How can add custom download rules from Spamhaus for IDS/IPS?

[nzkiwi68]

I've been a long time fan of Spamhaus and they offer a high quality Botnet block list in Snort format.

I've converted to OPNsense and I am loving it, very cool.

*** How can I add the Spamhaus Snort BCL list to OPNsense?

I can't see anyway to add my own custom rule set to be downloaded.

References;
https://www.spamhaus.org/bcl/
https://www.spamhaustech.com/

First 2 lines snip from the download URL;

Code Select Expand

################################################################
# Spamhaus Botnet Controller List (BCL) (2006202330)           #
# Last updated: 2020-06-20T23:30:02Z                           #
#                                                              #
# For questions please refer to https://www.spamhaus.org/bcl/  #
################################################################
alert tcp $HOME_NET any -> 1.234.108.31 any (msg:"Spamhaus Botnet C&C List: njrat botnet controller [SBL487201]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL487201; classtype:trojan-activity; sid:900487201; rev:1;)
alert tcp $HOME_NET any -> 2.56.8.117 any (msg:"Spamhaus Botnet C&C List: AZORult botnet controller [SBL480199]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL480199; classtype:trojan-activity; sid:900480199; rev:1;)

Example of the download URL;
(with the actual account name and API key changed for privacy)

Code Select Expand

https://pub-api.spamhaus.org/api/snort/?account=xxxxxxxxxx&key=yyyyyyyyyyyy

[nzkiwi68]

I followed this post;
https://forum.opnsense.org/index.php?topic=7209.0

But, it didn't work and doesn't add the custom rules.

[allebone]

I just want to follow this in case someone gets it working.

[hushcoden]

I just want to follow this in case someone gets it working.

+1

[Anael]

Any update about it ?  :o