Snort Rules Configuration - Backup / Duplication?
-
Good Evening All,
I'm in the process of setting up an additional pfSense firewall for a remote location. Using a backup/restore is not an option. Is there a way to copy the enabled/disabled Snort rule set so as to avoid having to go through the rather painful process of enabling & disabling rules one at a time? I did look around the forum for an XMLRPC Sync guide but could not find enough to figure it out.
Any thoughts or guidance on how to get the snort rule set configuration from one pfSense box to another would be greatly appreciated.
-
You can do this by manually editing the config.xml file from each firewall. If you are medium-fluent in XML, then it's a piece of cake.
Open the copy of config.xml from the "source" firewall and find the <installedpackages> tag, then within that tag set find <snortglobal>.
The <snortglobal> section contains the entire Snort configuration for the box. The tags within <snortglobal> should be fairly self-documenting. The <rule> tags delimit your configured Snort interfaces. Within the <rule> tags are all the settings for a given interface.
The enabled rule set names are within the <rulesets> tags. So copy the contents of this section into the same tag in the "destination" firewall's config.xml.
Manually forced-on or forced-off rules are contained within these two tags:
<rule_sid_on> = manually enabled rules
<rule_sid_off> = manually disabled rules
If you have manually adjusted any rule settings, then copy the two tag sections above from "source" to "destination". Once done copying the relevant settings from "source" to "destination", restore the destination firewall's edited config.xml and you should be good to go.
Bill
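One way to carry out the copy Bill describes with a script rather than by hand. This is an added example, not code from the thread or from pfSense; it assumes each <rule> element under <snortglobal> carries an <interface> child and matches source and destination interfaces by that name, and the two sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Tags Bill names as holding the rule selection state.
COPIED_TAGS = ("rulesets", "rule_sid_on", "rule_sid_off")

def snort_rules_by_interface(root):
    """Map <interface> name -> its <rule> element (assumes that child exists)."""
    path = "./installedpackages/snortglobal/rule"
    return {r.findtext("interface", default=""): r for r in root.findall(path)}

def merge_snort_rule_settings(src_xml, dst_xml):
    """Copy rule selections from the source config into the destination config.

    Only COPIED_TAGS are touched; other destination settings stay as they are.
    Returns (merged_xml_text, list_of_interfaces_updated).
    """
    src_rules = snort_rules_by_interface(ET.fromstring(src_xml))
    dst_root = ET.fromstring(dst_xml)
    updated = []
    for iface, dst_rule in snort_rules_by_interface(dst_root).items():
        src_rule = src_rules.get(iface)
        if src_rule is None:
            continue  # no matching interface on the source box: leave as-is
        for tag in COPIED_TAGS:
            src_el = src_rule.find(tag)
            if src_el is None:
                continue  # source never set this tag; keep destination value
            dst_el = dst_rule.find(tag)
            if dst_el is None:
                dst_el = ET.SubElement(dst_rule, tag)
            dst_el.text = src_el.text
        updated.append(iface)
    return ET.tostring(dst_root, encoding="unicode"), updated

# Constructed sample configs (not real pfSense exports), trimmed to the
# elements the procedure touches. Rule set names and SIDs are placeholders.
SRC = """<pfsense><installedpackages><snortglobal>
<rule><interface>wan</interface><rulesets>emerging-scan.rules||snort_exploit.rules</rulesets>
<rule_sid_on>1:1000001</rule_sid_on><rule_sid_off>1:1000002</rule_sid_off></rule>
</snortglobal></installedpackages></pfsense>"""
DST = """<pfsense><installedpackages><snortglobal>
<rule><interface>wan</interface><homenet>default</homenet><rulesets /></rule>
<rule><interface>lan</interface><rulesets>local.rules</rulesets></rule>
</snortglobal></installedpackages></pfsense>"""

if __name__ == "__main__":
    merged, changed = merge_snort_rule_settings(SRC, DST)
    print("updated interfaces:", changed)
    print(merged)
```

Write the returned text over the destination's config.xml copy and restore it as Bill describes; the lan interface, which has no counterpart on the source, keeps its own settings.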
-
Good Evening,
I have tried this process a couple of times, but each time I save the configuration file changes, pfSense restores the backup configuration file. Is there a trick to this?
Best-
Darren
-
Which file are you editing? When I directly edit the config, I use the file /conf/config.xml. I navigate to the file using Diagnostics > Edit File. It is living dangerously to directly edit the production file, but since mine is a home system I take the risk. I don't know why your changes are getting overwritten. I've never had that happen to me.
I think there are some hoops to jump through if you import or copy in a new config.xml file itself from a remote source. The contents of the file are saved in a large global memory array. Perhaps something is triggering a "dump" of the in-memory data back to the file and thus overwriting the changes you just made.
Bill