[Snort-sigs] Beginner Rule Problem

Kodiak80 kodiak80 at ...2420...
Thu Oct 10 14:08:19 EDT 2013


I finally got my issue resolved with help over on the pfSense forums.  In case anyone else runs into a similar problem, I was missing a classification in my rule.  Once I added a 'classtype: inappropriate-content', the rule worked as expected.  Not sure if that is a general Snort requirement, or unique to the pfSense Snort install.  Thanks to those offering help.

On Oct 7, 2013, at 8:05 PM, Keith D. <keith2781 at ...144...> wrote:

> 
> Looks like you are missing the closing " in your message.
> 
> ------------------------------
> On Mon, Oct 7, 2013 7:57 PM MDT Kodiak80 wrote:
> 
>> I recently installed snort on my pfSense install to try and start learning a bit about it.  I followed the guide in this forum for basic initial setup and added the Snort VRT rules, using the 'connectivity' IPS policy.  However, I wanted to try my hand at writing my own custom rules to understand how snort works.  I added the below to the custom.rules in the pfSense GUI:
>> 
>> alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)
>> 
>> The WAN interface comes up no problem with this rule, but as soon as I try to exercise it by browsing to www.mtbr.com the interface quits (red x next to WAN interface in snort interface list).  I get the following in my system logs:
>> 
>> Oct 5 15:51:55	kernel: em0: promiscuous mode disabled
>> Oct 5 15:51:55	kernel: pid 75200 (snort), uid 0: exited on signal 11
>> Oct 5 15:51:37	kernel: em0: promiscuous mode enabled
>> Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
>> Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
>> Oct 5 15:51:36	php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
>> Oct 5 15:51:32	php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
>> Oct 5 15:51:32	php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(WAN)...
>> 
>> I've tried a couple different rules with traffic I can easily generate to test, but this is the same result each time.  I assume this must be a formatting issue with my rule or the use of custom rules all together.  Any help would be appreciated.  I haven't received anything back from the pfSense forum as of yet, so I'm hoping someone here can lend a hand.
>> 
>> pfSense 2.1-release
>> snort 2.9.4.6 pkg v. 2.6.0
> 
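The thread ends with a rule that crashed the sensor (signal 11) until a classtype was added, and a reply that suspected an unbalanced quote. Either way, the safest habit is to lint custom rules before loading them, because a rule that makes Snort exit is only diagnosed by the kernel log. The following checker is an added example written for this page, not code from Snort or pfSense: it splits a rule into header and options, honouring semicolons inside double-quoted values, and reports unterminated quotes, missing msg/sid, and a missing classtype. Treating classtype as required is an assumption taken from what fixed the poster's rule; the thread does not establish whether Snort in general requires it. The sample rules are constructed from the one posted above.

```python
import re

# Constructed samples: the first is the rule from the thread, the second adds
# the classtype that resolved the poster's issue, the third drops a closing
# quote to show what the reply above suspected.
ORIGINAL_RULE = ('alert tcp any any -> 64.14.253.214 80 '
                 '(msg: "Web Traffic mtbr.com"; sid: 10001;)')
FIXED_RULE = ('alert tcp any any -> 64.14.253.214 80 '
              '(msg: "Web Traffic mtbr.com"; classtype: inappropriate-content; sid: 10001;)')
UNBALANCED_RULE = ('alert tcp any any -> 64.14.253.214 80 '
                   '(msg: "Web Traffic mtbr.com; sid: 10001;)')

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

HEADER_RE = re.compile(
    r'^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$',
    re.S)


def split_options(body):
    """Split the text between the parentheses into (key, value) pairs.

    A ';' inside a double-quoted value does not end an option, and a
    backslash escapes the next character, as in Snort's msg/content values.
    Raises ValueError when a quote is left open or the last option lacks ';'.
    """
    options, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if in_quote:
        raise ValueError("unterminated double quote in rule options")
    tail = "".join(buf).strip()
    if tail:
        raise ValueError("option %r is not terminated by ';'" % tail)
    pairs = []
    for opt in options:
        if not opt:
            continue
        key, _, value = opt.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passed."""
    problems = []
    m = HEADER_RE.match(rule)
    if not m:
        return ["header does not match 'action proto src sport -> dst dport (...)'"]
    if m.group(1) not in ACTIONS:
        problems.append("unknown action %r" % m.group(1))
    try:
        opts = split_options(m.group(8))
    except ValueError as exc:
        return problems + [str(exc)]
    values = dict(opts)
    for required in ("msg", "sid"):
        if required not in values:
            problems.append("missing required option %r" % required)
    # Assumption (from the thread's fix, not a documented Snort rule): warn
    # when classtype is absent, since that was the difference for the poster.
    if "classtype" not in values:
        problems.append("missing 'classtype' option")
    msg = values.get("msg", "")
    if msg and not (len(msg) >= 2 and msg[0] == '"' and msg[-1] == '"'):
        problems.append("msg value must be enclosed in double quotes")
    sid = values.get("sid", "")
    if sid and not sid.isdigit():
        problems.append("sid must be numeric")
    return problems


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE),
                       ("fixed", FIXED_RULE),
                       ("unbalanced", UNBALANCED_RULE)):
        print(name, "->", lint_rule(rule) or "OK")
```

Run it over a custom.rules file one line at a time before restarting the interface; a rule that fails here would otherwise only show up as the interface dropping with a red X.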




