[Snort-users] HOMENET IP exclusions

Nogwai nogwai at ...15539...
Tue Mar 13 10:09:41 EDT 2012


Thanks, I think I got the logic.

Then, looking at the manual, event suppression seems to do the trick.
I've configured the following "suppress" events:

suppress gen_id 0, sig_id 0, track by_dst, ip 10.9.0.0/16
suppress gen_id 0, sig_id 0, track by_src, ip 10.9.0.0/16
(since I don't want to see any event from this subnet)

but I'm facing another error after implementation:

FATAL ERROR: /etc/snort/snort.eth1:X.conf(139) suppress could not be
created.

Googling the error doesn't give many results. After some attempts, it
seems that Snort doesn't want the options "track by_dst" and "track by_src"
for the same subnet/IP.

Any hint?

Regards,
Nogwai
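
Added example (not from this thread and not Snort's own code): a small Python model of the IP-list variable semantics described in README.variables, covering both the "Negated IP ranges ... more-general than non-negated ranges" error quoted below and Jason's explanation of why !$HOME_NET cannot carry the exclusions. The function names and the flattened (negated, network) representation are assumptions made for this example; the address lists are the ones from the thread.

```python
import ipaddress

# Added example, not Snort's own code: a small model of the IP-list variable
# semantics described in README.variables, enough to show why a HOME_NET
# that carries exclusions cannot be reused as "var EXTERNAL_NET !$HOME_NET".
# Function names and the (negated, network) representation are assumptions
# made for this example; the address lists are the ones from the thread.


def parse_ip_list(text):
    """Flatten a Snort-style list such as [a,b,![c,d]] into (negated, network)
    pairs.  Negation distributes over brackets and toggles, so ![x,![y]]
    yields (True, x) and (False, y)."""
    entries, _ = _parse(text, 0, False)
    return entries


def _parse(s, i, negated):
    entries = []
    while i < len(s):
        c = s[i]
        if c in " \t,":
            i += 1
            continue
        if c == "]":
            return entries, i + 1           # end of the enclosing bracket
        neg = negated
        if c == "!":
            neg = not neg
            i += 1
            while i < len(s) and s[i] == " ":
                i += 1
            if i >= len(s):
                raise ValueError("dangling '!' in IP list")
        if s[i] == "[":
            sub, i = _parse(s, i + 1, neg)  # nested list inherits negation
            entries.extend(sub)
        else:
            j = i
            while j < len(s) and s[j] not in ",]":
                j += 1
            entries.append((neg, ipaddress.ip_network(s[i:j].strip(), strict=False)))
            i = j
    return entries, i


def check_ip_list(entries):
    """The parse-time check behind the FATAL ERROR in the thread: a negated
    range that is equal to or more general than a non-negated range in the
    same list is rejected.  Returns None when the list is acceptable,
    otherwise the offending (negated, non-negated) pair."""
    for neg, n in entries:
        if not neg:
            continue
        for p_neg, p in entries:
            if p_neg or p.version != n.version:
                continue
            if p.subnet_of(n):
                return (n, p)
    return None


def ip_in_list(entries, ip):
    """Membership: the address must lie outside every negated range and,
    unless the list is pure exclusion, inside at least one non-negated one."""
    addr = ipaddress.ip_address(ip)
    positives = [n for neg, n in entries if not neg]
    negatives = [n for neg, n in entries if neg]
    if any(addr in n for n in negatives):
        return False
    return not positives or any(addr in n for n in positives)


# The variable definitions discussed in the thread.
HOME_NET = "[10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]"
EXTERNAL_NET_NEGATED = "!" + HOME_NET                 # var EXTERNAL_NET !$HOME_NET
EXTERNAL_NET_INVERTED = "[!10.0.0.0/8,!99.0.0.0/16]"  # the "inverted logic" the error suggests


def report(name, text):
    """Parse one variable, print its flattened form, and return
    (entries, conflict-or-None)."""
    entries = parse_ip_list(text)
    conflict = check_ip_list(entries)
    print(f"{name} = {text}")
    for neg, net in entries:
        print(f"    {'!' if neg else ' '}{net}")
    if conflict is None:
        print("    -> OK")
    else:
        print(f"    -> FATAL: !{conflict[0]} is more general than {conflict[1]}")
    return entries, conflict


if __name__ == "__main__":
    home, _ = report("HOME_NET", HOME_NET)
    report("EXTERNAL_NET (as !$HOME_NET)", EXTERNAL_NET_NEGATED)
    ext, _ = report("EXTERNAL_NET (inverted)", EXTERNAL_NET_INVERTED)
    for ip in ("10.1.1.1", "10.9.1.1", "8.8.8.8"):
        print(f"{ip:>10}: HOME_NET={ip_in_list(home, ip)} EXTERNAL_NET={ip_in_list(ext, ip)}")
```

Run as is, the script accepts HOME_NET, rejects the !$HOME_NET form because negation turns the exclusion 10.9.0.0/16 into a non-negated entry sitting under the now-negated 10.0.0.0/8, and accepts the inverted EXTERNAL_NET. With that inverted form 10.9.1.1 belongs to neither variable, so rules written $EXTERNAL_NET -> $HOME_NET will not match traffic from that range; whether that is the right trade-off depends on what the rule set expects of addresses that are in neither.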



2012/3/13 Jason Wallace <jason.r.wallace at ...11827...>

> You can't use !$HOME_NET because the larger network space of HOME_NET
> [10.0.0.0/8,99.0.0.0/16] becomes the NOT space. You can't say
> !10.0.0.0/8 and !10.9.0.0/16.
>
> On Tue, Mar 13, 2012 at 5:02 AM, Nogwai <nogwai at ...15539...> wrote:
> > EXTERNAL_NET is set to :
> >
> > var EXTERNAL_NET !$HOME_NET
> >
> > I've read somewhere that exclusions in the HomeNet are kinda incompatible
> > with External_Net. Is it the problem?
> > If yes, and assuming I set my variables like this:
> >
> > var HOMENET [10.0.0.0/8,99.0.0.0/16]
> > var EXTERNAL_NET !$HOME_NET ![10.9.0.0/16,99.0.17.0/24]
> >
> > I'll NOT see alerts coming from excluded IPs, right?
> >
> >
> > 2012/3/12 Jason Wallace <jason.r.wallace at ...11827...>
> >>
> >> What is $EXTERNAL_NET set to?
> >>
> >> On Mon, Mar 12, 2012 at 1:07 PM, Nogwai <nogwai at ...15539...> wrote:
> >> > Hi there,
> >> >
> >> > I am trying to exclude some IP/IP range from HOMENET variables.
> >> > Basically, I don't want to see any alerts coming from some single IP(s)
> >> > and complete IP pools.
> >> > So I've configured my HOMENET like this (in snort.ethX.conf):
> >> >
> >> > var HOMENET [10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]
> >> >
> >> > It appears that I have a lot of traffic coming from interface eth1. So
> >> > I've managed to split the single snort process into three separate
> >> > processes running on interfaces eth1:1, eth1:2 and eth1:3 (with
> >> > different rule-sets on each), and replicate the HOMENET variable in
> >> > each snort.eth1:x.conf.
> >> >
> >> > Looking at the snort process, the HOMENET variable seems not to be
> >> > taken from my snort.eth1:x.conf files but from snort.debian.conf (I'm
> >> > running Alienvault OpenSource SIEM - OSSIM v3.0, based on Debian 5.0.8
> >> > and Snort 2.9.0.4).
> >> > So I've modified the DEBIAN_SNORT_HOME_NET to look like this:
> >> >
> >> > DEBIAN_SNORT_HOME_NET="10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]"
> >> >
> >> > And then, Snort doesn't want to restart:
> >> >
> >> > FATAL ERROR: /etc/snort/rules/emerging-dns.rules => Negated IP ranges
> >> > that are equal to or are more-general than non-negated ranges are not
> >> > allowed. Consider inverting the logic: $EXTERNAL_NET.
> >> >
> >> >
> >> > Looking for some hints, I came across this
> >> > (http://seclists.org/snort/2010/q3/674), this
> >> > (http://seclists.org/snort/2009/q3/267) and read README.variables. But
> >> > still lost. Don't know if the problem is Debian or Snort related...
> >> >
> >> > Actually, I play with CIDR to exclude the above IPs inside the
> >> > snort.debian.conf file. But this is a bit painful to maintain and I
> >> > receive some new exclusions to add to the list every week. I'll
> >> > appreciate some light on this :)
> >> >
> >> >
> >> > Greetings,
> >> > Nogwai
> >> >