Snort raw rule downloads

  • When the pfSense Snort package downloads rule updates, does it save the raw files (either the tarball it downloads from Snort/ET, or the extracted files from those tarballs) somewhere accessible via SSH?

    I find that sometimes it's easier to grep a rule file for a specific rule to see references, etc. than it is to do so through the web GUI.

  • The entire tarball is not saved (it is downloaded to and extracted in a folder under /tmp and then deleted). However, the individual rules files (category files) extracted from the raw tarball are saved here on the firewall: /usr/pbi/snort-amd64/etc/snort/rules. Change the amd64 to i386 if you have a 32-bit install.
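
Added example, not part of the original thread: a small sh helper for the lookup described in the question, run over SSH against the rules directory named in the answer. The function name `find_rule` and the output layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Rules directory from the answer above (use snort-i386 on a 32-bit install).
RULES_DIR="${RULES_DIR:-/usr/pbi/snort-amd64/etc/snort/rules}"

# find_rule SID [DIR]  (hypothetical helper)
# Prints the category file, enabled/disabled state, msg and every reference
# for the rule with the given SID. Returns 1 if no rule matches.
find_rule() {
    sid="$1"
    dir="${2:-$RULES_DIR}"
    case "$sid" in
        ''|*[!0-9]*)
            echo "usage: find_rule <numeric sid> [rules dir]" >&2
            return 2 ;;
    esac

    # Anchor on "sid:<n>;" so SID 2000001 does not also match 20000011.
    # Commented-out (disabled) rules are matched too.
    matches=$(grep -E -H "[(; ]sid:[[:space:]]*${sid};" "$dir"/*.rules 2>/dev/null) || return 1

    printf '%s\n' "$matches" | while IFS= read -r line; do
        file=${line%%:*}      # grep -H prefixes each hit with "file:"
        rule=${line#*:}
        case "$rule" in
            '#'*) state=disabled ;;
            *)    state=enabled ;;
        esac
        printf '%s (%s)\n' "$file" "$state"
        # The msg option holds the human-readable alert text.
        printf '%s\n' "$rule" |
            sed -n 's/.*msg:[[:space:]]*"\([^"]*\)".*/  msg: \1/p'
        # Rule options are ';'-separated; print one line per reference.
        printf '%s\n' "$rule" | tr ';' '\n' |
            sed -n 's/^[[:space:]]*reference:[[:space:]]*/  reference: /p'
    done
}

# Run directly as: sh find_rule.sh <sid> [rules dir]
if [ "$#" -gt 0 ]; then
    find_rule "$@"
fi
```
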