Netgate Discussion Forum

    Test Snort Rule

    Category: IDS/IPS | 2 Posts, 2 Posters, 4.0k Views
    Fahrenhe1t:

      Hi,

      I have pfSense 2.3, and loaded Snort 3.2.9.1_12 with Snort VRT rules enabled on the WAN interface. I'm trying to write a custom rule to help me validate whether Snort is working or not. I created a text file called cmd.exe on an external host. Inside the file is the string "uid=0(root) gid=0(root) groups=0(root)". I wrote a custom rule under Snort Interfaces > WAN > WAN Rules > custom.rules, to try and detect this:

      
      activate tcp any any -> any any (content:"root"; msg:"Test Root Detection"; sid:1000001;)
      
      

      I make sure Snort is running on the interface, then I try and download the file on a Linux box. I check the Alerts and no alert is generated. Also, it appears to shut down Snort; it stops running in Interfaces, and I get this error in the System Logs:

          Apr 28 19:06:12 	kernel 		igb0: promiscuous mode disabled
          Apr 28 19:06:12 	kernel 		pid 77189 (snort), uid 0: exited on signal 11

      Is my rule incorrect or am I putting the rule in the wrong spot? Thanks!

    bmeeks:

        Your rule is missing the proper action keyword and a classification parameter. The valid action keywords are generally "alert" or "drop". On pfSense, "alert" is the only valid keyword. The classification is a parameter string obtained from the classification.config file.

        One easy way to test Snort is to enable the Emerging-Threats Scan rules, then visit one of the online scanner web sites and have it scan your public IP for exposed services. That should trigger Snort. You can do the same by scanning your WAN IP (assuming that's where Snort is installed) with nmap.

        Saves you the problem of writing a custom rule. Snort is quite unforgiving with syntax errors as you see.

        Bill

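As an added example (not code from this thread, from pfSense, or from the Snort project), the Python rule linter below checks a custom rule for the two problems Bill points out, a disallowed action keyword and a missing classtype, plus the usual sid/rev hygiene, and rewrites the posted rule into a form that should load. Assumptions: the action list is Snort 2.9's, the "alert only" restriction on pfSense is taken from the answer above, "misc-activity" is used as a constructed default because it is a stock classification.config entry, and all function names are the example's own.

```python
"""Lint a Snort 2.9-style rule for the mistakes discussed in this thread.

Added example, not pfSense or Snort project code. The pfSense 'alert'-only
restriction is taken from the answer above; 'misc-activity' is a constructed
default classtype (a stock classification.config entry).
"""
import re

SNORT_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PFSENSE_ACTIONS = {"alert"}          # assumption: per the answer in this thread
DEFAULT_CLASSTYPE = "misc-activity"  # assumption: stock classification.config entry
LOCAL_SID_MIN = 1_000_000            # SIDs below this are reserved for distributed rules

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(text):
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Return (header dict, [(option, value), ...]) or None if the header is malformed."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for opt in split_options(m.group("opts")):
        name, _, value = opt.partition(":")  # flags like 'nocase' have no value
        options.append((name.strip(), value.strip()))
    return header, options


def lint_rule(rule, pfsense=True):
    """Return a list of problems; an empty list means every check passed."""
    parsed = parse_rule(rule)
    if parsed is None:
        return ["rule header is malformed (expected: action proto src sport -> dst dport (options))"]
    header, options = parsed
    names = {name for name, _ in options}
    problems = []
    if header["action"] not in SNORT_ACTIONS:
        problems.append(f"unknown action keyword '{header['action']}'")
    elif pfsense and header["action"] not in PFSENSE_ACTIONS:
        problems.append(f"action '{header['action']}' is not valid on pfSense; use 'alert'")
    for required in ("msg", "sid"):
        if required not in names:
            problems.append(f"missing required option '{required}'")
    if "classtype" not in names:
        problems.append("missing 'classtype' (must name an entry from classification.config)")
    if "rev" not in names:
        problems.append("missing 'rev' (revision number; start at 1)")
    for name, value in options:
        if name == "sid" and value.isdigit() and int(value) < LOCAL_SID_MIN:
            problems.append(f"sid {value} is below {LOCAL_SID_MIN}; local rules should use 1000000 or higher")
    return problems


def fix_rule(rule, classtype=DEFAULT_CLASSTYPE):
    """Rewrite the rule with 'alert' as the action and classtype/rev appended if absent."""
    parsed = parse_rule(rule)
    if parsed is None:
        raise ValueError("cannot fix a rule whose header does not parse")
    header, options = parsed
    names = {name for name, _ in options}
    if "classtype" not in names:
        options.append(("classtype", classtype))
    if "rev" not in names:
        options.append(("rev", "1"))
    body = " ".join(f"{n}:{v};" if v else f"{n};" for n, v in options)
    return (f"alert {header['proto']} {header['src']} {header['sport']} {header['dir']} "
            f"{header['dst']} {header['dport']} ({body})")


# The rule exactly as posted in the question above.
POSTED_RULE = 'activate tcp any any -> any any (content:"root"; msg:"Test Root Detection"; sid:1000001;)'

if __name__ == "__main__":
    for problem in lint_rule(POSTED_RULE):
        print("problem:", problem)
    print("fixed:  ", fix_rule(POSTED_RULE))
```

The linter only checks that the options are present and well formed; it cannot confirm that the classtype name exists in the classification.config shipped with the installed package, so a rule that passes here should still be confirmed by restarting Snort on the interface and reading the system log for a rule-parse error instead of the crash shown above.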
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.