Netgate Discussion Forum

    Snort not starting with simple custom rule

    pfSense Packages
    • godtor

      Hello,

      I have installed Snort. After the installation all was OK and Snort started without any problems, so I tried to add a simple custom rule: alert icmp any any -> any any (msg: "ICMP Packet found";)

      After adding this rule, Snort will not start anymore. In the system log there is only: php-fpm[50464]: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN…

      Any help would be appreciated, thanks.

      • BBcan177 Moderator

        Missing some parts of the rule. Ensure you use a SID number that is not used. Keeping it in the 9000000's should be safe; also, you can change the classtype to any other existing classtype as you wish…

        alert icmp any any -> any any (msg: "ICMP Packet found"; classtype:attempted-recon; sid:9000001; rev:1;)

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/
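
Added example, not part of the original posts or of the Snort package: a small Python linter that checks custom rules for the problem in this thread before they are saved. It assumes Snort 2.x rule syntax, that `sid` is the mandatory option the first rule lacks, and the Snort convention that local rules use SIDs of 1,000,000 and up; the function names and the third sample rule are constructed here.

```python
LOCAL_SID_MIN = 1_000_000  # assumption: Snort convention, lower SIDs belong to distributed rules

def parse_options(rule):
    """Return {keyword: value} from the (...) option block of one rule line."""
    start, end = rule.find("("), rule.rfind(")")
    body = rule[start + 1:end] if 0 <= start < end else ""
    opts, buf, in_quotes, prev = {}, [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes      # a ';' inside a quoted msg is not a separator
        if ch == ";" and not in_quotes and prev != "\\":
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                opts[key.strip()] = val.strip()
            buf = []
        else:
            buf.append(ch)
        prev = ch
    return opts

def lint_rules(text, used_sids=()):
    """Return [(line_no, problem)] for a block of custom rules."""
    problems, seen = [], set(used_sids)
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                        # skip blanks and comments
        opts = parse_options(line)
        sid = opts.get("sid", "")
        if not sid.isdigit():
            problems.append((line_no, "missing or non-numeric sid"))
        elif int(sid) in seen:
            problems.append((line_no, f"sid {sid} already in use"))
        elif int(sid) < LOCAL_SID_MIN:
            problems.append((line_no, f"sid {sid} is below the local range"))
        if sid.isdigit():
            seen.add(int(sid))
        if "rev" not in opts:
            problems.append((line_no, "no rev option (recommended with sid)"))
    return problems

# The two rules from the thread, followed by a constructed rule that reuses a SID.
SAMPLE = '''alert icmp any any -> any any (msg: "ICMP Packet found";)
alert icmp any any -> any any (msg: "ICMP Packet found"; classtype:attempted-recon; sid:9000001; rev:1;)
alert tcp any any -> any 23 (msg:"constructed example"; sid:9000001; rev:1;)'''

for line_no, problem in lint_rules(SAMPLE):
    print(f"line {line_no}: {problem}")
```

Pass the SIDs already present in the enabled rule sets as `used_sids` so a new custom rule is also checked against them.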

        • godtor

          Thanks for this, now the rule works great :)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.