Snort mailing list archives
RE: Direction detection with mac address filtering
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Mon, 10 Feb 2003 11:40:15 -0600
In my more complex networks, I'm finding that it is more convenient to combine the content parsing features of snort with the more efficient weeding-out features of BPF, on which snort is built. So, for example, in your example below, if you were interested only in the traffic that was going from router A to router B, you'd start a snort process with a BPF at the end something like:

    ether src host 00:20:af:11:1e:2c and ether dst host 00:04:ee:ca:bf:ed

Then, inside your snort.conf, all of your rules would only apply to the traffic that had already been passed through that filter. If you run on a BSD box, this also helps performance, since BPF in BSD runs in kernel space rather than user space.

Since snort currently has no way of specifying packets based on MAC address, this is the only way to do it, but if you've got a big network and want to simplify your rules, you can also break out each subnet in a BPF and run one snort process per subnet. For example, if you've got the networks 10.0.1.0, 10.0.2.0, and 10.0.3.0 (each mask 24 bits long), you could run a process for each with a BPF set something like:

    net 10.0.1.0/24

and then set up your $HOME_NET for that specific network. As a bonus, once you've gone through and split out each of those three, you can run a fourth process with the BPF of:

    "!(net 10.0.1.0/24 or net 10.0.2.0/24 or net 10.0.3.0/24)"

and then have a single rule that alerts on any packet that passes the rule. I've had better luck finding trouble-makers out of my "Traffic on Unexpected Network" rule than on almost any other, since it finds things like people hooking up unauthorized and poorly-configured Internet connections and end-users installing software they shouldn't.

In the end, I've found that I could monitor more traffic (~40mbps sustained) on a single box by breaking the processes up via BPF than I could with a single, monolithic process.
Even with 11 separate processes running, each with between 800-900 rules, the box is typically only running 45% utilized on CPU (dual 1 ghz PIII, 1GB RAM). Since snort isn't threaded, the monolithic process consumes one CPU entirely and leaves the other untouched.

Jon

-----Original Message-----
From: Martin Olsson [mailto:elof () sentor se]
Sent: Monday, February 10, 2003 10:19 AM
To: snort-users mailinglist
Subject: [Snort-users] Direction detection with mac address filtering

Hi all!

I just came up with an idea that I think would be nice if it was integrated into snort. Please give comments.

One big problem for many people is monitoring several different home networks. Stating just one net in $HOME_NET is ok. A list of two or three networks might work too, but when you have 20 different networks you are forced to set $HOME_NET to "any". This implies that $EXTERNAL_NET will also be set to "any". All logged alerts will then be based on an "any to any"-criteria, which means that you manually have to determine whether the alert originated from the intranet or from some external address.

If one could specify variables as $EXTERNAL_MAC, $HOME_MAC, $DMZ1_MAC, $DMZ2_MAC, etc, and use them to filter packets based on their source and destination MAC-address, then in effect we could detect the direction of a single packet or a flow even in the "any to any"-criteria.

I guess you would have to add two new fields to all rules, src-mac and dst-mac:

    type  proto  src-mac    dst-mac        src-ip     port  dst-ip         port
    ------------------------------------------------------------------------
    alert udp    any     -> $EXTERNAL_MAC  $HOME_NET  any -> $EXTERNAL_NET  53 ...

This rule evaluates into:

    alert udp any -> 001122334455 any any -> any 53 ...

This rule would only trigger on packets going *out*...

Is this possible? Is it useful enough for the developers to implement it?
/Martin

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
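As an added illustration (not code from either poster or from the snort project), a small Python model of the two ideas in this thread: Jon's BPF partitioning into one snort process per subnet plus the catch-all "unexpected network" process, and Martin's proposed classification of packet direction from the MAC addresses alone. The router MACs and the three subnets are the ones quoted in the thread; the host MACs, the 192.168.0.x addresses and the frames themselves are constructed sample input.

```python
import ipaddress
import struct

# Values quoted in the thread: the two router MACs and the three home subnets.
ROUTER_A = "00:20:af:11:1e:2c"   # treated here as the site gateway ($EXTERNAL_MAC)
ROUTER_B = "00:04:ee:ca:bf:ed"
HOME_NETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24")]

def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet II + IPv4 header (constructed sample input, no payload)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                      # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip) from an Ethernet II / IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    return (frame[6:12].hex(":"), frame[0:6].hex(":"),
            ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34]))

def bpf_processes(frame):
    """Which of Jon's per-subnet snort processes would receive this frame.
    BPF 'net X' matches when either the source or the destination address is in X,
    so an intra-site packet can reach two processes; the catch-all process runs with
    '!(net A or net B or net C)' and only sees traffic from networks nobody declared."""
    _, _, sip, dip = parse_frame(frame)
    hits = [f"net {n}" for n in HOME_NETS if sip in n or dip in n]
    return hits or ["!(" + " or ".join(f"net {n}" for n in HOME_NETS) + ")"]

def between_routers(frame, src_mac=ROUTER_A, dst_mac=ROUTER_B):
    """Equivalent of Jon's 'ether src host A and ether dst host B' prefilter."""
    smac, dmac, _, _ = parse_frame(frame)
    return smac == src_mac.lower() and dmac == dst_mac.lower()

def direction(frame, external_mac):
    """Martin's proposal: decide direction from layer 2 only. A packet leaving the site is
    addressed to the gateway's MAC; a packet entering carries the gateway's MAC as source."""
    smac, dmac, _, _ = parse_frame(frame)
    if dmac == external_mac.lower():
        return "outbound"
    if smac == external_mac.lower():
        return "inbound"
    return "internal"
```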
Current thread:
- Direction detection with mac address filtering Martin Olsson (Feb 10)
- <Possible follow-ups>
- RE: Direction detection with mac address filtering Williams Jon (Feb 11)
- RE: Direction detection with mac address filtering Erek Adams (Feb 11)