[Snort-users] defining $HOME_NET

Phil Wood cpw at ...440...
Thu Oct 19 23:58:58 EDT 2000


I just had a thought (to which my dad always said, "treat it kindly, it's
in a strange place").

1. With a subset of the rulesets (those all lined up in the same direction,
external to internal), like:

alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS116/SourceRoute-ICMP-lssr"; ipopts: lsrr ;)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS139/SMTP-exploit869a"; flags: AP; content: "|0a|C|3a|daemon|0a|R";)

2. And a snort running on a transit network where your internal, CIDR, and
non-CIDR networks are behind one or more of the routers;

3. And, EXTERNAL and INTERNAL are set to "any";

4. You could set the BPF filter (-F some-bpf-filter) to just feed snort the
uni-directional traffic that it understands, like so:

[contents of some-bpf-filter]

(tcp or udp or icmp) and dst net (192.158.114.0/23 or 172.16.114.96/31 or 10.0.0.0/8)

You would just need one instance of snort and one rule for all the nets you
have, whatever the type!

Any takers?

Phil
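As an added example (not Snort code and not from anyone in this thread), the script below turns home-net declarations in the forms Frank proposes (a comma-separated CIDR list or a first:last range) into exactly the kind of uni-directional "dst net" BPF filter Phil describes, and measures how many addresses Erik's rounding-up-to-a-/21 approach pulls in beyond the declared nets. All function names and sample addresses are constructed for the example.

```python
# Added example (not Snort code): build the exact "dst net" BPF filter from
# home-net specs written as CIDR lists or first:last ranges, and quantify the
# over-coverage that comes from forcing non-aligned nets into one big block.
import ipaddress
from typing import List

IPv4Net = ipaddress.IPv4Network


def parse_home_net(spec: str) -> List[IPv4Net]:
    """Expand a home-net spec into the minimal exact set of CIDR blocks.

    Accepted forms: "10.10.10.0/24, 10.10.30.0/24" (CIDR list),
    "10.10.10.5:10.10.10.55" (inclusive first:last range), "10.1.1.7" (host).
    """
    nets = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if ":" in item:  # first:last range -> summarize into exact CIDRs
            first, last = (ipaddress.IPv4Address(p.strip()) for p in item.split(":", 1))
            if first > last:
                raise ValueError(f"range start after end: {item}")
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(IPv4Net(item, strict=False))
    return list(ipaddress.collapse_addresses(nets))  # merge adjacent, drop overlaps


def bpf_dst_filter(spec: str, protos=("tcp", "udp", "icmp")) -> str:
    """Build the one-direction filter from the post, usable with snort -F."""
    nets = parse_home_net(spec)
    if not nets:
        raise ValueError("no home nets given")
    return f"({' or '.join(protos)}) and dst net ({' or '.join(map(str, nets))})"


def overcoverage(spec: str, prefixlen: int) -> int:
    """Addresses a single /prefixlen block covering spec adds beyond the declared nets.

    Five adjacent /24s forced into one /21 pull in three extra /24s.
    """
    nets = parse_home_net(spec)
    block = IPv4Net((min(n.network_address for n in nets), prefixlen), strict=False)
    if max(n.broadcast_address for n in nets) not in block:
        raise ValueError(f"/{prefixlen} block does not cover all declared nets")
    return block.num_addresses - sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(bpf_dst_filter("10.10.10.5:10.10.10.55, 10.10.30.0/24"))
    print(overcoverage(", ".join(f"10.1.{o}.0/24" for o in range(240, 245)), 21))  # 768
```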

On Thu, Oct 19, 2000 at 06:12:55PM -0500, Frank Knobbe wrote:
> If the homenets are not adjacent, you can always use 3 separate rule
> sets (that's how I'm running it). It's quite an overhead, though, so
> an option to define IP ranges would be nice, as in:  
> 
> var INTERNAL_NET	10.10.10.5:10.10.10.55
> or
> var INTERNAL_NET  10.10.10.0/24, 10.10.30.0/24
> 
> 
> Regards,
> Frank
> 
> - -----Original Message-----
> From: Erik Engberg [mailto:Erik.Engberg at ...511...]
> Sent: Thursday, October 19, 2000 3:08 PM
> To: 'Steve Halligan'; 'Joanne Treurniet';
> Snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] defining $HOME_NET
> 
> 
> or /12 or /14, or /15 etc
> As long as the subnets are adjacent to each other you should have
> little trouble.. the problems start when they aren't...
>  
> On one installation I have snort sniffing on 5 class C nets that are
> adjacent
> xxx.xxx.240.0 - xxx.xxx.245.0
>  
> But I have to use a /21 netmask to cover this in "one" net. 
> xxx.xxx.240.0/21
>  
> Of course this means that xxx.xxx.246.0/24 and xxx.xxx.247.0/24 are
> considered my home_net as well, but there's no traffic whatsoever from
> those nets; I can take that problem, although it wouldn't be fun if
> they started messing with me or an attacker found that out. Damage
> wouldn't be too great but visibility is hampered and you have to take
> that into consideration... 
>  
> Best thing is that I have control and I can always deny those nets in
> my border router or firewall. Problem solved (although not so
> "neat").
>  
> When are we getting support for multiple home_nets? Are we getting
> it?
>  
> /Erik