made from the Web GUI.

    (Change the WAN to LAN depending what you are trying to achieve)

    Step 1-
    Snort:WAN Interface EDIT:WAN Categories and make sure that ET Policy has a checkbox. If not select and restart the interface.

    Step 2-
    Snort:WAN Interface EDIT:WAN Rules (Select ET Policy Category)

    CTRL-F (search for dropbox to enable the rules that are already defined)

    And enable/disable the rules this way.

    If you want to create a local rule, you would enter the rule

    Snort:WAN Interface EDIT:WAN Rules - Custom.rules

Log in to reply