Limit to amount of custom rules in Snort?



  • I recently started working with a client that has been running Snort on a standalone box for a while. They are hoping to ditch the standalone box and start running Snort on a pfSense. Over the years they have accumulated a lot of local/custom rules.

    When I try to add those rules to the custom.rules in the GUI it uploads them and then thinks about things for a minute, then comes back and says "Custom rules validated successfully and any active Snort process on this interface has been signalled to live-load the new rules." but the custom.rules box is blank and I verified in the shell that the custom.rules file for the interface is empty as well.

    Is there a limit to the number of or size of the custom.rules? They are less than 1000, but a little bit of trial and error shows that below 500KB is ok, but above it behaves this way.

    I have only done a little bit of testing, so the size may not be the issue, but that did stand out to me. These rules seem to do fine on the standalone box, so I don't think there are any errors in the rules.

    Any idea what could be going on? Or workarounds for this?



  • Yes, we are limited right now in the number of rules we can paste in the custom tab. Bill is working on a feature that would allow us to add custom rules with a URL, not only by copy-paste; be patient, it will be here very soon.

    F.



  • Thanks looking forward to that feature.

    Are there currently any workarounds? If I copy the file via scp and put it in the proper directory named custom.rules and then stop/start Snort on that interface, will that cause it to load the custom rules and not cause other problems?



  • @pointcheck44:

    Thanks looking forward to that feature.

    Are there currently any workarounds? If I copy the file via scp and put it in the proper directory named custom.rules and then stop/start Snort on that interface, will that cause it to load the custom rules and not cause other problems?

    Unfortunately, if you start/stop Snort from the GUI icons on the Snort Interfaces tab, any custom.rules file you have will be overwritten.  Do it this way instead.

    1.  Pick a name for your custom rules file (different from custom.rules, though).

    2.  Edit the file /usr/local/pkg/snort/snort_conf_template.inc and locate this section of code at the bottom of the file:

    
    # Rules Selection #
    {$selected_rules_sections}
    EOD;
    
    // End of snort.conf template code
    
    

    3.  Add in the complete path and filename of your custom rules file in the location shown below:

    
    # Rules Selection #
    {$selected_rules_sections}
    
    << put your pathname/filename here >>
    
    EOD;
    
    // End of snort.conf template code
    
    

    4.  Save the changes.  You must be sure that you always have your custom file in the place specified with the name specified (even if it is just a zero-length empty file), otherwise Snort will error out and not start.

    You will not be able to view nor edit the contents of the file in the Snort GUI.  This is simply telling the Snort binary to load this file along with the ones specified by other GUI package code.

    Bill



  • @bmeeks:

    Unfortunately, if you start/stop Snort from the GUI icons on the Snort Interfaces tab, any custom.rules file you have will be overwritten.  Do it this way instead.

    ….

    Bill

    Thanks Bill, I will give this a try. This will add the rules from the specified file to all Snort interfaces, correct? Is there a way to only add the rules in the file to one interface?



  • @pointcheck44:

    Thanks Bill, I will give this a try. This will add the rules from the specified file to all Snort interfaces, correct? Is there a way to only add the rules in the file to one interface?

    Oops…you are correct.  I forgot about that :-[.  The file will be added to all interfaces since the template file I showed being modified is used to create the snort.conf for each interface.

    Add this string in front of your filename like so –

    
    # Rules Selection #
    {$selected_rules_sections}
    
    include $RULE_PATH/<< put your filename here >>
    
    EOD;
    
    // End of snort.conf template code
    
    

    You will still need the filename in all the interface directories, but just put a zero-length empty file in the directories where you don't want any custom rules used on that interface.

    Bill



  • Hi Bill,
    I added the line as you suggested, but it looks like it is adding a double slash in the path, which is causing Snort to error.

    I am getting the following error for each Snort interface after making the changes and Snort doesn't run.

    Aug 28 15:58:18	SnortStartup[79071]: Snort START for LAN - Local Network(30786_em1)...
    Aug 28 15:58:18	snort[79368]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_30786_em1//local.rules(0) Unable to open rules file "/usr/pbi/snort-amd64/etc/snort/snort_30786_em1//local.rules": No such file or directory.
    Aug 28 15:58:18	SnortStartup[83572]: Snort START for WAN - Internet(33111_em0)...
    Aug 28 15:58:18	snort[83729]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_33111_em0//local.rules(0) Unable to open rules file "/usr/pbi/snort-amd64/etc/snort/snort_33111_em0//local.rules": No such file or directory.
    Aug 28 15:58:18	SnortStartup[87630]: Snort START for OPT1 - Guest(3657_em2)...
    Aug 28 15:58:19	snort[87660]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_3657_em2//local.rules(0) Unable to open rules file "/usr/pbi/snort-amd64/etc/snort/snort_3657_em2//local.rules": No such file or directory.
    

    The relevant section of /usr/local/pkg/snort/snort_conf_template.inc (and the only part I modified):

    # Rules Selection #
    {$selected_rules_sections}
    
    include $RULE_PATH/local.rules
    
    EOD;
    
    // End of snort.conf template code
    
    ?>
    
    

    And the full path/directory listing of one of the snort interface listed above (all interface directories have a local.rules file):

    [2.2.4-RELEASE][root@pfSense.localdomain]/usr/pbi/snort-amd64/etc/snort/snort_30786_em1/rules: ls -lh
    total 13260
    -rw-r--r--  1 root  wheel   1.2K Aug 28 15:38 custom.rules
    -rw-r--r--  1 root  wheel   327K Aug 28 15:38 flowbit-required.rules
    -rw-r--r--  1 root  wheel     0B Aug 28 15:37 local.rules
    -rw-r--r--  1 root  wheel    13M Aug 28 15:38 snort.rules
    
    

    I have removed the include $RULE_PATH/local.rules from the conf file and am still unable to start Snort, getting the same errors. Not sure what that was all about. It took a few minutes, but now I am able to start Snort without errors, without the local.rules line in the conf.

    Any idea what could be going on or how to fix?


  • Moderator

    Hi pointcheck44,

    It looks like you have 3 Snort Interfaces:
    snort_30786_em1
    snort_33111_em0
    snort_3657_em2

    Take for example the first one:
    /usr/pbi/snort-amd64/etc/snort/snort_30786_em1/rules

    Make sure this folder has at minimum an empty file called local.rules, or add your rules to this particular local.rules to have Snort use your local rules. (Repeat this for the other two interfaces so that each folder has a local.rules file.)

    In the file:
    /usr/local/pkg/snort/snort_conf_template.inc

    You will need to add the following:
    include $RULE_PATH/rules/local.rules

    I think you missed adding "/rules/" to your line.

    There is a double // in the path, but it still seems to work as is. You could probably also use the following and it should work (but I didn't test that myself):
    include $RULE_PATHrules/local.rules



  • BBcan177 is correct.  Do what he suggests and that should fix your problem.  I will double-check on that double backslash thing.  Usually the system ignores the extra backslash, but it shouldn't be there.  Most likely my mistake in the Snort PHP code someplace.  I will track it down and add it to my "fix it" list.

    What is happening when you modify that template file is that whatever you put in there is added to the snort.conf file for every interface you have defined in Snort.  So you must have your local.rules file in all the Snort directories or Snort will bomb on startup and complain that it can't find the file.  That template file is exactly what its name implies – it is the template used to construct the snort.conf for every interface.  It is not interface-specific.  So if you edit it and tell the template a local.rules file exists, it must exist in every Snort interface directory tree.  If you don't want custom rules on some interfaces, just put an empty local.rules file in those interface directories.

    Bill



  • I went ahead and corrected the path in the conf file and Snort runs ok now, but it isn't alerting on anything in the local.rules files.

    I tested a few things I know should alert and they did not. Then I

    I set this as the only rule: alert icmp any any -> any any (msg:"ICMP test"; sid:10005001; rev:001;)

    And pinged a few different sites from various devices, and I am still not seeing any alerts.

    I know you mentioned you were working on building support for this in, so if I just need to sit tight and wait, that's fine; I just wanted to see if I was still missing something.



  • Can you post your snort.conf file for the interface where you want custom rules?  You can blank out IP addresses if you want to.  I need to see the paths and final file names.

    Bill



  • @bmeeks:

    Can you post your snort.conf file for the interface where you want custom rules?  You can blank out IP addresses if you want to.  I need to see the paths and final file names.

    Bill

    Below is my snort.conf for em0, the interface I care about. It looks to me like local.rules is not being added. Do I need to manually do that? Or is adding it to /usr/local/pkg/snort/snort_conf_template.inc supposed to take care of that?

    I checked my other two interfaces and their snort.conf files don't have local.rules either.

    [2.2.4-RELEASE][root@pfSense]/usr/pbi/snort-amd64/etc/snort/snort_33111_em0: cat snort.conf 
    # snort configuration file
    # generated automatically by the pfSense subsystems do not modify manually
    
    # Define Local Network #
    ipvar HOME_NET [xxxx]
    
    # Define Rule Path #
    var RULE_PATH /usr/pbi/snort-amd64/etc/snort/snort_33111_em0/rules
    
    # Define Servers #
    ipvar DNS_SERVERS [$HOME_NET]
    ipvar SMTP_SERVERS [$HOME_NET]
    ipvar HTTP_SERVERS [$HOME_NET]
    ipvar WWW_SERVERS [$HOME_NET]
    ipvar SQL_SERVERS [$HOME_NET]
    ipvar TELNET_SERVERS [$HOME_NET]
    ipvar SNMP_SERVERS [$HOME_NET]
    ipvar FTP_SERVERS [$HOME_NET]
    ipvar SSH_SERVERS [$HOME_NET]
    ipvar POP_SERVERS [$HOME_NET]
    ipvar IMAP_SERVERS [$HOME_NET]
    ipvar SIP_PROXY_IP [$HOME_NET]
    ipvar SIP_SERVERS [$HOME_NET]
    ipvar RPC_SERVERS [$HOME_NET]
    ipvar DNP3_SERVER [$HOME_NET]
    ipvar DNP3_CLIENT [$HOME_NET]
    ipvar MODBUS_SERVER [$HOME_NET]
    ipvar MODBUS_CLIENT [$HOME_NET]
    ipvar ENIP_SERVER [$HOME_NET]
    ipvar ENIP_CLIENT [$HOME_NET]
    ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
    
    # Define Server Ports #
    portvar DNS_PORTS [53]
    portvar SMTP_PORTS [25]
    portvar MAIL_PORTS [25,465,587,691]
    portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712]
    portvar ORACLE_PORTS [1024:]
    portvar MSSQL_PORTS [1433]
    portvar TELNET_PORTS [23]
    portvar SNMP_PORTS [161]
    portvar FTP_PORTS [21,2100,3535]
    portvar SSH_PORTS [22]
    portvar POP2_PORTS [109]
    portvar POP3_PORTS [110]
    portvar IMAP_PORTS [143]
    portvar SIP_PORTS [5060,5061,5600]
    portvar AUTH_PORTS [113]
    portvar FINGER_PORTS [79]
    portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
    portvar SMB_PORTS [139,445]
    portvar NNTP_PORTS [119]
    portvar RLOGIN_PORTS [513]
    portvar RSH_PORTS [514]
    portvar SSL_PORTS [443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920]
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    portvar SHELLCODE_PORTS [!80]
    portvar SUN_RPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
    portvar DCERPC_NCACN_IP_TCP [139,445]
    portvar DCERPC_NCADG_IP_UDP [138,1024:]
    portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
    portvar DCERPC_NCACN_UDP_LONG [135,1024:]
    portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
    portvar DCERPC_NCACN_TCP [2103,2105,2107]
    portvar DCERPC_BRIGHTSTORE [6503,6504]
    portvar DNP3_PORTS [20000]
    portvar MODBUS_PORTS [502]
    portvar GTP_PORTS [2123,2152,3386]
    
    # Configure the snort decoder #
    config checksum_mode: none
    config disable_decode_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_ttcp_alerts
    config disable_tcpopt_alerts
    config disable_ipopt_alerts
    config disable_decode_drops
    
    # Enable the GTP decoder #
    config enable_gtp
    
    # Configure PCRE match limitations
    config pcre_match_limit: 3500
    config pcre_match_limit_recursion: 1500
    
    # Configure the detection engine #
    config detection: search-method ac-bnfa max-pattern-len 20 max_queue_events 5 search-optimize
    config event_queue: max_queue 8 log 5 order_events content_length
    
    # Configure to show year in timestamps
    config show_year
    
    # Configure protocol aware flushing #
    # For more information see README.stream5 #
    config paf_max: 16000
    
    # Configure dynamically loaded libraries
    dynamicpreprocessor directory /usr/pbi/snort-amd64/etc/snort/snort_33111_em0/snort_dynamicpreprocessor
    dynamicengine directory /usr/pbi/snort-amd64/lib/snort_dynamicengine
    dynamicdetection directory /usr/pbi/snort-amd64/lib/snort_dynamicrules
    
    # Inline packet normalization. For more information, see README.normalize
    # Disabled since we do not use "inline" mode with pfSense
    # preprocessor normalize_ip4
    # preprocessor normalize_tcp: ips ecn stream
    # preprocessor normalize_icmp4
    # preprocessor normalize_ip6
    # preprocessor normalize_icmp6
    
    # Flow and stream #
    preprocessor frag3_global: memcap 4194304, max_frags 8192
    
    preprocessor frag3_engine: policy bsd \
    	timeout 60 \
    	min_ttl 1 \
    	detect_anomalies \
    	overlap_limit 0 \
    	min_fragment_length 0
    
    preprocessor stream5_global: \
    	track_tcp yes, \
    	max_tcp 262144, \
    	track_udp yes, \
    	max_udp 131072, \
    	track_icmp no, \
    	memcap 8388608, \
    	prune_log_max 1048576
    
    preprocessor stream5_tcp: policy bsd, \
    	timeout 30, \
    	overlap_limit 0, \
    	max_window 0, \
    	max_queued_bytes 1048576, \
    	max_queued_segs 2621, \
    	ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \
    	             139 143 161 445 513 514 587 593 691 1433 1521 1741 \
    	             2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \
    	             32770 32771 32772 32773 32774 32775 32776 32777 \
    	             32778 32779, \
    	ports both 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \
    	           591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \
    	           1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \
    	           5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \
    	           7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \
    	           7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \
    	           8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \
    	           8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \
    	           9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \
    	           33300 34412 34443 34444 41080 44440 50000 50002 51423 \
    	           55555 56712
    
    preprocessor stream5_udp: timeout 30
    
    # HTTP Inspect #
    preprocessor http_inspect: global \
    	iis_unicode_map unicode.map 1252 \
    	compress_depth 65535 \
    	decompress_depth 65535 \
    	memcap 150994944 \
    	max_gzip_mem 838860
    
    preprocessor http_inspect_server: \
    	server default \
    	profile all \
    	ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 591 593 631 901 1220 1414 1533 1741 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 33300 34412 34443 34444 41080 44440 50000 50002 51423 55555 56712 } \
    	server_flow_depth 65535 \
    	client_flow_depth 1460 \
    	http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    	post_depth -1 \
    	max_headers 0 \
    	max_header_length 0 \
    	max_spaces 0 \
    	enable_cookie \
    	normalize_cookies \
    	normalize_headers \
    	normalize_utf \
    	extended_response_inspection \
    	inspect_gzip \
    	unlimited_decompress \
    	normalize_javascript \
    	max_javascript_whitespaces 200
    
    # Other preprocs #
    preprocessor rpc_decode: \
    	111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 \
    	no_alert_multiple_requests \
    	no_alert_large_fragments \
    	no_alert_incomplete
    
    # Back Orifice preprocessor #
    preprocessor bo
    
    # ftp_telnet preprocessor #
    preprocessor ftp_telnet: global \
    	inspection_type stateful \
    	encrypted_traffic no \
    	check_encrypted
    
    preprocessor ftp_telnet_protocol: telnet \
    	ports { 23 } \
    	normalize \
    	detect_anomalies \
    	ayt_attack_thresh 20
    
    preprocessor ftp_telnet_protocol: ftp server default \
    	def_max_param_len 100 \
    	ports { 21 2100 3535 } \
    	telnet_cmds no \
    	ignore_telnet_erase_cmds yes \
    	ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
    	ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
    	ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
    	ftp_cmds { LPSV MACB MAIL MDTM MFMT MIC MKD MLSD MLST } \
    	ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
    	ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
    	ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
    	ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
    	ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
    	ftp_cmds { XSEN XSHA1 XSHA256 } \
    	alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
    	alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
    	alt_max_param_len 256 { CWD RNTO } \
    	alt_max_param_len 400 { PORT } \
    	alt_max_param_len 512 { MFMT SIZE } \
    	chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
    	chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
    	chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
    	chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
    	chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
    	chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
    	chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ 
    	chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
    	cmd_validity ALLO < int [ char R int ] > \    
    	cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
    	cmd_validity MACB < string > \
    	cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    	cmd_validity MODE < char ASBCZ > \
    	cmd_validity PORT < host_port > \
    	cmd_validity PROT < char CSEP > \
    	cmd_validity STRU < char FRPO [ string ] > \    
    	cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
    
    preprocessor ftp_telnet_protocol: ftp client default \
    	max_resp_len 256 \
    	telnet_cmds no \
    	ignore_telnet_erase_cmds yes \
    	bounce yes
    
    # SMTP preprocessor #
    preprocessor SMTP: \
    	ports { 25 465 587 691 } \
    	inspection_type stateful \
    	normalize cmds \
    	memcap 838860 \
    	max_mime_mem 838860 \
    	valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \
    		     NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \
    		     STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \
    		     XQUEU XSTA XTRN XUSR } \
    	normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \
    			 IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \
    			 ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \
    			 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    	max_header_line_len 1000 \ 
    	max_response_line_len 512 \
    	alt_max_command_line_len 260 { MAIL } \
    	alt_max_command_line_len 300 { RCPT } \
    	alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    	alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    	alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
    	alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
    	alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    	xlink2state { enable } \
    	ignore_tls_data \
    	log_mailfrom \
    	log_rcptto \
    	log_filename \
    	log_email_hdrs \
    	email_hdrs_log_depth 1464 \
    	qp_decode_depth 0 \
    	b64_decode_depth 0 \
    	bitenc_decode_depth 0 \
    	uu_decode_depth 0
    
    # SSL preprocessor #
    preprocessor ssl: \
    	ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, \
    	trustservers, \
    	noinspect_encrypted 
    
    # SIP preprocessor #
    preprocessor sip: \
    	max_sessions 40000, \
    	ports { 5060 5061 5600 }, \
    	methods { invite \
    		  cancel \
    		  ack \
    		  bye \
    		  register \
    		  options \
    		  refer \
    		  subscribe \
    		  update \
    		  join \
    		  info \
    		  message \
    		  notify \
    		  benotify \
    		  do \
    		  qauth \
    		  sprack \
    		  publish \
    		  service \
    		  unsubscribe \
    		  prack }, \
    	max_call_id_len 80, \
    	max_from_len 256, \
    	max_to_len 256, \
    	max_via_len 1024, \
    	max_requestName_len 50, \
    	max_uri_len 512, \
    	ignore_call_channel, \
    	max_content_len 2048, \
    	max_contact_len 512
    
    # SSH preprocessor #
    preprocessor ssh: \
    	server_ports { 22 } \
    	autodetect \
    	max_client_bytes 19600 \
    	max_encrypted_packets 20 \
    	max_server_version_len 100 \
    	enable_respoverflow enable_ssh1crc32 \
    	enable_srvoverflow enable_protomismatch
    
    # sf Portscan #
    preprocessor sfportscan: \
    	scan_type { all } \
    	proto  { all } \
    	memcap { 10000000 } \
    	sense_level { medium } \
    	ignore_scanners { $HOME_NET }
    
    # DCE/RPC 2 #
    preprocessor dcerpc2: \
    	memcap 102400, \
    	events [co]
    
    preprocessor dcerpc2_server: default, \
    	policy WinXP, \
    	detect [smb [139,445], \
    	tcp 135, \
    	udp 135, \
    	rpc-over-http-server 593], \
    	autodetect [tcp 1025:, \
    	udp 1025:, \
    	rpc-over-http-server 1025:], \
    	smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
    
    # DNS preprocessor #
    preprocessor dns: \
    	ports { 53 } \
    	enable_rdata_overflow
    
    # POP preprocessor #
    preprocessor pop: \
    	ports { 110 } \
    	memcap 838860 \
    	qp_decode_depth 0 \
    	b64_decode_depth 0 \
    	bitenc_decode_depth 0 \
    	uu_decode_depth 0
    
    # IMAP preprocessor #
    preprocessor imap: \
    	ports { 143 } \
    	memcap 838860 \
    	qp_decode_depth 0 \
    	b64_decode_depth 0 \
    	bitenc_decode_depth 0 \
    	uu_decode_depth 0
    
    # AppID preprocessor #
    preprocessor appid: \
    	app_detector_dir /usr/pbi/snort-amd64/etc/snort/appid, \
    	memcap 268435456, \
    	app_stats_filename app-stats.log, \
    	app_stats_period 300, \
    	app_stats_rollover_size 1024000, \
    	app_stats_rollover_time 86400
    
    # Snort Output Logs #
    output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority 500K
    
    output alert_pf: /usr/pbi/snort-amd64/etc/snort/snort_33111_em0/passlist_26891,snort2c,both,kill
    
    # Misc Includes #
    include /usr/pbi/snort-amd64/etc/snort/snort_33111_em0/reference.config
    include /usr/pbi/snort-amd64/etc/snort/snort_33111_em0/classification.config
    
    include /usr/pbi/snort-amd64/etc/snort/snort_33111_em0/suppwansuppress_551079ed9034c
    
    # Snort user pass through configuration
    
    # Rules Selection #
    include $RULE_PATH/snort.rules
    include $RULE_PATH/flowbit-required.rules
    include $RULE_PATH/custom.rules
    


  • The file should be there.  Post your copy of /usr/local/pkg/snort/snort_conf_template.inc.  If the line is in there properly, it should get added to the individual Snort interfaces upon each configuration rebuild.

    Bill



  • @bmeeks:

    The file should be there.  Post your copy of /usr/local/pkg/snort/snort_conf_template.inc.  If the line is in there properly, it should get added to the individual Snort interfaces upon each configuration rebuild.

    Bill

    Looking at this, is my problem the word "include" before the path? I just now noticed that was in one of your later replies, but not your original reply. I tried removing the word include and restarting Snort. It restarts ok, but no changes to the snort.conf.

    [2.2.4-RELEASE][root@pfSense.localdomain]/root: cat /usr/local/pkg/snort/snort_conf_template.inc
    
    // This is the template used to generate the snort.conf
    // configuration file for the interface.  The contents of
    // this file are written to the snort.conf file for
    // the interface.  Key parameters are provided by the
    // included string variables which are populated by the
    // snort_generate_conf.php file.
    
    $snort_conf_text = <<<EOD
    # snort configuration file
    # generated automatically by the pfSense subsystems do not modify manually
    
    # Define Local Network #
    ipvar HOME_NET [{$home_net}]
    ipvar EXTERNAL_NET [{$external_net}]
    
    # Define Rule Path #
    var RULE_PATH {$snortcfgdir}/rules
    
    # Define Servers #
    {$ipvardef}
    
    # Define Server Ports #
    {$portvardef}
    
    # Configure the snort decoder #
    config checksum_mode: {$cksumcheck}
    config disable_decode_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_ttcp_alerts
    config disable_tcpopt_alerts
    config disable_ipopt_alerts
    config disable_decode_drops
    
    # Enable the GTP decoder #
    config enable_gtp
    
    # Configure PCRE match limitations
    config pcre_match_limit: 3500
    config pcre_match_limit_recursion: 1500
    
    # Configure the detection engine #
    config detection: {$cfg_detect_settings}
    config event_queue: max_queue 8 log 5 order_events content_length
    
    # Configure to show year in timestamps
    config show_year
    
    # Configure protocol aware flushing #
    # For more information see README.stream5 #
    {$paf_max_pdu_config}
    
    # Configure dynamically loaded libraries
    dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']}
    dynamicengine directory {$snort_dirs['dynamicengine']}
    dynamicdetection directory {$snort_dirs['dynamicrules']}
    
    # Inline packet normalization. For more information, see README.normalize
    # Disabled since we do not use "inline" mode with pfSense
    # preprocessor normalize_ip4
    # preprocessor normalize_tcp: ips ecn stream
    # preprocessor normalize_icmp4
    # preprocessor normalize_ip6
    # preprocessor normalize_icmp6
    
    # Flow and stream #
    {$frag3_global}
    
    {$frag3_engine}
    
    {$stream5_global}
    
    {$stream5_tcp_engine}
    
    {$stream5_udp_engine}
    
    {$stream5_icmp_engine}
    
    # HTTP Inspect #
    {$http_inspect_global}
    
    {$http_inspect_servers}
    {$snort_preprocessors}
    {$host_attrib_config}
    
    # Snort Output Logs #
    output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority {$alert_log_limit_size}
    {$alertsystemlog_type}
    {$snortunifiedlog_type}
    {$spoink_type}
    
    # Misc Includes #
    {$snort_misc_include_rules}
    
    {$suppress_file_name}
    
    # Snort user pass through configuration
    {$snort_config_pass_thru}
    
    # Rules Selection #
    {$selected_rules_sections}
    
    include $RULE_PATH/rules/local.rules
    
    EOD;
    
    // End of snort.conf template code
    
    ?>
    


  • Let's try putting a backslash in front of the "$" symbol.  I also just realized I gave you a bogus path with that extra "rules" in it.  I also forgot that PHP may try to interpret it as a string variable instead of printing it literally.  Edit the snort_conf_template.inc file so that "include" line looks like this:

    
    include \$RULE_PATH/local.rules
    
    

    Notice that "rules" is now removed from the path and we are escaping the leading "$" symbol.  Make these edits, stop and restart Snort from the INTERFACE SETTINGS tab in Snort, then look at the snort.conf file and you should see this at the bottom:

    
    # Rules Selection #
    include $RULE_PATH/snort.rules
    include $RULE_PATH/flowbit-required.rules
    include $RULE_PATH/custom.rules
    include $RULE_PATH/local.rules
    
    

    Bill
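    The workaround above has three moving parts that each failed once in this thread: the extra rules file must exist (even zero-length) under every interface's rules directory, the include line in the PHP heredoc template must escape the `$` so PHP writes it out literally instead of interpolating an undefined variable, and the regenerated snort.conf must actually end up with the include. The script below is an added example written for this thread, not code from the posts or from the pfSense Snort package; it assumes the paths quoted above (/usr/pbi/snort-amd64/etc/snort and /usr/local/pkg/snort/snort_conf_template.inc) and the file name local.rules, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense Snort package): sanity checks
# for the "extra rules file via snort_conf_template.inc" workaround.
# Assumed defaults, taken from the paths quoted in the thread; override via env.
SNORT_ETC="${SNORT_ETC:-/usr/pbi/snort-amd64/etc/snort}"              # per-interface dirs live here
LOCAL_RULES="${LOCAL_RULES:-local.rules}"                              # file name picked in step 1
TEMPLATE="${TEMPLATE:-/usr/local/pkg/snort/snort_conf_template.inc}"   # template edited in step 2

# ensure_local_rules BASE NAME
# Every BASE/snort_*/rules directory must contain NAME, otherwise Snort dies at
# startup with "Unable to open rules file". Creates a zero-length file where one
# is missing and leaves existing files alone. Returns 1 if BASE has no interface dirs.
ensure_local_rules() {
    base="$1"; name="$2"; found=0
    for d in "$base"/snort_*/rules; do
        [ -d "$d" ] || continue
        found=1
        if [ ! -e "$d/$name" ]; then
            : > "$d/$name"
            echo "created empty $d/$name"
        fi
    done
    [ "$found" -eq 1 ]
}

# template_include_ok TEMPLATE NAME
# The template is a PHP heredoc, so an unescaped $RULE_PATH is interpolated by
# PHP (as an undefined variable) rather than written out literally. Accept only
# the escaped form 'include \$RULE_PATH/NAME'; reject the unescaped form and
# the mistaken extra '/rules/' path element from earlier in the thread.
template_include_ok() {
    tpl="$1"; name="$2"
    grep -Fq "include \\\$RULE_PATH/$name" "$tpl" || return 1
    if grep -Fq "include \$RULE_PATH/$name" "$tpl"; then return 1; fi
    if grep -Fq "RULE_PATH/rules/$name" "$tpl"; then return 1; fi
    return 0
}

# conf_has_include CONF NAME
# After a stop/start from the Snort interface settings, the rendered snort.conf
# should carry the (now unescaped) include line in its Rules Selection block.
conf_has_include() {
    grep -Fq "include \$RULE_PATH/$2" "$1"
}

# check_workaround BASE NAME TEMPLATE: run all three checks, report, return 0 only if all pass.
check_workaround() {
    base="$1"; name="$2"; tpl="$3"; rc=0
    ensure_local_rules "$base" "$name" || { echo "no snort_*/rules directories under $base"; rc=1; }
    template_include_ok "$tpl" "$name" || { echo "template lacks escaped include for $name"; rc=1; }
    for conf in "$base"/snort_*/snort.conf; do
        [ -f "$conf" ] || continue
        conf_has_include "$conf" "$name" || { echo "$conf has no include for $name (restart Snort to regenerate)"; rc=1; }
    done
    return "$rc"
}

# Only touch the live system when the pfSense paths actually exist.
if [ -d "$SNORT_ETC" ] && [ -f "$TEMPLATE" ]; then
    check_workaround "$SNORT_ETC" "$LOCAL_RULES" "$TEMPLATE" && echo "OK"
fi
```

Once the checks pass, `snort -T -c /usr/pbi/snort-amd64/etc/snort/snort_33111_em0/snort.conf` (Snort's configuration test mode) parses the rendered file, including local.rules, and reports any rule syntax error before you restart the interface from the GUI.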



  • @bmeeks:

    Let's try putting a backslash in front of the "$" symbol.  I also just realized I gave you a bogus path with that extra "rules" in it.  I also forgot that PHP may try to interpret it as a string variable instead of printing it literally.

    Bill

    Hi Bill, that worked and the local.rules file is now showing up in my snort.conf, but when I generate some test traffic that should create an alert and a block nothing is showing up in the alerts tab or blocked tab in the web gui and there isn't any indication in the downloaded logs (neither the CSV or the pcaps).

    Should alerts for rules in the local.rules file show up normally in the web gui and logs?

    In fact, I'm not 100% sure yet, but it may be the case that nothing is alerting any longer, even rules that are in the normal rules files (both custom and downloaded) loaded through the gui. I know I was getting alerts after making the changes you specified last but before populating my local.rules file, so I am going to let it run for a bit and see if I get any other hits (to rule out problems with the traffic/rules I am testing with)

    I appreciate all your help, but since it was mentioned that this feature was going to be introduced in the next update, if you feel it is the best use of your time for me to wait I don't mind doing so. But if you want to continue to help me troubleshoot this that would also be appreciated.



  • @pointcheck44:

    Hi Bill, that worked and the local.rules file is now showing up in my snort.conf, but when I generate some test traffic that should create an alert and a block nothing is showing up in the alerts tab or blocked tab in the web gui and there isn't any indication in the downloaded logs (neither the CSV or the pcaps).

    Should alerts for rules in the local.rules file show up normally in the web gui and logs?

    In fact, I'm not 100% sure yet, but it may be the case that nothing is alerting any longer, even rules that are in the normal rules files (both custom and downloaded) loaded through the gui. I know I was getting alerts after making the changes you specified last but before populating my local.rules file, so I am going to let it run for a bit and see if I get any other hits (to rule out problems with the traffic/rules I am testing with)

    I appreciate all your help, but since it was mentioned that this feature was going to be introduced in the next update, if you feel it is the best use of your time for me to wait I don't mind doing so. But if you want to continue to help me troubleshoot this that would also be appreciated.

    I think I spoke too soon, rules in local.rules and other rules are working ok. It seems like it took a while for them to start working.

    I might be having some issues with some DNS related rules not alerting, but I'll do some more testing and look at my variables and open a new thread if need be.

    Thanks for all your help.



  • I just updated to the latest version of Snort which broke this setup.

    I tried to edit to add the additional rule file back in, but the syntax seems to have changed.

    The rules selection section now looks like:

    # Rules Selection #
    {$selected_rules_sections}
    EOD;
    

    I wasn't sure where the $selected_rules_section referenced here is. Can I still make the changes as described in this thread to add a large custom rule list?



  • @pointcheck44:

    I just updated to the latest version of Snort which broke this setup.

    I tried to edit to add the additional rule file back in, but the syntax seems to have changed.

    The rules selection section now looks like:

    # Rules Selection #
    {$selected_rules_sections}
    EOD;
    

    I wasn't sure where the $selected_rules_section referenced here is. Can I still make the changes as described in this thread to add a large custom rule list?

    Yes, the instructions in this thread will still work if followed precisely.

    Bill

