Quick fix for pfSense/Snort enable/disable rules bug

Jack-Benny Persson

Originally posted in the pfSense forum on 2012-04-17

Revision history
Revision  Date        Description                                         By
Rev. 2    2012-05-08  Removed [rm *-e] and replaced it with [sed -i ""]   jackbenny
Rev. 1    2012-05-01  First release of this document                      jackbenny

I started using the Snort package for pfSense 2.0.1 (amd64) some days ago and, like many others, I noticed the problem with the enabled/disabled rules being reset after a rule update.
So last night I started working on a quick fix for it, and came up with a working solution. My solution enables and disables specific rules through an oinkmaster.conf file, so it's not a GUI solution. But at least it is now possible to keep your own set of enabled/disabled rules across updates.
Anyway, here we go. I'll take it step by step.

First of all, you'll need to install wget (so that oinkmaster.pl will work). For pfSense 2.0.1 amd64 use the following commands (change the URL according to your platform and version).

fetch http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.2-release/ftp/wget-1.12_2.tbz

pkg_add wget-1.12_2.tbz



The next step is to create an /etc/oinkmaster.conf file. Mine looks like this. Change the Snort URL to include your own oinkcode, and change the snapshot version to the one matching your registration (basic user or subscriber; see the list on snort.org). For example, use snapshot-2905 if you don't have a paid subscription.
Note: Change the enabled/disabled rules at the bottom; the SIDs below are just my own example, so tweak them to your needs.

############################# 
# Location of rules archive #
#############################

url = http://www.snort.org/pub-bin/oinkmaster.cgi/YOURCODEHERE/snortrules-snapshot-2922.tar.gz

########################
# System configuration #
########################
path = /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
use_external_bins = 1
tmpdir = /tmp
umask = 0027

#######################
# Extra configuration #
#######################
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$

# Sanity check
use_path_checks = 1

##################
# Rules handling #
##################

# Files to skip
skipfile local.rules
skipfile deleted.rules
skipfile snort.conf
# skipfile threshold.conf

# SIDs to enable
enablesid 19559, 20120

# SIDs to disable
disablesid 19110, 19139, 19140, 19138, 19155, 19137, 19157, 19168, 19209, 19826




The last step is to create a small shell script which handles the update and copying of the rules. Every time the script is run it downloads a new set of rules, enables/disables the rules you've chosen in oinkmaster.conf, and copies the files to /usr/local/etc/snort/rules and /usr/local/etc/snort/snort_YOURNIC/rules.
Note: You need to change the SNORT_NIC variable to match your own Snort interface!

#!/bin/sh
#################################################
# Solution to pfSense/Snort rule disable/enable #
# Written by Jack-Benny                         #
#################################################

# Define your Snort interface
SNORT_NIC="47399_em0"

# Check if tmp dir exists, and if not, create it
if [ ! -d "/tmp/snort_rules" ]; then
/bin/mkdir /tmp/snort_rules
fi

# Time to download our new snort rules
/usr/local/bin/oinkmaster.pl -o /tmp/snort_rules

# Let's begin with adding the snort_ prefix to our rules
# (abort if the directory can't be entered, so we never rename files elsewhere)
cd /tmp/snort_rules || exit 1
for f in *
do /bin/mv "$f" "snort_$f"
done

# We must add a whitespace after every "#" to make it compatible
/usr/bin/sed -i "" -e 's/^\#alert/\# alert/g' snort_*

# Now move them all to the correct locations
/bin/mv /tmp/snort_rules/snort_* /usr/local/etc/snort/rules/
/bin/cp /usr/local/etc/snort/rules/snort_* \
/usr/local/etc/snort/snort_${SNORT_NIC}/rules/

# And finally, restart Snort
/usr/local/etc/rc.d/snort.sh start

echo "Your new rules have been downloaded and Snort has been restarted"



If you'd like automatic updates, just put the shell script in your crontab and let it run every 12 hours or so. Here is an example of my crontab.
Don't forget to turn off automatic rule updates in the WebGUI, or the package will overwrite your rules again.

0 */12 * * * /root/update_rules.sh > /root/last_rule_update.log 2>&1
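After an update it is worth checking that the SIDs listed under enablesid/disablesid in oinkmaster.conf really ended up in the intended state in the rules directory. The script below is an added example for that check, not part of the original post or the Snort package: it parses the enablesid/disablesid lines, looks each SID up in the rules files, and reports the mismatches; the demo function uses a constructed oinkmaster.conf and constructed rule lines, not real Snort rules.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every SID listed
# under enablesid/disablesid in oinkmaster.conf is in the wanted state.

# check_sids CONF RULESDIR
# Prints one line per listed SID: "<sid> <wanted> <actual>",
# where actual is enabled, disabled or missing.
check_sids() {
    conf="$1"; rulesdir="$2"
    awk '/^[ \t]*(enablesid|disablesid)[ \t]/ {
            want = ($1 == "enablesid") ? "enabled" : "disabled"
            for (i = 2; i <= NF; i++) { s = $i; gsub(/,/, "", s); if (s != "") print s, want }
        }' "$conf" |
    while read -r sid want; do
        # First rule line carrying exactly this sid in any rules file
        line=$(grep -h "sid:[[:space:]]*${sid};" "$rulesdir"/*.rules 2>/dev/null | head -n 1)
        if [ -z "$line" ]; then actual="missing"
        elif printf '%s\n' "$line" | grep -q '^[[:space:]]*#'; then actual="disabled"
        else actual="enabled"
        fi
        printf '%s %s %s\n' "$sid" "$want" "$actual"
    done
}

# count_mismatches CONF RULESDIR: prints the number of SIDs not in the wanted state
count_mismatches() {
    check_sids "$1" "$2" | awk '$2 != $3 { n++ } END { print n + 0 }'
}

# Demo on constructed input (assumption: these are not real Snort rules).
# 20120 should be enabled but is commented out, 19139 should be disabled but
# is active, so two mismatches are expected.
demo_mismatches() {
    d=$(mktemp -d)
    printf 'enablesid 19559, 20120\ndisablesid 19110, 19139\n' > "$d/oinkmaster.conf"
    mkdir "$d/rules"
    cat > "$d/rules/snort_sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:19559; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed rule B"; sid:20120; rev:1;)
# alert tcp any any -> any 443 (msg:"constructed rule C"; sid:19110; rev:2;)
alert udp any any -> any 53 (msg:"constructed rule D"; sid:19139; rev:1;)
EOF
    count_mismatches "$d/oinkmaster.conf" "$d/rules"
    rm -rf "$d"
}

demo_mismatches
```

Run it against the real files with `check_sids /etc/oinkmaster.conf /usr/local/etc/snort/snort_${SNORT_NIC}/rules` after the update script has finished; any line whose second and third columns differ is a rule that did not end up in the state you configured.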



I hope this could be useful to someone out there!

Cheers and have a nice day!
And thanks to all the pfSense developers and to the Snort package maintainer! I really like the Snort package, so keep up the good work!