[Snort-sigs] Beginner Rule Problem
kodiak80 at ...2420...
Mon Oct 7 21:57:02 EDT 2013
I recently installed snort on my pfSense install to try and start learning a bit about it. I followed the guide in this forum for basic initial setup and added the Snort VRT rules, using the 'connectivity' IPS policy. However, I wanted to try my hand at writing my own custom rules to understand how snort works. I added the below to the custom.rules in the pfSense GUI:
alert tcp any any -> 18.104.22.168 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)
The WAN interface comes up no problem with this rule, but as soon as I try to exercise it by browsing to www.mtbr.com the interface quits (red x next to WAN interface in snort interface list). I get the following in my system logs:
Oct 5 15:51:55 kernel: em0: promiscuous mode disabled
Oct 5 15:51:55 kernel: pid 75200 (snort), uid 0: exited on signal 11
Oct 5 15:51:37 kernel: em0: promiscuous mode enabled
Oct 5 15:51:36 php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
Oct 5 15:51:36 php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
Oct 5 15:51:36 php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Oct 5 15:51:32 php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Oct 5 15:51:32 php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(WAN)...
I've tried a couple of different rules with traffic I can easily generate to test, but this is the same result each time. I assume this must be a formatting issue with my rule or the use of custom rules altogether. Any help would be appreciated. I haven't received anything back from the pfSense forum as of yet, so I'm hoping someone here can lend a hand.
snort 22.214.171.124 pkg v. 2.6.0
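As an added example (not code from the poster or from the pfSense Snort package), the checker below parses a Snort 2 text rule into its header fields and option list and reports the formatting mistakes that most often keep a custom rule from loading: a header that does not fit "action proto src sport -> dst dport (options)", an unquoted or missing msg, an unterminated quote or option, and a missing sid. It also flags a sid below 1,000,000, since Snort reserves that range for the distributed rule sets and recommends 1,000,000 and above for local rules; that is a convention, not a crash cause. Run against the rule quoted in the post, it reports only the sid range, so the rule itself looks syntactically well formed. The hypothetical rules in the usage section are constructed for illustration.

```python
"""Minimal Snort 2 rule-syntax checker (added example, not the poster's code).

Assumes the Snort 2 rule grammar: a fixed seven-field header followed by a
parenthesised, semicolon-terminated option list in which values may be
double-quoted and quotes may be backslash-escaped.
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_FLOOR = 1000000  # Snort convention: local rules use sid >= 1,000,000

HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(body):
    """Split 'a:1; b:"x;y"; c;' into (keyword, value) pairs, honouring quotes."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:   # ';' outside quotes ends an option
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unterminated double quote in options")
    if "".join(cur).strip():
        raise ValueError("last option is not terminated with ';'")
    pairs = []
    for raw in opts:
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")  # 'msg: "x"' and 'msg:"x"' both parse
        pairs.append((key.strip(), val.strip()))
    return pairs


def check_rule(rule):
    """Return the list of problems found in one rule; empty means it looks well formed."""
    problems = []
    m = HEADER_RE.match(rule)
    if not m:
        return ["header does not match 'action proto src sport -> dst dport (options)'"]
    if m["action"] not in ACTIONS:
        problems.append(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol {m['proto']!r}")
    try:
        opts = split_options(m["opts"])
    except ValueError as e:
        return problems + [str(e)]
    keys = dict(opts)  # last occurrence wins; enough for the required-option checks
    if "msg" not in keys:
        problems.append("missing msg option")
    elif not (keys["msg"].startswith('"') and keys["msg"].endswith('"')):
        problems.append("msg value must be double-quoted")
    if "sid" not in keys:
        problems.append("missing sid option")
    elif not keys["sid"].isdigit():
        problems.append("sid must be a number")
    elif int(keys["sid"]) < LOCAL_SID_FLOOR:
        problems.append(f"sid {keys['sid']} is in the range reserved for distributed rules; "
                        f"use >= {LOCAL_SID_FLOOR} for local rules")
    return problems


if __name__ == "__main__":
    # Constructed sample rules: the first is the rule quoted in the post.
    samples = [
        'alert tcp any any -> 18.104.22.168 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)',
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Web Traffic mtbr.com"; '
        'flow:to_server,established; sid:1000001; rev:1;)',
        'alert tcp any any -> any 80 (msg:"oops; sid:1000002;)',
        'alert tcp any any -> any 80 (msg:"no final semicolon"; sid:1000003)',
    ]
    for r in samples:
        print(r)
        for p in check_rule(r) or ["ok"]:
            print("   ", p)
```

The checker deliberately stops at syntax: it cannot tell whether a rule will crash a particular Snort build at runtime, only whether the text is something the rule parser should accept.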