I have been using Snort for quite a while now and have seen behaviour changes with package updates.
Earlier, on Snort 2.9 pkg 2.0, I could create a custom rules file and copy it into the interface's rules directory. The interface's rules directory used to exist even when Snort was stopped for that interface. I needed to copy the custom rules file again only after updating the rules from the GUI.
But with the latest Snort 2.9.1 pkg 2.1.1, the rules directory is removed when I stop Snort on that interface and is recreated. So it is impossible to create custom rules. I even tried disabling and enabling certain rules in the vanilla emerging-policy.rules, which were not retained after a Snort restart.
Is there a better way of creating and maintaining custom Snort rules so that they are preserved across restarts?
Another question is whether it is possible to run Snort on OVPNS interfaces. I had tried hacking the PHP code in the snort_interfaces_edit.php file, adding ovpns1 statically and bypassing the function call get_configured_interfaces_with_descr(). This was not an elegant way of doing things, but I managed to run Snort on ovpns1 until the package upgrade.
I have a hub-spoke model where the spokes' traffic goes through the hub, and I would like to monitor corporate policy violations and trojan/malware activity originating from the spokes. It is not possible for me to run Snort on all of the 56 pfSense spokes, as it will be difficult to manage them, and moreover they are running on embedded devices with low resources.
Thanks in advance for the pointers.