Netgate Discussion Forum

    Snort Package HOME_NET - Your opinion on its automatic generation

    pfSense Packages
    17 Posts 7 Posters 6.3k Views
    • priller

      Just to verify … would HOME_NET also capture the IPv6 LAN address? Specifically, DHCP-PD assigned addressing from the ISP.

      Thanks

      • carboncopy

        In terms of UI, it seems like it would be ideal to define your networks in the same area in Snort where you define/config your interfaces.  This field could have the option to point to the Whitelist or Alias list, similar to the way we do it today for firewall rules.  In addition, you could make it a free form for the "admin" to define the networks they wish to monitor.  Again, this is more of a UI recommendation.

        • bmeeks

          @priller:

          Just to verify … would HOME_NET also capture the IPv6 LAN address? Specifically, DHCP-PD assigned addressing from the ISP.

          Thanks

          Yes, any IPv6 addresses associated with a given interface would be captured as well.

          Bill

          • bmeeks

            @carboncopy:

            In terms of UI, it seems like it would be ideal to define your networks in the same area in Snort where you define/config your interfaces.  This field could have the option to point to the Whitelist or Alias list, similar to the way we do it today for firewall rules.  In addition, you could make it a free form for the "admin" to define the networks they wish to monitor.  Again, this is more of a UI recommendation.

            The paradigm the pfSense Core Team prefers is to use Aliases and move away from direct entry of IP addresses all over the place.  The idea is Aliases drive some measure of consistency and also make edits in the future much easier.  I agree with this approach as well.  I know some folks want to just have an open text field and type in addresses or networks directly, but long-term this can become unwieldy.  I regularly use Check Point at work, and they enforce the same paradigm.  They call them Objects instead of Aliases, but the idea is the same.  You create an Object for a host, a network or a group; and then you use that Object in all the rules.  Using Objects in Check Point or Aliases in pfSense makes it easy when you need to change something in the future.  For example, assume you change the subnet mask on a network.  If you have direct-typed that network into a half-dozen places such as a few whitelists, HOME_NET and several firewall rules, then you have a lot of edits to make and can easily miss one.  On the other hand, using an Alias means just one edit on one screen and your change is propagated everywhere.

            So a long explanation to say I'm not in favor of allowing direct text edits on all the Snort screens.  I prefer to endorse the use of Aliases for this purpose.  Once you become accustomed to using them, they really are a great thing.

            Bill

            • Supermule

              I like this. But WAN VIP is important to have in my view as HOME_NET!

              • bmeeks

                @Supermule:

                I like this. But WAN VIP is important to have in my view as HOME_NET!

                It should get picked up in the list of other VIPs and be included.  I will send you a copy to test via e-mail.

                Bill

                • carboncopy

                  @bmeeks:

                  @carboncopy:

                  In terms of UI, it seems like it would be ideal to define your networks in the same area in Snort where you define/config your interfaces.  This field could have the option to point to the Whitelist or Alias list, similar to the way we do it today for firewall rules.  In addition, you could make it a free form for the "admin" to define the networks they wish to monitor.  Again, this is more of a UI recommendation.

                  The paradigm the pfSense Core Team prefers is to use Aliases and move away from direct entry of IP addresses all over the place.  The idea is Aliases drive some measure of consistency and also make edits in the future much easier.  I agree with this approach as well.  I know some folks want to just have an open text field and type in addresses or networks directly, but long-term this can become unwieldy.  I regularly use Check Point at work, and they enforce the same paradigm.  They call them Objects instead of Aliases, but the idea is the same.  You create an Object for a host, a network or a group; and then you use that Object in all the rules.  Using Objects in Check Point or Aliases in pfSense makes it easy when you need to change something in the future.  For example, assume you change the subnet mask on a network.  If you have direct-typed that network into a half-dozen places such as a few whitelists, HOME_NET and several firewall rules, then you have a lot of edits to make and can easily miss one.  On the other hand, using an Alias means just one edit on one screen and your change is propagated everywhere.

                  So a long explanation to say I'm not in favor of allowing direct text edits on all the Snort screens.  I prefer to endorse the use of Aliases for this purpose.  Once you become accustomed to using them, they really are a great thing.

                  Bill

                  Right and I don't disagree with that approach.  I've used many firewalls over the years and I also prefer using "aliases" (going all the way back to before PF days with ipfilter) as it is a cleaner method.

                  • bmeeks

                    @carboncopy:

                    Right and I don't disagree with that approach.  I've used many firewalls over the years and I also prefer using "aliases" (going all the way back to before PF days with ipfilter) as it is a cleaner method.

                    I have put three new View buttons on the If Settings tab where you configure a Snort interface (the tab where you choose whether to enable blocking of offenders, the Search Performance profile, whitelist, etc.).  These new buttons let you click and see the current contents of the chosen HOME_NET, Whitelist and Suppression List selected in the associated dropdown box.  I have those new buttons working now in my prototype code.  They should come out with the 2.5.8 package.  They open the same style pop-up window as the new View Rules Update Log window.

                    So on the screen where you do the HOME_NET and Whitelist selection, you will have a quick way to view the contents of your choice.  If a user needs to do something really fancy or outside the box, then the Alias choice under the Firewall menu is where to start.  Once the Alias is defined, then it can be chosen for the HOME_NET or whitelist.

                    Bill

                    • carboncopy

                      @bmeeks:

                      @carboncopy:

                      Right and I don't disagree with that approach.  I've used many firewalls over the years and I also prefer using "aliases" (going all the way back to before PF days with ipfilter) as it is a cleaner method.

                      I have put three new View buttons on the If Settings tab where you configure a Snort interface (the tab where you choose whether to enable blocking of offenders, the Search Performance profile, whitelist, etc.).  These new buttons let you click and see the current contents of the chosen HOME_NET, Whitelist and Suppression List selected in the associated dropdown box.  I have those new buttons working now in my prototype code.  They should come out with the 2.5.8 package.  They open the same style pop-up window as the new View Rules Update Log window.

                      So on the screen where you do the HOME_NET and Whitelist selection, you will have a quick way to view the contents of your choice.  If a user needs to do something really fancy or outside the box, then the Alias choice under the Firewall menu is where to start.  Once the Alias is defined, then it can be chosen for the HOME_NET or whitelist.

                      Bill

                      Very cool! I am looking forward to trying that out!!

                      • gogol

                        @carboncopy:

                        Very cool! I am looking forward to trying that out!!

                        I second that! :)

                        • slagr

                          Is there any reason why an alias with URL type could not be used in Snort whitelists?

                          • bmeeks

                            @slagr:

                            Is there any reason why an alias with URL type could not be used in Snort whitelists?

                            Well, at the moment the Snort code is only expecting hosts or networks.  I can look at including URLs in the update I'm working on.

                            Bill

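The answer above says the Snort code expects only hosts or networks. An added example (written for this page, not the pfSense Snort package's own code) of what such a check looks like before an alias is handed to a whitelist: the alias table is constructed sample data whose `type` values mirror the alias kinds pfSense offers (host, network, port, url), and the `alias_to_whitelist` function and its rejection messages are this example's own. Beyond the URL case the thread asks about, it also flags a hostname (Snort's `ipvar` takes IP literals) and a network written with host bits set, which a whitelist should not silently widen.

```python
# Added example, not code from the pfSense Snort package: check whether a
# firewall alias can feed a Snort whitelist (only host/network contents).
import ipaddress

# Constructed alias table (hypothetical). "type" mirrors the alias kinds pfSense
# offers (host, network, port, url); the contents are made-up sample values.
ALIASES = {
    "Trusted_Hosts": {"type": "host",    "address": ["192.168.1.10", "2001:db8::10", "ntp.example.internal"]},
    "DMZ_Nets":      {"type": "network", "address": ["203.0.113.0/24", "10.1.2.5/24"]},
    "Web_Ports":     {"type": "port",    "address": ["80", "443"]},
    "Feed_URL":      {"type": "url",     "address": ["https://example.invalid/list.txt"]},
}

USABLE_TYPES = {"host", "network"}


def _to_network(item):
    """Parse a bare address or CIDR into the exact network Snort should see.
    A network written with host bits set (10.1.2.5/24) is rejected rather than
    silently widened to 10.1.2.0/24: for a whitelist that would change which
    hosts are never blocked."""
    iface = ipaddress.ip_interface(item)   # bare "a.b.c.d" becomes a /32 (or /128)
    net = iface.network
    if net.prefixlen != iface.max_prefixlen and iface.ip != net.network_address:
        raise ValueError(f"{item}: host bits set; write {net} or {iface.ip} explicitly")
    return net


def alias_to_whitelist(name, aliases=ALIASES):
    """Return (entries, problems): entries Snort's ipvar can take as-is, and a
    human-readable reason for every item that had to be skipped."""
    alias = aliases[name]
    if alias["type"] not in USABLE_TYPES:
        return [], [f"alias {name!r} has type {alias['type']!r}; "
                    "only host and network aliases can be used for a whitelist"]
    entries, problems = [], []
    for item in alias["address"]:
        try:
            entries.append(str(_to_network(item)))
        except ValueError as exc:
            # Hostnames land here too: ip_interface() rejects anything that is
            # not an IP literal, and ipvar cannot resolve names.
            problems.append(f"alias {name!r}: {exc}")
    return entries, problems


if __name__ == "__main__":
    for alias_name in ALIASES:
        entries, problems = alias_to_whitelist(alias_name)
        print(alias_name, "->", entries)
        for p in problems:
            print("  skipped:", p)
```

Returning the problems alongside the usable entries, rather than raising on the first one, is deliberate: an admin reviewing why a chosen alias produced a shorter whitelist than expected wants every skipped item listed at once.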
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.