[Snort-users] Question about !HOME_NET

Nick Baronian kvetch at ...11827...
Wed Oct 11 15:50:47 EDT 2006


I think my rule is right but for some reason it doesn't create an
alert file and it is logging every packet.

Local.rules is the only rule and that is
# Address fields: the source must be outside $HOME_NET and the destination must be in
# $EXTERNAL_NET, which snort.conf below defines as !$HOME_NET -- so the rule only matches
# traffic with NEITHER endpoint in HOME_NET.  Packets with a HOME_NET address on either
# side (like the 172.30.x.x / 10.20.x.x entries in the log excerpt) should not match it.
# No sid:/rev: options are set; give local rules a sid in the local range (1000000+) so
# alerts can be correlated and the rule managed like any other.
alert ip !$HOME_NET any -> $EXTERNAL_NET any (msg:"External IP detected";)

My snort.conf looks like
# NOTE(review): 172.0.0.0/8 is far wider than the RFC 1918 block 172.16.0.0/12.  Public
# addresses in 172.0.0.0-172.15.255.255 and 172.32.0.0-172.255.255.255 are treated as
# "home" here, which silences any rule keyed on !$HOME_NET / $EXTERNAL_NET for them.
# The log excerpt shows 172.30.x.x and 172.16.x.x, so 172.16.0.0/12 would cover them.
var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16]
# EXTERNAL_NET is simply the negation of HOME_NET: a rule written as
# "!$HOME_NET ... -> $EXTERNAL_NET" therefore requires both endpoints to be non-home.
var EXTERNAL_NET !$HOME_NET
# All server lists are aliased to HOME_NET (including the over-wide 172.0.0.0/8 above).
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# NOTE(review): the AIM_SERVERS value appears on the line after the var name here.
# Presumably this is mail wrapping; in the real file the list must follow "var AIM_SERVERS"
# on the same line (or be continued with a trailing backslash) -- confirm.
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
# disable_evasion_alerts turns off stream4's own alerts for reassembly/evasion anomalies;
# worth confirming that is intended on a sensor whose purpose is spotting external traffic.
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
# Back Orifice detector with default settings.
preprocessor bo
preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan
preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes
preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
# Custom ruletype: alert, delivered via syslog (LOG_AUTH facility, LOG_ALERT level).
# The rule in local.rules above uses the built-in "alert" action, not "holycrap", so
# this ruletype currently has no effect on it.
 ruletype holycrap
 {
   type alert
   output alert_syslog: LOG_AUTH LOG_ALERT
 }
# No top-level "output" directive appears in this listing, so alert and packet-log
# destinations come from Snort's defaults and the command-line flags (-l, -s).
include classification.config
include reference.config
include $RULE_PATH/local.rules

I am starting snort by using the following -
# Snort 2.x flags used here: -e show link-layer headers, -i capture interface, -l log
# directory, -D daemonize, -s send alert messages to syslog (not to an alert file under
# -l, which is likely why no alert file appears), -k none skip checksum verification.
# NOTE(review): with -k none, Snort also inspects packets whose checksums the receiving
# host would reject, which is a classic insertion/evasion condition -- prefer limiting
# it to the layer that is actually affected by the pcap checksum problem.
# snort -e -i eth1 -l /var/log/snort -D -s -k none &
I tossed the -k in there because I ran across that phantom pcap chksum
bug thingie last week when playing around with Snort on Fedora and
this is a RHWS4 box.

As soon as I start Snort it starts writing a snort.log and no alert
file.  The snort.log quickly becomes huge and appears to be logging
everything.  It contains stuff like
15:18:28.420291 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0
15:18:28.420301 IP 64.86.105.235.rtsp > 172.30.19.40.4089: tcp 1380
15:18:28.420322 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0
15:18:28.420331 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0
15:18:28.420340 IP 10.20.208.28.4641 > 64.86.105.230.http: tcp 0
15:18:28.420349 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0
15:18:28.420415 IP 172.16.25.27.syslog > 172.16.15.17.syslog: UDP, length 78

If my rule is right, the snort.log shouldn't have any of the
172.30/16's, nor any 10.20.x.x addresses in it, right?
Does anyone see what I am doing wrong?

Thanks,
Nick



