Adding rules through putty
-
Hello all,
I'd like to add rules via putty. For example, I'd like to add a rule that blocks Dropbox. I navigate to here:
[2.1-RELEASE][root@fw1.fw.local]/usr/pbi/snort-i386/etc/snort: ls (shows the following)
classification.config snort.conf
community-rules.tar.gz.md5 snort.conf_031414
emerging.rules.tar.gz.md5 snort_10271_em0_vlan100
gen-msg.map snort_12938_pppoe0
preproc_rules snort_49044_em1_vlan300
reference.config snortrules-snapshot-2955.tar.gz.md5
rules threshold.conf
signatures unicode.map
I thought snort.conf was what I needed, but it is not. Rules cannot be edited. Where do I add rules?
Thanks in advance.
-
You could just change permission on the rules file but it is my limited understanding that most of the pfSense config comes from the GUI and whatever is saved in the GUI's XML files. So even if you manually save rules in your snort.conf then next time you load up your snort gui page the changes you made from a terminal won't be reflected in the GUI and if/when you save your GUI page it will overwrite your terminal changes.
At least, I'm fairly sure that's how it works for most packages. bmeeks can probably confirm/deny if that's how snort works. In other words, editing pfSense config from a terminal is generally not a good way to go about it unless you're specifically aware it will work for a particular file or package.
-
Do not edit rules from the Command Line. You can severely break pfSense if you make a mistake. All Snort Rule changes should be made from the Web GUI.
(Change the WAN to LAN depending what you are trying to achieve)
Step 1-
Snort:WAN Interface EDIT:WAN Categories and make sure that ET Policy has a checkbox. If not, select it and restart the interface.
Step 2-
Snort:WAN Interface EDIT:WAN Rules (Select ET Policy Category)
CTRL-F (search for dropbox to enable the rules that are already defined)
And enable/disable the rules this way.
If you want to create a local rule, you would enter the rule under
Snort:WAN Interface EDIT:WAN Rules - Custom.rules
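As an added example (not from this thread, and not code from the pfSense Snort package), here is a small Python linter for the lines one would paste into the Custom.rules tab. It parses the Snort rule header and option list and flags local rules whose sid is below 1,000,000, the range Snort reserves for locally written rules, so a custom rule does not collide with a sid from the downloaded ET or Snort VRT rule sets. The rule text, sid values and msg strings below are constructed for illustration; the option parser is deliberately simple and splits on ";", which is enough for rules whose content strings contain no semicolons.

```python
import re

# Constructed sample of a Custom.rules file. The sids, msg text and the
# "dropbox.com" content match are illustrative assumptions, not a tested ET rule.
CUSTOM_RULES = """\
# local rules (constructed example)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL dropbox.com in TLS client hello"; flow:to_server,established; content:"dropbox.com"; nocase; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL rule with a bad sid"; content:"example"; sid:42; rev:1;)
"""

# Snort reserves sids >= 1,000,000 for locally written rules.
LOCAL_SID_MIN = 1000000

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Return a dict of header fields plus an 'options' dict, or None if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        # Options look like name:value or bare flags such as "nocase".
        name, _, value = opt.partition(":")
        opts[name.strip()] = value.strip().strip('"')
    rule["options"] = opts
    return rule


def check_rule(rule):
    """Return a list of problems a local rule should not have before it goes into Custom.rules."""
    problems = []
    opts = rule["options"]
    if "msg" not in opts:
        problems.append("missing msg")
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append(f"sid {sid} is below {LOCAL_SID_MIN}; use the local range to avoid colliding with downloaded rule sets")
    if "rev" not in opts:
        problems.append("missing rev")
    return problems


def lint_custom_rules(text):
    """Lint every non-comment line; returns (line_number, sid or None, [problems]) per rule."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        rule = parse_rule(stripped)
        if rule is None:
            results.append((lineno, None, ["unparseable rule header"]))
            continue
        results.append((lineno, rule["options"].get("sid"), check_rule(rule)))
    return results


if __name__ == "__main__":
    for lineno, sid, problems in lint_custom_rules(CUSTOM_RULES):
        status = "ok" if not problems else "; ".join(problems)
        print(f"line {lineno} sid={sid}: {status}")
```

Run it against a file saved from the Custom.rules tab (or paste the rules into CUSTOM_RULES) before enabling the interface; a rule that fails the header regex is the kind that makes Snort refuse to start, which in pfSense shows up as the interface not coming up after a restart.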