Snort mailing list archives

Beginner Rule Problem


From: Kodiak80 <kodiak80 () gmail com>
Date: Mon, 7 Oct 2013 19:57:02 -0600

I recently installed snort on my pfSense install to try and start learning a bit about it.  I followed the guide in 
this forum for basic initial setup and added the Snort VRT rules, using the 'connectivity' IPS policy.  However, I 
wanted to try my hand at writing my own custom rules to understand how snort works.  I added the below to the 
custom.rules in the pfSense GUI:

alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)

The WAN interface comes up no problem with this rule, but as soon as I try to exercise it by browsing to www.mtbr.com 
the interface quits (red x next to WAN interface in snort interface list).  I get the following in my system logs:

Oct 5 15:51:55  kernel: em0: promiscuous mode disabled
Oct 5 15:51:55  kernel: pid 75200 (snort), uid 0: exited on signal 11
Oct 5 15:51:37  kernel: em0: promiscuous mode enabled
Oct 5 15:51:36  php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
Oct 5 15:51:36  php: /snort/snort_interfaces.php: [Snort] Building new sig-msg.map file for WAN...
Oct 5 15:51:36  php: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
Oct 5 15:51:32  php: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
Oct 5 15:51:32  php: /snort/snort_interfaces.php: Toggle (snort starting) for WAN(WAN)...

I've tried a couple different rules with traffic I can easily generate to test, but this is the same result each time.  
I assume this must be a formatting issue with my rule or the use of custom rules altogether.  Any help would be 
appreciated.  I haven't received anything back from the pfSense forum as of yet, so I'm hoping someone here can lend a 
hand.

pfSense 2.1-release
snort 2.9.4.6 pkg v. 2.6.0
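As an added example (not part of the original post or the pfSense package), a small Python checker for the Snort 2 rule grammar used above: it parses the header and option list, and flags the omissions a reviewer would point out in a local rule, such as a missing `rev` or a `sid` in the range the Snort documentation reserves for distributed rules. The rule strings are constructed copies of the one in the post plus a corrected variant.

```python
import re

# Constructed inputs: the rule from the post and a variant written as a local rule.
ORIGINAL_RULE = 'alert tcp any any -> 64.14.253.214 80 (msg: "Web Traffic mtbr.com"; sid: 10001;)'
LOCAL_RULE = 'alert tcp any any -> 64.14.253.214 80 (msg:"Web Traffic mtbr.com"; sid:1000001; rev:1;)'

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Snort 2 header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def split_options(body):
    """Split the option body on ';' separators that are not inside double quotes."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if cur.strip():
                opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts

def check_rule(rule):
    """Return a list of problems found in one Snort 2 rule (empty list if none)."""
    problems = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header does not match 'action proto src sport dir dst dport (options)'"]
    if m["action"] not in ACTIONS:
        problems.append(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol {m['proto']!r}")
    keys = {}
    for opt in split_options(m["opts"]):
        name, _, value = opt.partition(":")
        keys[name.strip()] = value.strip()
    if "msg" not in keys:
        problems.append("missing msg")
    if "sid" not in keys:
        problems.append("missing sid")
    elif not keys["sid"].isdigit():
        problems.append("sid must be numeric")
    elif int(keys["sid"]) < 1000000:
        # Snort docs reserve 100-999,999 for distributed rules; local rules use >= 1,000,000.
        problems.append("sid below 1000000 lies in the range reserved for distributed rules")
    if "rev" not in keys:
        problems.append("missing rev (recommended for local rules)")
    return problems
```

The original rule parses cleanly, so a syntax error in the header or option list is not what this check finds; it only reports the low `sid` and the missing `rev`.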
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org