Snort mailing list archives

RE: Direction detection with mac address filtering


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Mon, 10 Feb 2003 11:40:15 -0600

In my more complex networks, I'm finding that it is more convenient to
combine the content parsing features of snort with the more efficient
weeding-out features of BPF, on which snort is built.

So, for example, in your example below, if you were interested only in the
traffic that was going from router A to router B, you'd start a snort
process with a BPF at the end something like:

ether src host 00:20:af:11:1e:2c and ether dst host 00:04:ee:ca:bf:ed

Then, inside your snort.conf, all of your rules would only apply to the
traffic that had already been passed through that filter.  If you run on a
BSD box, this also helps performance, since BPF in BSD runs in kernel space
rather than user space.

Since snort currently has no way of specifying packets based on MAC address,
this is the only way to do it, but if you've got a big network and want to
simplify your rules, you can also break out each subnet in a BPF and run one
snort process per subnet.  For example, if you've got the networks 10.0.1.0,
10.0.2.0, and 10.0.3.0 (each mask 24 bits long), you could run a process for
each with a BPF set something like:

net 10.0.1.0/24

and then set up your $HOME_NET for that specific network.  As a bonus, once
you've gone through and split out each of those three, you can run a fourth
process with the BPF of:

"!(net 10.0.1.0/24 or net 10.0.2.0/24 or net 10.0.3.0/24)"

and then have a single rule that alerts on any packet that passes the rule.
I've had better luck finding trouble-makers out of my "Traffic on Unexpected
Network" rule than on almost any other, since it finds things like people
hooking up unauthorized and poorly-configured Internet connections and
end-users installing software they shouldn't.

In the end, I've found that I could monitor more traffic (~40mbps sustained)
on a single box by breaking the processes up via BPF than I could with a
single, monolithic process.  Even with 11 separate processes running, each
with between 800-900 rules, the box is typically only running 45% utilized
on CPU (dual 1 ghz PIII, 1GB RAM).  Since snort isn't threaded, the
monolithic process consumes one CPU entirely and leaves the other untouched.

Jon

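The per-process BPF layout Jon describes, as an added shell example (not from the list post or the Snort project): it builds the direction filter, the per-subnet filters and the negated catch-all, then prints the snort command line each process would use. The snort options used (-i, -c, -S name=value, -D) are assumed from the snort 2.x CLI, and the config file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the list post): build the BPF expressions Jon
# describes and print the snort command line each process would use.

# Subnet list and MAC addresses taken from the post; edit for your own site.
SUBNETS="10.0.1.0/24 10.0.2.0/24 10.0.3.0/24"
ROUTER_A=00:20:af:11:1e:2c
ROUTER_B=00:04:ee:ca:bf:ed

# One-direction filter between two MAC addresses (router A -> router B).
direction_bpf() {
    printf 'ether src host %s and ether dst host %s' "$1" "$2"
}

# Filter for traffic on exactly one subnet.
subnet_bpf() {
    printf 'net %s' "$1"
}

# Negated catch-all: traffic on none of the listed subnets.
catchall_bpf() {
    acc=""
    for n in "$@"; do
        if [ -z "$acc" ]; then acc="net $n"; else acc="$acc or net $n"; fi
    done
    printf '!(%s)' "$acc"
}

# snort command for one process. Assumed snort 2.x options: -i interface,
# -c config, -S name=value (override a rules variable such as HOME_NET),
# -D daemonize. The BPF expression is the trailing positional argument and
# must be single-quoted because "!" and "(" are shell metacharacters.
snort_cmd() {
    printf "snort -i %s -c %s -S HOME_NET=%s -D '%s'\n" "$1" "$2" "$3" "$4"
}

print_all() {
    snort_cmd eth0 /etc/snort/ab.conf any "$(direction_bpf "$ROUTER_A" "$ROUTER_B")"
    for n in $SUBNETS; do
        snort_cmd eth0 /etc/snort/snort.conf "$n" "$(subnet_bpf "$n")"
    done
    # Hypothetical unexpected.conf holds the single alert-on-anything rule.
    snort_cmd eth0 /etc/snort/unexpected.conf any "$(catchall_bpf $SUBNETS)"
}

print_all
```

Each printed line is one independent snort process; on a multi-CPU box this is what lets the unthreaded snort use more than one core.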
-----Original Message-----
From: Martin Olsson [mailto:elof () sentor se]
Sent: Monday, February 10, 2003 10:19 AM
To: snort-users mailinglist
Subject: [Snort-users] Direction detection with mac address filtering



Hi all!

I just came up with an idea that I think would be nice if it was
integrated into snort. Please give comments.

One big problem for many people is monitoring several different home
networks. Stating just one net in $HOME_NET is ok. A list of two or
three networks might work too, but when you have 20 different networks you
are forced to set $HOME_NET to "any". This implies that $EXTERNAL_NET will
also be set to "any". All logged alerts will then be based on an "any to
any"-criteria, which means that you manually have to determine whether the
alert originated from the intranet or from some external address.

If one could specify variables as $EXTERNAL_MAC, $HOME_MAC, $DMZ1_MAC,
$DMZ2_MAC, etc, and use them to filter packets based on their
source and destination MAC-address, then in effect we could detect the
direction of a single packet or a flow even in the "any to any"-criteria.

I guess you would have to add two new fields to all rules, src-mac and
dst-mac:

type  proto src-mac dst-mac       src-ip    port   dst-ip        port
------------------------------------------------------------------------
alert udp   any  -> $EXTERNAL_MAC $HOME_NET any -> $EXTERNAL_NET 53  ...

This rule evaluates into:
alert udp   any  -> 001122334455  any       any -> any           53  ...

This rule would only trigger on packets going *out*...

Is this possible? Is it useful enough for the developers to implement it?

/Martin



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
