Snort and subnet



  • Hi! I need help!
    Snort does not fully determine my network structure. I want to add a subnet to the Home Net. How do I do it?
    See attachments.

    On the LAN I have a few subnets. In the logic of the software, they will be in the External Net.
    Look:
    LAN NET:
    IP WAN
    GW WAN
    DNS WAN
    and 192.168.1.0/24

    BUT I have some static routes to 192.168.3.0/24 and 192.168.4.0/24. These subnets will end up in the External Net because:
    External net = !Lan Net

    With that I cannot deny Skype from 192.168.3.0/24.

    Help me please!




  • The instructions in the hint are sort of incomplete.  Probably need to fix that up a bit.  Here is what you need to do when customizing either HOME_NET or EXTERNAL_NET in Snort or Suricata –

    1. Create an Alias under FIREWALL > ALIASES and include the networks and/or IP addresses you want to customize.  If you want specific addresses or networks in say HOME_NET that would not be in the default selection, add those to the alias.

    2. Go to the PASS LIST tab and create a new Pass List.  Give it a meaningful name.

    3. By default the list will contain all the locally-attached networks, the firewall's interface addresses, the DNS server(s) and the default gateway.  You can leave these checked, or you can uncheck one or more of them to remove locally-attached networks, DNS server(s) or the gateway.

    4. In the ADDRESS field of the Pass List, select the Alias you created in step 1.  Save the new Pass List.

    5. Now go to the INTERFACE SETTINGS tab for the Snort interface you want to customize.  Locate the HOME_NET or EXTERNAL_NET drop-down as appropriate and select the Pass List you just created.  Save the change and then restart Snort on the interface.

    Bill



  • @bmeeks:

    Thanks! I did what you wrote but it didn't work.
    I checked many rules, but Snort doesn't alert. Snort sees only traffic from the WAN. For example:
    81.222.128.22 80 MY_IP  55176 120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    I wanted to block Skype traffic. Enable snort_pua-p2p.rules -> Enable
    1 5694 tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS PUA-P2P Skype client setup get newest version attempt
    1 5693 tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS PUA-P2P Skype client start up get latest version attempt
    1 5999 tcp $EXTERNAL_NET any $HOME_NET any PUA-P2P Skype client login
    1 5998 tcp $HOME_NET any $EXTERNAL_NET any PUA-P2P Skype client login startup

    Then I made aliases:
    192.168.1.0/24
    192.168.0.0/24

    Made a pass list, added my alias, unchecked all checkboxes to remove locally-attached networks - see attachments.
    Save.
    Located the HOME_NET or EXTERNAL_NET drop-down as appropriate and selected the Pass List I created.
    The LAN of pfSense has IP 192.168.1.18
    My IP = 192.168.0.46

    Pressed "View List" for the Home Net and I see:
    WAN IP
    WAN IP 2
    127.0.0.1
    192.168.0.0/24
    192.168.1.0/24
    ::1
    IPv6 address
    IPv6 address
    IPv6 address

    Then I enabled Snort GPLv2 Community Rules (VRT certified) and I wanted to block Skype traffic. Enable snort_pua-p2p.rules -> Enable
    1 5694 tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS PUA-P2P Skype client setup get newest version attempt
    1 5693 tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS PUA-P2P Skype client start up get latest version attempt
    1 5999 tcp $EXTERNAL_NET any $HOME_NET any PUA-P2P Skype client login
    1 5998 tcp $HOME_NET any $EXTERNAL_NET any PUA-P2P Skype client login startup

    RESTART WAN ETH!

    Ran Skype from my PC (192.168.0.46). Opened Alerts and there is no information at all…

    What should I do!? Help please




  • @vehpbkrby:

    I may be misunderstanding what you want, but it seems to me that you do not need to customize anything to achieve the blocks you desire.  You simply need to run Snort with "block offenders" enabled and let HOME_NET and EXTERNAL_NET use the default settings.  If you want to see the IP addresses of hosts on your LAN (that is, you want to see their 192.168.x.x addresses in the alerts), then you will need to run Snort on the LAN interface instead of the WAN.  This is because Snort sees traffic before the inbound NAT rules are applied.  This means when run on the WAN, all Snort will ever see is the post-NAT outbound IP address of your internal hosts (which is of course your WAN IP).

    Another tip about the Snort GPL Community Rules:  by default the vast majority of them are default disabled.  So simply checking the box to use GPL Community Rules is usually not enough.  You must go to the RULES tab, select that group of rules, then make sure all the ones you want are actually enabled.  If they display as a gray text, they are default disabled.  Hover over the icon on the far left next to each rule and the pop-up tool tip will tell you if the rule needs to be enabled or not.

    Bill



  • @bmeeks:

    Thank you for your help! But your suggestions do not work for me.

    See:
    I have a few local subnets.
    192.168.0.0/24
    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24

    pfSense has 2 interfaces (WAN, LAN) and NAT. LAN = 192.168.1.18, gateway = 192.168.1.30 (subnet 192.168.1.0/24)
    If I use the default settings for the home and external network, this is the result:
    All computers that have an address in the 192.168.1.0/24 subnet cannot use Skype. But the computers that have addresses in the other subnets, such as my computer with address 192.168.0.46, can use Skype - it is not blocked!

    How do I set up Snort so that it can block Skype from all the local subnet ranges?



  • @vehpbkrby:

    Oh, I see.  You have some other subnets behind the pfSense firewall that are not locally attached.  In that case you need to add just those specific networks to HOME_NET along with the default values.  Try this –

    1. Create an Alias called ExpandedHomeNet or something else that is appropriate in your view.

    2. Add these networks to the new alias:  192.168.0.0/24, 192.168.2.0/24 and 192.168.3.0/24

    3. Create a Pass List on the PASS LIST tab and give it a name similar to CustomHomeNet or something.  Leave all the checkboxes enabled (checked) on the Pass List Edit page. In the Address field, enter the name of the alias created in step 1.  Save the new list.

    4. Go to the INTERFACES SETTINGS tab for the interface in Snort and in the Home Net drop-down, select the list created above.

    5. Click the View List button beside the control and verify the list contains your WAN IP, DNS IP, the 192.168.1.0/24 network, all three of the networks added to the alias and your default gateway IP.

    6. Save the changes and restart Snort on the interface.

    Bill
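To make Bill's two points concrete (a routed-but-not-locally-attached subnet such as 192.168.0.0/24 falls into EXTERNAL_NET, which is simply !HOME_NET, until it is added through the Pass List alias; and Snort on the WAN interface only ever sees the post-NAT WAN address as the source), here is an added Python model of how the `$HOME_NET`/`$EXTERNAL_NET` address check of the sid 5998 rule header resolves. It is not code from the thread or from the pfSense Snort package; the WAN IP and the Skype server address are constructed placeholders.

```python
import ipaddress

# Added example, not code from the thread or the pfSense Snort package.
# WAN_IP and SKYPE_SERVER are constructed placeholders, not real addresses.
WAN_IP = "203.0.113.10"
SKYPE_SERVER = "198.51.100.5"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # locally attached LAN
INTERNAL = ipaddress.ip_network("192.168.0.0/16")     # all of the poster's subnets


def build_home_net(extra_subnets=()):
    """Model the package's HOME_NET: the locally attached LAN, the WAN
    address, plus any subnets added through a Pass List alias.
    EXTERNAL_NET is implicitly !HOME_NET, so it needs no list of its own."""
    home = [LAN_NET, ipaddress.ip_network(WAN_IP + "/32")]
    return home + [ipaddress.ip_network(s) for s in extra_subnets]


def in_home_net(addr, home):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home)


def var_matches(addr, var, home):
    """Evaluate $HOME_NET or $EXTERNAL_NET (= !$HOME_NET) for one address."""
    hit = in_home_net(addr, home)
    return hit if var == "$HOME_NET" else not hit


def rule_matches(src_var, dst_var, src, dst, home):
    """Address check of a rule header like '$HOME_NET any -> $EXTERNAL_NET any'."""
    return var_matches(src, src_var, home) and var_matches(dst, dst_var, home)


def address_seen_by_snort(src, interface):
    """On WAN, Snort sees outbound traffic after NAT, so every internal host
    appears as the WAN IP; on LAN the real 192.168.x.x source is visible."""
    internal = ipaddress.ip_address(src) in INTERNAL
    return WAN_IP if interface == "WAN" and internal else src


def skype_login_alerts(interface, extra_subnets=()):
    """Would sid 5998 ($HOME_NET -> $EXTERNAL_NET) fire for the poster's PC,
    and which source address would the alert show? Returns (fired, source)."""
    home = build_home_net(extra_subnets)
    src = address_seen_by_snort("192.168.0.46", interface)
    return rule_matches("$HOME_NET", "$EXTERNAL_NET", src, SKYPE_SERVER, home), src


if __name__ == "__main__":
    print(skype_login_alerts("LAN"))                      # (False, '192.168.0.46')
    print(skype_login_alerts("LAN", ["192.168.0.0/24"]))  # (True, '192.168.0.46')
    print(skype_login_alerts("WAN"))                      # (True, '203.0.113.10')
```

With the default HOME_NET the poster's PC is treated as external on the LAN interface, so a `$HOME_NET -> $EXTERNAL_NET` rule cannot fire for it; adding the routed subnet to the alias fixes that, while on the WAN the rule can fire but only ever names the WAN IP.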