It is possible to create your own rules for Snort. I took an existing rule for blocking IPs from emerging-compromised.rules and adapted it.
1. Add a new rule file under /etc/snort/rules.
2. Set the file permissions.
3. Edit the rule, for example to match TCP and UDP traffic from the external to the internal network.
   3.1. With the following content:
        alert udp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000002; rev:3488;)
   3.2. Hint: the classtype used here (my-own) is not one of the standard Snort classifications, so it has to be defined in classification.config as shown in the next step.
4. Edit classification.config under /etc/snort/rules and add:
        config classification: my-own, My Own, 2
5. Edit sid-msg.map under /etc/snort/rules and add:
        1000001 || My Own Rule block IP TCP
        1000002 || My Own Rule block IP UDP
6. Restart Snort and wait until it has finished.
7. In the WUI under Services -> Intrusion Detection System you can now activate your own rule together with the attached ruleset.
Now the IP is blocked when you try to open an example website at the example IP 123.456.789.123.
The matching entries can be found under IDS Logfiles, for example:
    Date: 01/22 07:36:20 Name: My own Block
    Prio: 2 Typ: My Own
    IP-Info: 123.456.789.123:80 -> 192.168.xyz.xyz:52399
    Reference: non SID: 1000001
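The three files edited above have to agree with each other: every classtype used in a rule must exist in classification.config, and every sid should have an entry in sid-msg.map so the log shows a readable name. The following script is an added example (not part of this wiki page or of IPFire) that checks a rule file against both configuration files before Snort is restarted; the sample rules, classification and sid-msg.map contents are constructed inline to mirror the steps above, including one deliberately broken rule.

```python
import re

# Constructed sample inputs mirroring the files from the steps above.
# The third rule is deliberately broken: low sid, no sid-msg.map entry,
# and a classtype that is not defined in classification.config.
RULES = """
alert tcp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; classtype:my-own; sid:1000001; rev:1;)
alert udp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000002; rev:3488;)
alert tcp any any -> $HOME_NET 22 (msg:"Unmapped"; classtype:bogus-class; sid:42; rev:1;)
"""
CLASSIFICATION = "config classification: my-own, My Own, 2\n"
SID_MSG_MAP = "1000001 || My Own Rule block IP TCP\n1000002 || My Own Rule block IP UDP\n"

LOCAL_SID_MIN = 1000000  # Snort reserves sids below 1,000,000 for official rules


def parse_classifications(text):
    """Return the set of classtype names defined in a classification.config."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"\s*config classification:\s*([^,]+),", line)
        if m:
            names.add(m.group(1).strip())
    return names


def parse_sid_map(text):
    """Return {sid: message} from a sid-msg.map ('sid || message' per line)."""
    sids = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            sids[int(parts[0])] = parts[1]
    return sids


def check_rules(rules, classification, sid_map):
    """Return a list of (sid, problem) tuples; an empty list means all rules are consistent."""
    classes = parse_classifications(classification)
    sids = parse_sid_map(sid_map)
    problems = []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = re.search(r"\bsid:\s*(\d+)\s*;", line)
        class_match = re.search(r"\bclasstype:\s*([^;]+);", line)
        if not sid_match:
            problems.append(("?", "rule has no sid"))
            continue
        sid = int(sid_match.group(1))
        if sid < LOCAL_SID_MIN:
            problems.append((sid, "sid below local range %d" % LOCAL_SID_MIN))
        if sid not in sids:
            problems.append((sid, "sid not in sid-msg.map"))
        if class_match and class_match.group(1).strip() not in classes:
            problems.append((sid, "unknown classtype " + class_match.group(1).strip()))
    return problems
```

Running `check_rules(RULES, CLASSIFICATION, SID_MSG_MAP)` reports only the third rule; on a real IPFire box read the three files from /etc/snort/rules instead of the constructed strings.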
Related pages:
- General Snort configuration
- Configuring the Guardian add-on
- VRT updates for rulesets, sorted by date and version
- A little handbook on Snort rules and signatures
Last revised: February 5, 2015 at 7:38 am