Snort mailing list archives

Re: Beginner Rule Problem


From: Kodiak80 <kodiak80 () gmail com>
Date: Thu, 10 Oct 2013 12:08:19 -0600

I finally got my issue resolved with help over on the pfSense forums.  In case anyone else runs into a similar problem, 
I was missing a classification in my rule.  Once I added a 'classtype: inappropriate-content', the rule worked as 
expected.  Not sure if that is a general Snort requirement, or unique to the pfSense Snort install.  Thanks to those 
offering help.

On Oct 7, 2013, at 8:05 PM, Keith D. <keith2781 () yahoo com> wrote:


Looks like you are missing the closing " in your message.




------------------------------
On Mon, Oct 7, 2013 7:57 PM MDT Kodiak80 wrote:

I recently installed snort on my pfSense install to try and start learning a bit about it.  I followed the guide in 
this forum for basic initial setup and added the Snort VRT rules, using the 'connectivity' IPS policy.  However, I 
wanted to try my hand at writing my own custom rules to understand how snort works.  I added the below to the 
custom.rules in the pfSense GUI:

alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)

The WAN interface comes up no problem with this rule, but as soon as I try to exercise it by browsing to 
www.mtbr.com the interface quits (red x next to WAN interface in snort interface list).  I get the following in my 
system logs:

Oct 5 15:51:55       kernel: em0: promiscuous mode disabled
Oct 5 15:51:55       kernel: pid 75200 (snort), uid 0: exited on signal 11
Oct 5 15:51:37       kernel: em0: promiscuous mode enabled
Oct 5 15:51:36       php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
Oct 5 15:51:36       php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
Oct 5 15:51:36       php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Oct 5 15:51:32       php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Oct 5 15:51:32       php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(WAN)...

I've tried a couple different rules with traffic I can easily generate to test, but this is the same result each 
time.  I assume this must be a formatting issue with my rule or the use of custom rules all together.  Any help 
would be appreciated.  I haven't received anything back from the pfSense forum as of yet, so I'm hoping someone here 
can lend a hand.

pfSense 2.1-release
snort 2.9.4.6 pkg v. 2.6.0
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
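The thread turns on two possible defects in one rule: an unterminated msg string (the first guess) and a missing classtype option (the actual cause on pfSense). The following pre-flight checker is an added example, not code from the thread or from the Snort or pfSense projects; it parses a rule's header and option block, splits options on ';' only outside double quotes, and treats msg, sid and classtype as required, which is an assumption drawn from the poster's findings rather than a documented Snort rule. The sample rules and the rev value are constructed for the example.

```python
import re

# Constructed samples: the rule as posted in the thread, and the same rule with
# the 'classtype' option the poster found was required (rev added here).
RULE_AS_POSTED = 'alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)'
RULE_FIXED = ('alert tcp any any -> 64.14.253.214 80 '
              '(msg: "Web Traffic mtbr.com"; classtype: inappropriate-content; sid: 10001; rev: 1;)')

# action proto src sport dir dst dport (options)  -- bracketed lists with spaces are not handled
HEADER_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def split_options(body):
    """Split the option block on ';' outside double quotes; return a list of (key, value)."""
    opts, cur, in_q = [], '', False
    for ch in body:
        if ch == '"':
            in_q = not in_q          # track whether we are inside a quoted value
        if ch == ';' and not in_q:
            opts.append(cur.strip())
            cur = ''
        else:
            cur += ch
    if in_q:
        raise ValueError('unterminated double quote in option block')
    if cur.strip():
        raise ValueError('option %r is missing its terminating ";"' % cur.strip())
    pairs = []
    for o in opts:
        key, _, val = o.partition(':')   # options are 'key: value' or bare 'key'
        pairs.append((key.strip(), val.strip()))
    return pairs


def lint_rule(rule, required=('msg', 'sid', 'classtype')):
    """Return a list of problems found; an empty list means the rule passes the checks."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ['header does not match "action proto src sport dir dst dport (options)"']
    try:
        pairs = split_options(m.group(8))
    except ValueError as e:
        return [str(e)]
    keys = {k for k, _ in pairs}
    problems = ['missing required option %r' % k for k in required if k not in keys]
    sid = dict(pairs).get('sid', '')
    if sid and not sid.isdigit():
        problems.append('sid must be numeric, got %r' % sid)
    return problems
```

A checker like this only catches shape errors; Snort's own configuration test mode (`snort -T` with the usual `-c` config) remains the authoritative way to validate a rule set before putting it on an interface.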