Snort Rules Configuration - Backup / Duplication?



  • Good Evening All,

    I'm in the process of setting up an additional pfSense firewall for a remote location.  Using a backup/restore is not an option.  Is there a way to copy the enabled/disabled Snort rule set so as to avoid having to go through the rather painful process of enabling & disabling rules one at a time?  I did look around the forum for a XMLRPC Sync guide but could not find enough to figure it out.

    Any thoughts or guidance on how to get the snort rule set configuration from one pfSense box to another would be greatly appreciated.



  • You can do this by manually editing the config.xml file from each firewall.  If you are medium-fluent in XML, then it's a piece of cake.

    Open the copy of config.xml from the "source" firewall and find the <installedpackages>tag, then within that tag set find <snortglobal>.

    The <snortglobal>section contains the entire Snort configuration for the box.  The tags within <snortglobal>should be fairly self-documenting.  The <rule>tags delimit your configured Snort interfaces.  Within the <rule>tags are all the settings for a given interface.

    The enabled rule set names are within the <rulesets>tags.  So copy the contents of this section into the same tag in the "destination" firewall's config.xml.

    Manually forced-on or forced-off rules are contained within these two tags:

    <rule_sid_on>= manually enabled rules
    <rule_sid_off>= manually disabled rules

    If you have manually adjusted any rule settings, then copy the two tag sections above from "source" to "destination".  Once done copying the relevant settings from "source" to "destination", restore the destination firewall's edited config.xml and you should be good to go.

    Bill</rule_sid_off></rule_sid_on></rulesets></rule></rule></snortglobal></snortglobal></snortglobal></installedpackages>



  • Good Evening,

    I have tried this process a couple of times, but each time I save the configuration file changes, pfsense restores the backup configuration file.  Is there a trick to this?

    Best-

    Darren



  • Which file are you editing?  When I directly edit the config, I use the file /conf/config.xml.  I navigate to the file using Diagnostics > Edit File.  It is living dangerously to directly edit the production file, but since mine is a home system I take the risk.  I don't know why your changes are getting overwritten.  I've never had that happen to me.

    I think there are some hoops to jump through if you import or copy in a new config.xml file itself from a remote source.  The contents of the file are saved in a large global memory array.  Perhaps something is triggering a "dump" of the in-memory data back to the file and thus overwriting the changes you just made.

    Bill


Log in to reply