[Snort-users] Homenet Question

Joel Esler jesler at ...1935...
Fri May 4 18:12:33 EDT 2012


Do you have a use for that preprocessor?  If not, you can disable it. 

Check out the docs on the preprocessors at http://manual.snort.org or in the doc/ directory of the Snort Tarball. 

--
Joel Esler
Sent from my.. NO ONE CARES

On May 4, 2012, at 1:15 PM, "Gibson, Samuel" <gibsons at ...15616...> wrote:

> I forgot to mention the Sensitive_data threshold exceeded alert (GID: 139 Sig: 1) that I assume gets triggered due to the amount of sensitive_data email alerts.  Sorry if I should have made this another thread.
> 
> ________________________________________
> From: Gibson, Samuel [gibsons at ...15616...]
> Sent: Friday, May 04, 2012 12:08 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Homenet Question
> 
> Thanks for your help.  This is sort of a follow-on question.
> 
> I have updated EXTERNAL_NET to !$HOME_NET and that seems to have helped with some of the rules, but am I correct in thinking it should stop the sensitive_data email alerts between internal resources and VPN clients?
> 
> # alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
> 
> I get loads of these due to a large volume of emails to VPN clients.
> ________________________________________
> From: Gibson, Samuel [gibsons at ...15616...]
> Sent: Wednesday, May 02, 2012 4:40 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Homenet Question
> 
> Thanks guys.  I will try setting EXTERNAL_NET to !$HOME_NET.
> 
> 
> ________________________________________
> From: Ian Bowers [iggdawg at ...11827...]
> Sent: Wednesday, May 02, 2012 12:11 PM
> To: Adam Gardner
> Cc: Gibson, Samuel; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Homenet Question
> 
> Alternately, if you have some reason for using "any" as EXTERNAL_NET, you can change the variable in the rule from EXTERNAL_NET to !$HOME_NET.  If you use PulledPork, place this in modifysid.conf:
> 
> 2009702 "$EXTERNAL_NET" "!$HOME_NET"
> 
> However, I imagine a similar issue will come up in other rules.  Adam's solution is probably the best way to go.
> 
> -Ian
> 
> On Wed, May 2, 2012 at 10:13 AM, Adam Gardner <adamgardner502 at ...11827...> wrote:
> Since your $EXTERNAL_NET is set to "any", 10.0.0.0/8 is included in that.  You'll probably want to set $EXTERNAL_NET to !$HOME_NET.
> 
> 
> On Wed, May 2, 2012 at 9:46 AM, Gibson, Samuel <gibsons at ...15616...> wrote:
> Hello,
> 
> I am having an interesting issue with the homenet.  I have it setup in snort.conf as follows:
> 
> ipvar HOME_NET [10.0.0.0/8]
> 
> ipvar EXTERNAL_NET any
> 
> ipvar DNS_Servers [10.1.2.3,10.1.2.4]
> 
> Which we have subnetted into internal networks similar to 10.1.2.x, 10.2.3.x and so on.  However our VPN clients use 10.1.20.x/24.
> 
> Whenever a VPN Client registers itself in DNS after connecting, I get an ET POLICY DNS Update From External net  (Gen 1 Sig 2009702)
> 
> The rule triggers, for example, with a source of 10.10.20.10 and a destination of 10.1.2.3
> 
> I can suppress this, but am mostly wondering if anyone has any insight into why the VPN is not being considered part of HOMENET.
> 
> Thanks,
> Sam
> 
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

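As an added illustration of the HOME_NET / EXTERNAL_NET behaviour discussed in this thread (example code written for this page, not Snort's own matching code): a small Python model of Snort's ipvar list semantics (`any`, CIDR, `$VAR` references, `!` negation and `[a,b,!c]` lists) applied to two rule headers. The SENSITIVE-DATA header is the one quoted above; the DNS-update header is an assumed shape for ET sid 2009702 (UDP to port 53 on HOME_NET from EXTERNAL_NET), not the real rule text, and the addresses and ports of the sample packets are constructed. It shows why `ipvar EXTERNAL_NET any` makes a 10.x VPN client count as "external", why `!$HOME_NET` fixes both rules at once, and that editing a single rule's `$EXTERNAL_NET` to `!$HOME_NET` (Ian's modifysid.conf workaround) has the same effect for that one rule only.

```python
"""Toy model of Snort ipvar / rule-header matching (added example, not Snort code)."""
import ipaddress
import re

# Constructed snort.conf fragments: the variables as posted in the thread, and
# the same variables with the fix suggested in the thread.
CONF_AS_POSTED = """
ipvar HOME_NET [10.0.0.0/8]
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS [10.1.2.3,10.1.2.4]
"""
CONF_FIXED = CONF_AS_POSTED.replace("ipvar EXTERNAL_NET any",
                                    "ipvar EXTERNAL_NET !$HOME_NET")

# The SENSITIVE-DATA header is quoted in the thread. The DNS-update header is an
# ASSUMED shape for ET sid 2009702, used only to illustrate the variable logic.
SD_EMAIL_HEADER = "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110]"
DNS_UPDATE_HEADER = "alert udp $EXTERNAL_NET any -> $HOME_NET 53"


def parse_ipvars(conf_text):
    """Collect `ipvar NAME EXPR` lines into a dict (var/portvar lines are ignored)."""
    ipvars = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*ipvar\s+(\w+)\s+(\S+)", line)
        if m:
            ipvars[m.group(1)] = m.group(2)
    return ipvars


def split_list(body):
    """Split the inside of a [...] list on top-level commas only (lists may nest)."""
    items, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return [i.strip() for i in items if i.strip()]


def ip_matches(expr, ip, ipvars):
    """Snort-style IP list semantics: any, CIDR, $VAR, !negation, [a,b,!c]."""
    expr = expr.strip()
    if expr.startswith("!"):
        return not ip_matches(expr[1:], ip, ipvars)
    if expr.startswith("$"):
        return ip_matches(ipvars[expr[1:]], ip, ipvars)
    if expr == "any":
        return True
    if expr.startswith("[") and expr.endswith("]"):
        items = split_list(expr[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        # A list with only negated entries (e.g. [!10.0.0.0/8]) means "everything except".
        included = (not positives) or any(ip_matches(p, ip, ipvars) for p in positives)
        excluded = any(ip_matches(n, ip, ipvars) for n in negatives)
        return included and not excluded
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def port_matches(expr, port):
    """any, a single port, or a [p1,p2,...] list (ranges/negation not modelled)."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("[") and expr.endswith("]"):
        return any(port_matches(p, port) for p in split_list(expr[1:-1]))
    return int(expr) == port


def rule_fires(conf_text, header, proto, src_ip, src_port, dst_ip, dst_port):
    """Does this 5-tuple satisfy the rule header under these ipvar definitions?"""
    ipvars = parse_ipvars(conf_text)
    _action, rproto, rsrc, rsport, arrow, rdst, rdport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional (->) headers are modelled here")
    return (rproto == proto
            and ip_matches(rsrc, src_ip, ipvars) and port_matches(rsport, src_port)
            and ip_matches(rdst, dst_ip, ipvars) and port_matches(rdport, dst_port))


if __name__ == "__main__":
    # The packet quoted in the thread: a VPN client updating the internal DNS server.
    dns = ("udp", "10.10.20.10", 51000, "10.1.2.3", 53)
    print("DNS update, EXTERNAL_NET any       :", rule_fires(CONF_AS_POSTED, DNS_UPDATE_HEADER, *dns))  # True
    print("DNS update, EXTERNAL_NET !$HOME_NET:", rule_fires(CONF_FIXED, DNS_UPDATE_HEADER, *dns))      # False
    # Constructed: an internal mail server delivering to a VPN client in 10.1.20.0/24.
    mail = ("tcp", "10.1.2.50", 40000, "10.1.20.5", 25)
    print("Mail to VPN, EXTERNAL_NET any       :", rule_fires(CONF_AS_POSTED, SD_EMAIL_HEADER, *mail))  # True
    print("Mail to VPN, EXTERNAL_NET !$HOME_NET:", rule_fires(CONF_FIXED, SD_EMAIL_HEADER, *mail))      # False
```

The model also covers the carve-out form `[10.0.0.0/8,!10.1.20.0/24]`, which is the other option if VPN clients should deliberately be treated as outside HOME_NET while EXTERNAL_NET stays `!$HOME_NET`; real Snort additionally supports port ranges, `<>` headers and negated ports, which are left out here.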
More information about the Snort-users mailing list