Test Snort Rule

  • Hi,

    I have pfSense 2.3, and loaded Snort with Snort VRT rules enabled on the WAN interface.  I'm trying to write a custom rule to help me validate whether Snort is working or not.  I created a text file called cmd.exe on an external host.  Inside the file is the string "uid=0(root) gid=0(root) groups=0(root)".  I wrote a custom rule under Snort Interfaces > WAN > WAN Rules > custom.rules,  to try and detect this:

    activate tcp any any -> any any (content:"root"; msg:"Test Root Detection"; sid:1000001;)

    I make sure Snort is running on the interface, then I try to download the file on a Linux box.  I check the Alerts and no alert is generated.  Also, it appears to shut down Snort; it stops running in Interfaces, and I get this error in the System Logs:

    Apr 28 19:06:12 	kernel 		igb0: promiscuous mode disabled
    Apr 28 19:06:12 	kernel 		pid 77189 (snort), uid 0: exited on signal 11

    Is my rule incorrect or am I putting the rule in the wrong spot?  Thanks!

  • Your rule is missing the proper action keyword and a classification parameter.  The valid action keywords are generally "alert" or "drop".  On pfSense, "alert" is the only valid keyword.  The classification is a parameter string obtained from the classification.config file.

    One easy way to test Snort is to enable the Emerging-Threats Scan rules, then visit one of the online scanner web sites and have it scan your public IP for exposed services.  That should trigger Snort.  You can do the same by scanning your WAN IP (assuming that's where Snort is installed) with nmap.

    Saves you the problem of writing a custom rule.  Snort is quite unforgiving with syntax errors as you see.
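    As an added illustration (not code from either poster), the small Python checker below parses a Snort rule into its header and options and reports the two problems the reply names: an action keyword other than "alert" and a missing classtype.  It also carries a corrected version of the rule from the question; the content string, the misc-activity classtype and the rev option are my own choices, and the "only alert is accepted" check reflects the reply's statement about pfSense rather than upstream Snort.

```python
import re

# Constructed: the rule from the question and a corrected version following the reply.
BROKEN_RULE = ('activate tcp any any -> any any '
               '(content:"root"; msg:"Test Root Detection"; sid:1000001;)')
FIXED_RULE = ('alert tcp any any -> any any '
              '(msg:"Test Root Detection"; content:"uid=0(root)"; nocase; '
              'classtype:misc-activity; sid:1000001; rev:1;)')

# Assumption taken from the reply: pfSense's Snort package only accepts "alert".
PFSENSE_ACTIONS = {"alert"}

HEADER_RE = re.compile(
    r'^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# One option: name, optional ":value" (quoted strings may contain ';'), then ';'.
OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;')


def parse_rule(rule):
    """Split a rule into header fields and an ordered list of (option, value) pairs."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("header must look like: action proto src sport -> dst dport (...)")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": OPTION_RE.findall(body)}


def check_rule(rule):
    """Return the problems the reply points out; an empty list means the rule looks usable."""
    parsed = parse_rule(rule)
    names = [name for name, _ in parsed["options"]]
    problems = []
    if parsed["action"] not in PFSENSE_ACTIONS:
        problems.append(f'action "{parsed["action"]}" is not accepted on pfSense; use "alert"')
    if "classtype" not in names:
        problems.append("missing classtype (a name from classification.config)")
    for required in ("msg", "sid"):
        if required not in names:
            problems.append(f"missing {required}")
    return problems


if __name__ == "__main__":
    for label, rule in (("original", BROKEN_RULE), ("corrected", FIXED_RULE)):
        print(label, check_rule(rule) or "OK")
```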
