Re: Question about !HOME_NET

[Joel Esler <joel.esler () sourcefire com>]

Heh.  Thanks Shirky..

<shameless plug>
Sounds like you need RNA. http://www.sourcefire.com/products/rna.html  
The reason that Sourcefire invented RNA was to solve one of the  
problems you are facing -- rogue devices on your network.  It is  
possible to discover devices that are not 'yours' on your network,  
however, once a machine picks up a dhcp address on your network  
(humor me if you don't have dhcp), how can you tell the difference  
between a real (authorized device) and a non-authorized device?  No  
Snort rule you write will help you find them.  Therein lies one of  
the fundamental problems of today's networks, no contextual  
alerting,  no idea what is on the network, and finally, no compliance  
(which, really, isn't that what we are discussing here?).

Which is why Sourcefire invented RNA.
</shameless plug>

On the other hand, it might help if you called your snort.conf via  
the command line using the -c tag.  :)

Joel


On Oct 11, 2006, at 11:15 AM, M. Shirk wrote:

> Well Snort can help detect such traffic, but you have a problem  
> with your
> security policy and procedures if people are just showing up and  
> jacking
> into the wall and having full access to the network (where is your
> addresss???? ) :-)
>
> Also, what is $EXTERNAL_NET set to? probably "any" in the snort.conf?
>
> And why are you using ALL of the private addresses? you should be  
> using a
> variable that is something like
>
> var HOME_NET [10.111.0.0/16]
> var EVIL_NET !$HOME_NET
>
>
> More then likely, an on internal network, your sig will fire on  
> every packet
> :-)
>
> Ok finchy, your turn.
>
> Shirkdog
> http://www.shirkdog.us
>
>
>
>
> > From: "Nick Baronian" <kvetch () gmail com>
> > To: "snort-users () lists sourceforge net" <snort- 
> > users () lists sourceforge net>
> > Subject: [Snort-users] Question about !HOME_NET
> > Date: Wed, 11 Oct 2006 10:47:00 -0400
> >
> > I am trying to setup a simple rule but it doesn't appear to be
> > working. We have has some issues with people plugging in their  
> > laptops
> > to our corp. network. Some of these folks have static addresses and
> > try to send some traffic outbound, while the traffic gets dropped  
> > at a
> > firewall I want to log and alert on any non Home_NET IP's trying  
> > to go
> > out. I thought it would be fairly easy just set home_net to something
> > like
> > var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] and var HOME_NET
> > [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] then comment out other rules
> > in snort.conf except local.rule.
> > In local rule set it to something like
> > alert ip !HOME_NET any -> $EXTERNAL_NET any (msg:"nonwork routable IP
> > detected";)
> >
> > I then start snort like
> > snort -e -i eth1 -l /u01/snort -s -D &
> >
> > When I look at the log down /u01/snort it lists tons of IP's going
> > from an IP like 10.30 or 172.x.x.x going to some random IP.  How do I
> > get my rules to only log the packets for non-Home_Net IP's trying to
> > talk to other non-Home_Net IP's?
> >
> > Thanks,
> > Nick
> >
> > --------------------------------------------------------------------- 
> > ----
> > Using Tomcat but need to do more? Need to support web services,  
> > security?
> > Get stuff done quickly with pre-integrated technology to make your  
> > job
> > easier
> > Download IBM WebSphere Application Server v.1.0.1 based on Apache  
> > Geronimo
> > http://sel.as-us.falkag.net/sel? 
> > cmd=lnk&kid=120709&bid=263057&dat=121642
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _________________________________________________________________
> Be seen and heard with Windows Live Messenger and Microsoft LifeCams
> http://clk.atdmt.com/MSN/go/msnnkwme0020000001msn/direct/01/? 
> href=http://www.microsoft.com/hardware/digitalcommunication/ 
> default.mspx?locale=en-us&source=hmtagline
>
>
> ---------------------------------------------------------------------- 
> ---
> Using Tomcat but need to do more? Need to support web services,  
> security?
> Get stuff done quickly with pre-integrated technology to make your  
> job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache  
> Geronimo
> http://sel.as-us.falkag.net/sel? 
> cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
        Snort - Open Source Network IPS/IDS -- http://www.snort.org
          gpg key: http://demo.sourcefire.com/jesler.pgp.key
            aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users