Snort mailing list archives
Re: custom rule does not seem to work
From: "Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 3 Mar 2022 23:10:18 +0000
Hello,

Are you getting alerts with the current rule?

To test if you have a Snort or pfSense issue, you can try to block the traffic with open-source Snort to make sure it's working. To do that, capture some of the traffic in a pcap, then replay it back into Snort and tweak the rule till you get it right. Then take that rule back to pfSense for testing.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

On 3/3/22, 4:47 PM, "Snort-sigs on behalf of ZOTTO Pascal" <snort-sigs-bounces () lists snort org on behalf of imap () translating-it com> wrote:

> Hi,
>
> I hope this is the correct way to ask questions, as I can't see any forum-like structure to post anything.
>
> I'm quite new to Snort and got stuck with writing custom rules. I use Snort on my pfSense firewall combined with pfBlockerNG. I want to block every attempt to reach .php pages on my server and have this rule, but it does not seem to catch any user looking for php pages on my site. All requests go through and are found in the log files of the server, but none in the log files of pfSense.
>
>     reject tcp $EXTERNAL_NET any -> any [80,8080,443] (content:"php"; http_uri; nocase; fast_pattern:only; sid:1000001; msg:"Schwachstellen php";)
>
> I added the rule under Snort Interfaces > My Interface > WAN Rules (Category custom.rules) AND saved the list. Did I miss something?
>
> Another strange thing is that every time I save that list my interface gets stopped and I need to restart it manually. Is that normal behaviour?
>
> --
> Best regards,
> Pascal ZOTTO (Proprietor)
> Translating-IT
> Homepage: https://www.translating-it.eu
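Al's capture, replay and tweak loop, scripted for the Snort 2.9 command line, as an added example that is not part of the thread or of the Snort project. The rule written to the file is Pascal's, verbatim; the file paths, interface name, packet count, and the assumption that snort.conf already includes the rules file are mine.

```sh
#!/bin/sh
# Added example (not from the thread or the Snort project): Al's loop of
# capture -> replay -> tweak, scripted for Snort 2.9. Assumptions: paths,
# interface name, packet count, and that $SNORT_CONF 'include's $RULES_FILE.

RULES_FILE="${RULES_FILE:-/tmp/custom-test.rules}"
PCAP_FILE="${PCAP_FILE:-/tmp/php-test.pcap}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Write the rule under test (Pascal's, verbatim) to its own file so it can be
# edited and reloaded without touching the pfSense-managed rule sets.
write_rules() {  # $1 = rules file
    cat > "$1" <<'EOF'
reject tcp $EXTERNAL_NET any -> any [80,8080,443] (content:"php"; http_uri; nocase; fast_pattern:only; sid:1000001; msg:"Schwachstellen php";)
EOF
}

# List every sid in the rules file, so the replay check below covers whatever
# rules are being tweaked, not only sid 1000001.
list_rule_sids() {  # $1 = rules file
    sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$1"
}

# Capture a bounded number of web-port packets to replay later. On 443 the
# request sits inside TLS, so http_uri can only ever match on 80/8080.
capture_pcap() {  # $1 = interface, $2 = pcap file, $3 = packet count
    tcpdump -i "$1" -w "$2" -c "$3" 'tcp port 80 or tcp port 8080 or tcp port 443'
}

# Replay the pcap and report which sids alerted. --treat-drop-as-alert turns
# the reject rule into an alert while Snort reads a pcap (not inline), so the
# match can be confirmed before worrying about blocking on pfSense. Add
# '-k none' if checksum offload left the capture with bad checksums.
replay_pcap() {  # $1 = pcap file, $2 = rules file
    out=$(snort -q -c "$SNORT_CONF" -r "$1" -A console --treat-drop-as-alert)
    for sid in $(list_rule_sids "$2"); do
        if printf '%s\n' "$out" | grep -qF "[1:$sid:"; then
            echo "sid $sid fired"
        else
            echo "sid $sid did not fire"
        fi
    done
}

# Typical run (tcpdump needs root; use your own interface name):
#   write_rules "$RULES_FILE"; capture_pcap eth0 "$PCAP_FILE" 200
#   replay_pcap "$PCAP_FILE" "$RULES_FILE"
```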