The pfSense Store

Author Topic: Snort: Using custom rules & OVPNS interfaces?  (Read 742 times)

0 Members and 1 Guest are viewing this topic.

Offline codemarauder

  • Jr. Member
  • **
  • Posts: 35
  • Karma: +0/-0
    • View Profile
Snort: Using custom rules & OVPNS interfaces?
« on: February 10, 2012, 06:15:43 am »
Hi,

I have been using Snort for quite a while now and have seen behaviour changes with package updates.

Earlier on Snort 2.9 pkg 2.0, I could create a custom rules file and copy into the interface's rules directory. The interface's rules directory used to exist even snort was stopped for that interface. I needed to copy the custom rules file again only after updating the rules from the GUI.

But with latest Snort 2.9.1 pkg 2.1.1, the rules directory is removed when I stop the snort on that interface and is recreated. So, it makes it impossible to create custom rules. I even tried disabling and enabling certain rules on vanilla emergine-policy.rules which were not retained after snort restart.

Is there a better way of creating and maintaining custom snort rules in a better way so that they are preserved over the restarts?

Another question is whether is it possible to run Snort on OVPNS interfaces? I had tried hacking the PHP code for snort_interfaces_edit.php file, adding ovpns1 statically and by-passing the function call get_configured_interfaces_with_descr(). This was not an elegant way of doing things, but I managed to run Snort on ovpns1 until the package upgrade.

I have a hub-spoke model where spokes' traffic goes through hub and I would like to monitor corporate policy violations and trojan/malware activities originating from spokes. It is not possible for me to run Snort on all of the 56 pfSense spokes as it will be difficult to manage them and moreover they are running on embedded devices with low resources.

Thanks in advance for the pointers.

Offline ermal

  • Administrator
  • Hero Member
  • *****
  • Posts: 3365
  • Karma: +3/-0
    • View Profile
Re: Snort: Using custom rules & OVPNS interfaces?
« Reply #1 on: February 10, 2012, 01:55:45 pm »
Make your life easy and assign the OVPNS interface! STOP doing hacks.

The custom rules is still a TODO!

Offline Cino

  • Hero Member
  • *****
  • Posts: 1051
  • Karma: +0/-0
    • View Profile
Re: Snort: Using custom rules & OVPNS interfaces?
« Reply #2 on: February 10, 2012, 02:23:29 pm »
Make your life easy and assign the OVPNS interface! STOP doing hacks.

I also recommend creating the OVPNS interfaces. You will be able to do more with them: different fw rules per interface, traffic shaping to name a couple. Yeah, Traffic status/RRD Reports will have doubles but its easy to live with.

Offline codemarauder

  • Jr. Member
  • **
  • Posts: 35
  • Karma: +0/-0
    • View Profile
Re: Snort: Using custom rules & OVPNS interfaces?
« Reply #3 on: February 10, 2012, 10:45:33 pm »
Thanks ermal and Cino for the pointers.

I will assign VPN interfaces from now on and wait for customs rule functionality to be completed. Count me in for volunteering to test the modified snort package as and when updated.