Snort mailing list archives
Re: Question about !HOME_NET
From: Joel Esler <joel.esler () sourcefire com>
Date: Wed, 11 Oct 2006 11:51:46 -0400
Heh. Thanks Shirky.. <shameless plug> Sounds like you need RNA. http://www.sourcefire.com/products/rna.html The reason that Sourcefire invented RNA was to solve one of the problems you are facing -- rogue devices on your network. It is possible to discover devices that are not 'yours' on your network, however, once a machine picks up a dhcp address on your network (humor me if you don't have dhcp), how can you tell the difference between a real (authorized device) and a non-authorized device? No Snort rule you write will help you find them. Therein lies one of the fundamental problems of today's networks, no contextual alerting, no idea what is on the network, and finally, no compliance (which, really, isn't that what we are discussing here?). Which is why Sourcefire invented RNA. </shameless plug> On the other hand, it might help if you called your snort.conf via the command line using the -c tag. :) Joel On Oct 11, 2006, at 11:15 AM, M. Shirk wrote:
Well Snort can help detect such traffic, but you have a problem with your security policy and procedures if people are just showing up and jacking into the wall and having full access to the network (where is your addresss???? ) :-) Also, what is $EXTERNAL_NET set to? probably "any" in the snort.conf? And why are you using ALL of the private addresses? you should be using a variable that is something like var HOME_NET [10.111.0.0/16] var EVIL_NET !$HOME_NET More then likely, an on internal network, your sig will fire on every packet :-) Ok finchy, your turn. Shirkdog http://www.shirkdog.usFrom: "Nick Baronian" <kvetch () gmail com> To: "snort-users () lists sourceforge net" <snort- users () lists sourceforge net> Subject: [Snort-users] Question about !HOME_NET Date: Wed, 11 Oct 2006 10:47:00 -0400 I am trying to setup a simple rule but it doesn't appear to be working. We have has some issues with people plugging in their laptops to our corp. network. Some of these folks have static addresses and try to send some traffic outbound, while the traffic gets dropped at a firewall I want to log and alert on any non Home_NET IP's trying to go out. I thought it would be fairly easy just set home_net to something like var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] and var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] then comment out other rules in snort.conf except local.rule. In local rule set it to something like alert ip !HOME_NET any -> $EXTERNAL_NET any (msg:"nonwork routable IP detected";) I then start snort like snort -e -i eth1 -l /u01/snort -s -D & When I look at the log down /u01/snort it lists tons of IP's going from an IP like 10.30 or 172.x.x.x going to some random IP. How do I get my rules to only log the packets for non-Home_Net IP's trying to talk to other non-Home_Net IP's? Thanks, Nick --------------------------------------------------------------------- ---- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users_________________________________________________________________ Be seen and heard with Windows Live Messenger and Microsoft LifeCams http://clk.atdmt.com/MSN/go/msnnkwme0020000001msn/direct/01/? href=http://www.microsoft.com/hardware/digitalcommunication/ default.mspx?locale=en-us&source=hmtagline ---------------------------------------------------------------------- --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
+---------------------------------------------------------------------+ joel esler senior security consultant 1-706-627-2101 Sourcefire Security for the /Real/ World -- http://www.sourcefire.com Snort - Open Source Network IPS/IDS -- http://www.snort.org gpg key: http://demo.sourcefire.com/jesler.pgp.key aim:eslerjoel ymsg:eslerjoel gtalk:eslerj +---------------------------------------------------------------------+ ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Question about !HOME_NET Nick Baronian (Oct 11)
- Re: Question about !HOME_NET M. Shirk (Oct 11)
- Re: Question about !HOME_NET Joel Esler (Oct 11)
- Re: Question about !HOME_NET Nick Baronian (Oct 11)
- Re: Question about !HOME_NET Nick Baronian (Oct 11)
- Re: Question about !HOME_NET Todd Wease (Oct 11)
- Re: Question about !HOME_NET M. Shirk (Oct 11)