Snort - need to sync the <rule_sid_off> between systems



  • Hi All,

    I'm taking care of a few pfSense firewalls and one of the most annoying tasks is to keep the disabled rules in sync.
    Basically what happens is that some rules (mainly ET) throw false positives and I disable the rule as soon as I find out. I am taking a note of the SID and I am doing the same with the other pfSense Firewalls, or I'm collecting a few of these SIDs and from time to time I'm logging on to all the pfSenses, run a backup of the package config, copy the <rule_sid_off> part from the reference firewall to the package backups from the other pfSenses (replacing the existing <rule_sid_off> in the backup file) and then restoring the package backup (very annoying).

    Other than the rules the systems are pretty different so I'm too afraid to use the integrated "Snort Package XMLRPC Sync" feature since I don't know what it will actually sync between the systems and I can't select. I really want to sync only the <rule_sid_off> and nothing else.

    What I'm requesting:
    Either detailed options on what XMLRPC Sync will actually sync (like check boxes for various config parts of snort)
    or
    An easy way to export and import a list of the disabled rules.

    Is there something already in place that I could use?

    Bill,
    If a code change is required I guess you will most likely be the one looking into it - of course there will be some "thank you". I thought about a 100 USD Amazon voucher.
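The manual copy step described in the post above, as an added Python example that is not part of the original thread or of the Snort package: it reads the per-interface <rule_sid_off> lists out of a reference package backup and writes them into the matching interfaces of another backup, reporting which interfaces changed. The element path installedpackages/snortglobal/rule and the "||"-separated gid:sid format are assumptions, and the two XML documents are constructed samples.

```python
"""Copy the Snort package's per-interface <rule_sid_off> lists from a reference
pfSense package backup into another backup so the disabled-SID lists match.

Assumptions (not taken from the thread): each rule set lives under
installedpackages/snortglobal/rule with an <interface> name and a
<rule_sid_off> text node holding "||"-separated gid:sid tokens.
"""
import xml.etree.ElementTree as ET

RULE_PATH = "./installedpackages/snortglobal/rule"  # assumed layout

# Constructed sample backups (not real firewall data).
REFERENCE_XML = """<pfsense><installedpackages><snortglobal>
  <rule><interface>wan</interface><rule_sid_off>1:2000345||1:2010937</rule_sid_off></rule>
  <rule><interface>lan</interface><rule_sid_off>1:2100498</rule_sid_off></rule>
</snortglobal></installedpackages></pfsense>"""

TARGET_XML = """<pfsense><installedpackages><snortglobal>
  <rule><interface>wan</interface><rule_sid_off>1:2000345</rule_sid_off></rule>
  <rule><interface>opt1</interface><rule_sid_off>1:2003068</rule_sid_off></rule>
</snortglobal></installedpackages></pfsense>"""


def collect_sid_off(xml_text):
    """Return {interface_name: rule_sid_off_text} from one package backup."""
    root = ET.fromstring(xml_text)
    result = {}
    for rule in root.findall(RULE_PATH):
        iface = rule.findtext("interface")
        if iface is not None:
            result[iface] = rule.findtext("rule_sid_off") or ""
    return result


def apply_sid_off(xml_text, reference):
    """Replace <rule_sid_off> on every interface present in `reference`.

    Interfaces that exist only on the target are left untouched, so a
    reference box with fewer interfaces never wipes the target's lists.
    Returns (new_xml_text, list_of_changed_interfaces).
    """
    root = ET.fromstring(xml_text)
    changed = []
    for rule in root.findall(RULE_PATH):
        iface = rule.findtext("interface")
        if iface not in reference:
            continue
        node = rule.find("rule_sid_off")
        if node is None:
            node = ET.SubElement(rule, "rule_sid_off")
        if (node.text or "") != reference[iface]:
            node.text = reference[iface]
            changed.append(iface)
    return ET.tostring(root, encoding="unicode"), changed
```

Run collect_sid_off() on the reference backup and feed the result to apply_sid_off() for each other backup before restoring it; a second pass over an already-synced file reports no changes.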



  • Right now the XMLRPC sync is an "all or nothing" process in terms of the Snort configuration.  It either syncs the whole configuration, or none of it.  I've never contemplated syncing only parts of the configuration.  To be honest, the original sync code for the Snort package was contributed by the user @marcelloc here on the Forums.

    Off hand I don't know if a partial sync is possible or not.  I need to dig into the pfSense XMLRPC sync functions to see if pieces of the config.xml can be synchronized.

    Bill


  • Moderator

    @bmeeks:

    Right now the XMLRPC sync is an "all or nothing" process in terms of the Snort configuration.  It either syncs the whole configuration, or none of it.  I've never contemplated syncing only parts of the configuration.  To be honest, the original sync code for the Snort package was contributed by the user @marcelloc here on the Forums.

    Off hand I don't know if a partial sync is possible or not.  I need to dig into the pfSense XMLRPC sync functions to see if pieces of the config.xml can be synchronized.

    Bill

    Hi Bill,

    This is possible, I've done this already in the pfBlockerNG package.

    You can review pfblockerng.inc  Lines: 2968-2998
    Code to collect specific XML from the config.xml file.

    and pfblockerng_sync.xml    Lines: 165-170
    Added a Checkbox to enable/disable the XMLRPC sync of a specific part of the config.xml file.

    Hope this helps!



  • Thanks for the tips.  I will put this on my feature update TODO list.

    Bill



  • @bmeeks:

    Thanks for the tips.  I will put this on my feature update TODO list.

    Bill

    Great! Thank you!



  • Hi there,

    I hope this failure will be fixed soon:

    Warning: require(/usr/local/pkg/snort/snort_defs.inc): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 40

    Fatal error: require(): Failed opening required '/usr/local/pkg/snort/snort_defs.inc' (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg') in /usr/local/pkg/snort/snort.inc on line 40
    pfSense (pfSense) 2.2.4-RELEASE amd64 Sat Jul 25 19:57:37 CDT 2015

    thanks a lot



  • @foresthus:

    Hi there,

    I hope this failure will be fixed soon:

    Warning: require(/usr/local/pkg/snort/snort_defs.inc): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 40

    Fatal error: require(): Failed opening required '/usr/local/pkg/snort/snort_defs.inc' (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg') in /usr/local/pkg/snort/snort.inc on line 40
    pfSense (pfSense) 2.2.4-RELEASE amd64 Sat Jul 25 19:57:37 CDT 2015

    thanks a lot

    How is this error related to the topic? Start your own thread with info on when this error happens etc.



  • @fragged:

    @foresthus:

    Hi there,

    I hope this failure will be fixed soon:

    Warning: require(/usr/local/pkg/snort/snort_defs.inc): failed to open stream: No such file or directory in /usr/local/pkg/snort/snort.inc on line 40

    Fatal error: require(): Failed opening required '/usr/local/pkg/snort/snort_defs.inc' (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg') in /usr/local/pkg/snort/snort.inc on line 40
    pfSense (pfSense) 2.2.4-RELEASE amd64 Sat Jul 25 19:57:37 CDT 2015

    thanks a lot

    How is this error related to the topic? Start your own thread with info on when this error happens etc.

    OK. I opened a new thread:
    https://forum.pfsense.org/index.php?topic=98729.msg549901#msg549901



  • @ConfusedUser:

    What I'm requesting:
    Either detailed options on what XMLRPC Sync will actually sync (like check boxes for various config parts of snort)
    or
    An easy way to export and import a list of the disabled rules.

    Bill,
    If a code change is required I guess you will most likely be the one looking into it - of course there will be some "thank you". I thought about a 100 USD Amazon voucher.

    I am just manually copying <rule_sid_off> between systems at the moment too, so I'd love a way to be able to automate this.

    @ConfusedUser: Have you opened a bounty thread for this? I'll match your 100 USD bounty, if one exists.



  • @ajrg:

    @ConfusedUser: Have you opened a bounty thread for this? I'll match your 100 USD bounty, if one exists.

    No, I didn't start a bounty thread. But I guess Bill knows my offer won't be an empty promise…

    Bill,
    Do you want me to open a bounty thread for this feature request?

