[Snort-sigs] Beginner Rule Problem

Kodiak80 kodiak80 at ...2420...
Mon Oct 7 21:57:02 EDT 2013


I recently installed snort on my pfSense install to try and start learning a bit about it.  I followed the guide in this forum for basic initial setup and added the Snort VRT rules, using the 'connectivity' IPS policy.  However, I wanted to try my hand at writing my own custom rules to understand how snort works.  I added the below to the custom.rules in the pfSense GUI:

alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)

The WAN interface comes up no problem with this rule, but as soon as I try to exercise it by browsing to www.mtbr.com the interface quits (red x next to WAN interface in snort interface list).  I get the following in my system logs:

Oct 5 15:51:55	kernel: em0: promiscuous mode disabled
Oct 5 15:51:55	kernel: pid 75200 (snort), uid 0: exited on signal 11
Oct 5 15:51:37	kernel: em0: promiscuous mode enabled
Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Oct 5 15:51:32	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Oct 5 15:51:32	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(WAN)...

I've tried a couple of different rules with traffic I can easily generate to test, but this is the same result each time.  I assume this must be a formatting issue with my rule or the use of custom rules altogether.  Any help would be appreciated.  I haven't received anything back from the pfSense forum as of yet, so I'm hoping someone here can lend a hand.

pfSense 2.1-release
snort 2.9.4.6 pkg v. 2.6.0
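Editor's note, added for readers of this thread: the following is an example I wrote, not code from the poster, pfSense or the Snort project, and it does not diagnose the signal 11 above. It is a small linter for local Snort rules, run over the rule from the post plus two constructed variants: a tighter rewrite (hypothetical; the Host header match and $HOME_NET are assumptions) and a deliberately broken rule with an unterminated quote. It checks the things that most often bite people writing their first custom rule: header shape, option syntax, quoted msg, an integer sid, a rev, a payload or flow constraint, and duplicate SIDs. The SID ranges it enforces are the ones documented in the Snort manual (SIDs below 1,000,000 belong to rules shipped with Snort; local rules should use 1,000,000 and up), so sid:10001 as posted is flagged.

```python
import re

# SID allocation documented in the Snort manual: <100 reserved, 100-999,999
# for rules shipped with the Snort distribution, >=1,000,000 for local rules.
LOCAL_SID_MIN = 1_000_000
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Rule header: action proto src sport dir dst dport, then the option body.
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_options(body):
    """Split the option body into (keyword, value) pairs.

    Splits on ';' only outside double quotes, so a msg containing ';'
    survives, and rejects an unterminated quote or an option without ';'.
    """
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"' and not (cur and cur[-1] == "\\"):
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                key, _, val = token.partition(":")
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated double quote in options")
    if "".join(cur).strip():
        raise ValueError("option missing its terminating ';': %s" % "".join(cur).strip())
    return opts


def lint_rule(rule):
    """Lint one rule; returns a list of findings (empty list = passed)."""
    findings = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header does not match 'action proto src sport dir dst dport (...)'"]
    if m["action"] not in ACTIONS:
        findings.append("unknown action %r" % m["action"])
    if m["proto"] not in PROTOCOLS:
        findings.append("unknown protocol %r" % m["proto"])
    try:
        opts = parse_options(m["opts"])
    except ValueError as exc:
        return findings + ["option syntax: %s" % exc]
    keys = {k for k, _ in opts}
    values = dict(opts)  # last value wins; fine for msg/sid/rev
    msg = values.get("msg")
    if msg is None:
        findings.append("missing msg")
    elif len(msg) < 2 or msg[0] != '"' or msg[-1] != '"':
        findings.append("msg must be double-quoted")
    sid = values.get("sid")
    if sid is None:
        findings.append("missing sid")
    elif not sid.isdigit():
        findings.append("sid must be an integer, got %r" % sid)
    elif int(sid) < LOCAL_SID_MIN:
        findings.append("sid %s is below %d; SIDs from %d up are reserved for local rules"
                        % (sid, LOCAL_SID_MIN, LOCAL_SID_MIN))
    if "rev" not in keys:
        findings.append("missing rev (use rev:1; so later edits can be tracked)")
    if not keys & {"content", "pcre", "flow", "flowbits", "dsize", "flags"}:
        findings.append("no payload or flow constraint: fires on every packet "
                        "matching the header")
    return findings


def lint_rules(rules):
    """Lint a list of rules and additionally flag SIDs used more than once."""
    results = [lint_rule(r) for r in rules]
    seen = {}
    for i, r in enumerate(rules):
        m = re.search(r"\bsid\s*:\s*(\d+)\s*;", r)
        if m:
            seen.setdefault(m.group(1), []).append(i)
    for sid, idxs in seen.items():
        if len(idxs) > 1:
            for i in idxs:
                results[i].append("sid %s duplicated in rules %s" % (sid, idxs))
    return results


# Constructed sample input: the rule from the post, a tighter hypothetical
# rewrite, and a rule broken on purpose by an unterminated quote.
SAMPLE_RULES = [
    'alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)',
    'alert tcp $HOME_NET any -> 64.14.253.214 80 (msg:"Web Traffic mtbr.com"; '
    'flow:to_server,established; content:"Host|3A| www.mtbr.com"; nocase; '
    'http_header; classtype:policy-violation; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"broken rule; sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    for rule, findings in zip(SAMPLE_RULES, lint_rules(SAMPLE_RULES)):
        print(rule)
        for f in findings:
            print("  -", f)
        if not findings:
            print("  ok")
```

This only catches mistakes in the rule text; the authoritative check is still Snort itself, which will parse the whole configuration and exit with a message (rather than crash mid-traffic) when started in test mode with -T, e.g. snort -T -c /path/to/snort.conf -i em0 from a shell on the pfSense box. Running that with the custom rule in place is the first thing to try before chasing the signal 11 further.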


