Netgate Discussion Forum
    Adding snort rule to suppress list via SSH

    Posted in General pfSense Questions
    willdashwood:

      Hello,

      I know that the recommended way to manage things is via the web GUI, but I prefer using SSH to search for IPs that are blocked. Unless I'm missing something, the web GUI doesn't seem to have the ability to search for IPs on either the alert list or the blocked IP list, so I just use grep

      grep IP /var/log/snort/snort_igb163179/*

      So I'm happy with that but when I find a rule that's been triggered and it's a false positive, it would be handy to be able to suppress that rule via SSH. What's the best way of doing so?

      I can see our suppress list is here:

      /usr/pbi/snort-amd64/etc/snort/snort_63179_igb1/suppwansuppress_5436571eeaef6

      So I could just append the rule ID to that file, but presumably I would need to restart the service for it to take effect, and I'm not even sure how to do that via SSH. Is there a better way?

      Thanks

      Will

      bmeeks:

        @willdashwood: (quoting the post above)

        Sorry, but no better way.  You have the basic mechanics for part of the process down, but your solution will not be satisfactory in the longer term.

        That's because there is one big problem that there is no solution for. The text file you found is recreated each time a SAVE operation occurs within the Snort GUI. It is also recreated each time the rules are updated by the automatic update process. This happens because the GUI calls a custom PHP function within the Snort GUI code called "sync_snort_package_config()". So changing that text file will prove to be very short-lived.

        You can restart Snort easily by executing the rc script and passing it either "stop" and then "start", or just "restart".  The script lives here:

        /usr/local/etc/rc.d/snort.sh

        So something like this after updating that text file you found:

        /usr/local/etc/rc.d/snort.sh restart

        As mentioned above, this is really not a long-term solution.  The actual content of the Suppress List is stored as Base64 data within the config.xml file containing the entire pfSense configuration.  The contents of that data are what actually gets updated during the SAVE operation; then it is decoded and written to the text file you referenced.

        Bill

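The SSH-side workflow the two posts describe, as an added example that is not code from the thread or from the pfSense Snort package: grep the alert log for an IP, pull the gid:sid of the rule that fired, write a Snort suppress directive, append it to the per-interface suppress file Will found, and restart Snort with the rc script from Bill's reply. The alert lines are constructed sample data in Snort alert_fast style; the log directory and suppress file are passed in as arguments rather than hard-coded; the `base64` utility is assumed to be present for reading the config.xml copy Bill mentions. Bill's caveat still applies: the package rewrites that file from config.xml on every GUI save and rule update, so the appended line only lasts until then.

```shell
#!/bin/sh
# Added example, not code from the forum post or the pfSense Snort package.
# Scripts the SSH workflow from the thread: grep alerts for an IP, extract the
# gid:sid of the rule that fired, write a Snort "suppress" directive, append it
# to the suppress-list file, restart Snort via the rc script. Assumptions: the
# alert lines are constructed; paths come in as arguments; base64(1) exists.
# Caveat from the reply: the package regenerates the suppress file from
# config.xml on every GUI save and rule update, so this is only a stopgap.

SNORT_RC=/usr/local/etc/rc.d/snort.sh   # path given in the reply

# Constructed sample alerts (alert_fast style); "[gid:sid:rev]" is what we need.
write_sample_alerts() {
    cat > "$1" <<'EOF'
12/18-10:11:12.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:53211
12/18-10:11:15.654321  [**] [1:2019401:3] ET SCAN Suspicious inbound probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:44321 -> 192.168.1.10:22
12/18-10:12:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.11:41000
EOF
}

# Alert lines in log dir $2 that mention IP $1. -F stops the dots acting as
# regex wildcards and -w stops 10.0.0.5 also matching 10.0.0.50.
alerts_for_ip() {
    grep -Fhw -- "$1" "$2"/* 2>/dev/null || true
}

# Unique gid:sid pairs from alert lines on stdin.
gid_sid_from_alerts() {
    sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):[0-9][0-9]*].*/\1:\2/p' | sort -u
}

# Snort suppress directive for gid:sid $1. With an IP in $2 it suppresses only
# alerts whose *source* is that IP (track by_src); if the IP was the destination
# in the alert you need by_dst instead, or the suppression never matches.
suppress_directive() {
    gid=${1%%:*}
    sid=${1##*:}
    if [ -n "${2:-}" ]; then
        printf 'suppress gen_id %s, sig_id %s, track by_src, ip %s\n' "$gid" "$sid" "$2"
    else
        printf 'suppress gen_id %s, sig_id %s\n' "$gid" "$sid"
    fi
}

# Append directive $2 to suppress file $1 unless that exact line is already
# present. Returns 0 if added, 1 if it was a duplicate.
append_suppress() {
    if [ -f "$1" ] && grep -Fqx -- "$2" "$1"; then
        return 1
    fi
    printf '%s\n' "$2" >> "$1"
}

# Restart Snort as the reply describes; only does anything on a pfSense box.
restart_snort() {
    if [ -x "$SNORT_RC" ]; then
        "$SNORT_RC" restart
    else
        echo "not on pfSense: would run $SNORT_RC restart" >&2
    fi
}

# config.xml keeps the list Base64-encoded (per the reply); these round-trip a
# file's content so the stored copy can be read or compared. The thread does
# not name the XML element that holds it, so nothing here depends on it.
encode_list() { base64 < "$1" | tr -d '\n'; }
decode_list() { printf '%s' "$1" | base64 -d; }

# Whole workflow: $1 = IP, $2 = log dir, $3 = suppress file. Prints each
# directive it adds and restarts Snort only if something changed.
suppress_ip_alerts() {
    changed=0
    for pair in $(alerts_for_ip "$1" "$2" | gid_sid_from_alerts); do
        line=$(suppress_directive "$pair" "$1")
        if append_suppress "$3" "$line"; then
            echo "added: $line"
            changed=1
        fi
    done
    [ "$changed" -eq 1 ] && restart_snort
    return 0
}

# On the box: sh snort_supp.sh --run <ip> /var/log/snort/snort_igb163179 <suppress file>
if [ "${1:-}" = "--run" ]; then
    suppress_ip_alerts "$2" "$3" "$4"
fi
```

On the firewall itself the suppress file argument would be the path Will posted (`/usr/pbi/snort-amd64/etc/snort/snort_63179_igb1/suppwansuppress_5436571eeaef6`). Using `track by_src` keyed on the searched IP keeps the suppression narrow; a bare `suppress gen_id, sig_id` line silences the rule for every host, which is rarely what a single false positive justifies.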
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.