Snort mailing list archives

Re: custom rule does not seem to work


From: "Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 3 Mar 2022 23:10:18 +0000

Hello,

Are you getting alerts with the current rule?

To test if you have a Snort or pfSense issue you can try to block the traffic with open-source Snort to make sure it's working.

To do that: capture some of the traffic in a pcap, then replay it back into Snort and tweak the rule till you get it right.

Then take that rule back to pfSense for testing.




Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

On 3/3/22, 4:47 PM, "Snort-sigs on behalf of ZOTTO Pascal" <snort-sigs-bounces () lists snort org on behalf of imap () translating-it com> wrote:

    Hi,
    
    I hope this is the correct way to ask questions, as I can't see any forum-like structure to post anything.
    
    I'm quite new to Snort and got stuck with writing custom rules. I use Snort on my pfSense firewall combined with pfBlockerNG. I want to block every attempt to reach .php pages on my server and have this rule, but it does not seem to catch any user looking for php pages on my site. All requests go through and are found in the log files of the server, but none in the log files of pfSense.
    
    reject tcp $EXTERNAL_NET any -> any [80,8080,443] (content:"php"; http_uri; nocase; fast_pattern:only; sid:1000001; msg:"Schwachstellen php";)
    
    I added the rule under Snort Interfaces > My Interface > WAN Rules (Category custom.rules) AND saved the list.
    
    Did I miss something?
    
    Another strange thing is that every time I save that list my interface gets stopped and I need to restart it manually. Is that normal behaviour?
    
    
    -- 
    
    Best regards,
    
    
    Pascal ZOTTO
    (Proprietor)
    
    
    Translating-IT
    Hackhofergasse 5/Tor1/Top 11B/Büro 3
    A-1190 WIEN
    
    Homepage: https://www.translating-it.eu
    E-Mail: imap () translating-it com
    Tel: +43 (0)1 9972 723
    Mobil: +43 (0)699 1763 6317
    Fax: +43 (0)1 2533 0338 238
    VoIP Skype: pet-needs
    Proz: https://www.proz.com/translator/1064899
    LinkedIn: https://www.linkedin.com/in/pascal-zotto-082a2230/
    
    
    

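The replay procedure Al describes above, as an added shell example that is not from the thread: it writes Pascal's rule plus a minimal Snort 2.9 config to disk and wraps the replay and blocking runs in functions. It assumes `snort` is on PATH, that Snort's bundled unicode.map sits next to the generated config, and placeholder file names; the `http_uri` modifier only matches on requests that the http_inspect preprocessor has normalized, which is why the config enables it.

```shell
#!/bin/sh
# Added example, not from the thread: stage the pfSense rule for a replay test
# against open-source Snort 2.9. Assumes `snort` is on PATH and that unicode.map
# (shipped with Snort) sits next to the generated config; paths are placeholders.
set -eu

# The rule from the original post on a single line (Snort reads one rule per
# line). rev:1 is added so later tweaks can be tracked; nothing else changes.
CUSTOM_RULE='reject tcp $EXTERNAL_NET any -> any [80,8080,443] (content:"php"; http_uri; nocase; fast_pattern:only; sid:1000001; rev:1; msg:"Schwachstellen php";)'

# write_test_conf CONF RULES: write the rule to RULES and a minimal snort.conf
# to CONF. http_uri matches only on requests normalized by http_inspect, so a
# config that lacks the preprocessor makes the rule silently never fire.
# Port 443 carries TLS, so the URI is not visible there unless it is decrypted
# upstream; it is kept only to mirror the posted rule.
write_test_conf() {
    conf="$1"
    rules="$2"
    printf '%s\n' "$CUSTOM_RULE" > "$rules"
    cat > "$conf" <<EOF
var HOME_NET any
var EXTERNAL_NET any
portvar HTTP_PORTS [80,8080,443]
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, ports both 80 8080 443
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 443 }
include $rules
EOF
}

# replay CONF PCAP: read the capture through Snort. --treat-drop-as-alert makes
# the reject rule print an alert instead of requiring inline mode, and -k none
# skips checksum verification, which replayed captures often fail.
replay() {
    snort -q -c "$1" -r "$2" -k none -A console --treat-drop-as-alert
}

# block_test CONF PCAP OUT: same capture in inline mode with the dump DAQ; packets
# the reject rule blocks are absent from OUT, which shows the block itself works.
block_test() {
    snort -q -Q -c "$1" -r "$2" -k none --daq dump --daq-var file="$3"
}

# Usage: sh replay_test.sh wan-capture.pcap
if [ "$#" -ge 1 ]; then
    write_test_conf ./snort-test.conf ./custom.rules
    replay ./snort-test.conf "$1"
fi
```

Once the rule alerts on the replayed capture, the same rule text can be pasted back into the pfSense custom.rules category.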
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
