
This is an old revision of the document!


PFSense - Suricata - Custom Rules

WARNING: Every custom rule must have a unique SID!

Make sure you pick a starting SID number that does not conflict with any existing SIDs from other enabled rules.

Custom SIDs usually start from 1000000.


To create custom passlist rules go to the RULES tab for the interface, choose CUSTOM RULES in the Category drop-down and then type in the rules you need.

Services > Suricata > Interfaces > INTERFACE > INTERFACE Rules > custom.rules

There are plenty of examples on the web.

You can add restrictions by protocol, port and source or destination IP address.

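WARNING: Think carefully about exactly what traffic a rule allows before you create it. A pass rule stops Suricata from inspecting the matching traffic, so keep the match as narrow as possible.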

# The msg text and sid on the next rule are placeholders; choose your own unique SID.
alert tcp [$EXTERNAL_NET,!8.8.8.8] any -> $HOME_NET [80,443] (msg:"External traffic to HOME_NET web ports"; sid:1000002; rev:1;)

alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1; classtype:icmp-event;)

pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1000000;)

pass ip 192.168.1.22/32 80 <> any any (msg:"Pass List Entry - allow all traffic to/from 192.168.1.22/32"; sid:1000006;)
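A small linter for the constraints stated on this page (unique SIDs, custom SIDs starting at 1000000) plus two syntax checks, given as an added example that is not part of the original wiki page. The name `lint_rules`, the finding codes and the sample rules are made up for illustration, and the header parser assumes there are no spaces inside address or port groups.

```python
import re
from collections import Counter

LOCAL_SID_MIN = 1000000  # where this page says custom SIDs usually start

# action proto src sport direction dst dport [options]
# Assumption: no spaces inside address or port groups such as [80,443].
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>.*)$')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def lint_rules(text, existing_sids=()):
    """Return (line_number, finding_code) tuples; existing_sids are SIDs already in use."""
    findings = []
    seen = Counter(existing_sids)
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER.match(line)
        if not m:
            findings.append((n, 'bad-header'))
            continue
        if m['dir'] not in ('->', '<>'):  # Suricata has no '<-' operator
            findings.append((n, 'bad-direction'))
        opts = m['opts']
        if not (opts.startswith('(') and opts.endswith(';)')):
            findings.append((n, 'unterminated-options'))
        sid = SID.search(opts)
        if not sid:
            findings.append((n, 'missing-sid'))
            continue
        value = int(sid.group(1))
        if value < LOCAL_SID_MIN:
            findings.append((n, 'sid-below-local-range'))
        seen[value] += 1
        if seen[value] > 1:
            findings.append((n, 'duplicate-sid'))
    return findings

# Constructed sample rules (documentation addresses), with deliberate defects.
SAMPLE = '''\
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)
pass ip 192.0.2.10 any <> any any (msg:"pass list entry"; sid:100000;)
pass ip 192.0.2.22/32 any <- any any (msg:"bad direction"; sid:1000001;
'''
```

Pass the SIDs of the other enabled rule sets as `existing_sids` to catch conflicts with rules outside custom.rules.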


pfsense/suricata/custom_rules.1583102193.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
