Adding snort rule to suppress list via SSH



  • Hello,

    I know that the recommend way to manage things is via the web gui but I prefer using SSH for search for IP that are blocked. Unless I'm missing something, the web gui doesn't seem to have the ability to search for IPs on either the alert list or block IP list so I just use grep

    grep IP /var/log/snort/snort_igb163179/*

    So I'm happy with that but when I find a rule that's been triggered and it's a false positive, it would be handy to be able to suppress that rule via SSH. What's the best way of doing so?

    I can see our suppress list is here:

    /usr/pbi/snort-amd64/etc/snort/snort_63179_igb1/suppwansuppress_5436571eeaef6

    So I could just append the rule ID to that file but presumably I would need to restart the service for it to take affect and I'm not even sure how to do that via SSH. Is there a better way?

    Thanks

    Will



  • @willdashwood:

    Hello,

    I know that the recommend way to manage things is via the web gui but I prefer using SSH for search for IP that are blocked. Unless I'm missing something, the web gui doesn't seem to have the ability to search for IPs on either the alert list or block IP list so I just use grep

    grep IP /var/log/snort/snort_igb163179/*

    So I'm happy with that but when I find a rule that's been triggered and it's a false positive, it would be handy to be able to suppress that rule via SSH. What's the best way of doing so?

    I can see our suppress list is here:

    /usr/pbi/snort-amd64/etc/snort/snort_63179_igb1/suppwansuppress_5436571eeaef6

    So I could just append the rule ID to that file but presumably I would need to restart the service for it to take affect and I'm not even sure how to do that via SSH. Is there a better way?

    Thanks

    Will

    Sorry, but no better way.  You have the basic mechanics for part of the process down, but your solution will not be satisfactory in the longer term.

    That's because there is one big problem there is no solution for.  The text file you found is recreated each time a SAVE operation occurs within the Snort GUI.  It is also recreated each time the rules are updated by the automatic update process.  This occurs by the GUI calling a custom PHP function within the Snort GUI code called "sync_snort_package_config()".  So changing that text file will prove to be very short-lived.

    You can restart Snort easily by executing the rc script and passing it either "stop" and then "start", or just "restart".  The script lives here:

    
    /usr/local/etc/rc.d/snort.sh
    
    

    So something like this after updating that text file you found:

    
    /usr/local/etc/rc.d/snort.sh restart
    
    

    As mentioned above, this is really not a long-term solution.  The actual content of the Suppress List is stored as Base64 data within the config.xml file containing the entire pfSense configuration.  The contents of that data is what gets actually updated during the SAVE operation, then it is decoded and written to the text file you referenced.

    Bill


Log in to reply