Netgate Discussion Forum

    Snort and subnet

    IDS/IPS
    6 Posts 2 Posters 2.5k Views
    • vehpbkrby

      Hi! I need help!
      Snort does not fully detect my network structure. I want to add a subnet to Home Net. How do I do it?
      See  Attachments

      On the LAN I have a few subnets. In the logic of the software, they will be in the External Net.
      Look:
      LAN NET:
      IP WAN
      GW WAN
      DNS WAN
      and 192.168.1.0/24

      BUT I have some static routes to 192.168.3.0/24 and 192.168.4.0/24. These subnets will end up in the External Net because:
      External net = !Lan Net

      With that, I cannot deny Skype from 192.168.3.0/24.

      Help me please!

      [Attachment: snort.JPG]

      • bmeeks

        The instructions in the hint are sort of incomplete.  Probably need to fix that up a bit.  Here is what you need to do when customizing either HOME_NET or EXTERNAL_NET in Snort or Suricata –

        1. Create an Alias under FIREWALL > ALIASES and include the networks and/or IP addresses you want to customize.  If you want specific addresses or networks in, say, HOME_NET that would not be in the default selection, add those to the alias.

        2. Go to the PASS LIST tab and create a new Pass List.  Give it a meaningful name.

        3. By default the list will contain all the locally-attached networks, the firewall's interface addresses, the DNS server(s) and the default gateway.  You can leave these checked, or you can uncheck one or more of them to remove locally-attached networks, DNS server(s) or the gateway.

        4. In the ADDRESS field of the Pass List, select the Alias you created in step 1.  Save the new Pass List.

        5. Now go to the INTERFACE SETTINGS tab for the Snort interface you want to customize.  Locate the HOME_NET or EXTERNAL_NET drop-down as appropriate and select the Pass List you just created.  Save the change and then restart Snort on the interface.

        Bill

        • vehpbkrby

          @bmeeks:


          Thanks! I did what you wrote but it didn't work.
          I checked many rules, but Snort doesn't alert. Snort sees only traffic from the WAN. For example:
          81.222.128.22 80 MY_IP  55176 120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

          I wanted to block Skype traffic. Enabled snort_pua-p2p.rules -> Enable
          1 5694 tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS PUA-P2P Skype client setup get newest version attempt
          1 5693 tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS PUA-P2P Skype client start up get latest version attempt
          1 5999 tcp $EXTERNAL_NET any $HOME_NET any PUA-P2P Skype client login
          1 5998 tcp $HOME_NET any $EXTERNAL_NET any PUA-P2P Skype client login startup

          Then, I made aliases:
          192.168.1.0/24
          192.168.0.0/24

          Made a pass list, added my alias, unchecked all checkboxes to remove locally-attached networks. - see Attachments
          Save.
          Located the HOME_NET or EXTERNAL_NET drop-down as appropriate and selected the Pass List I created.
          The LAN of pfSense has IP 192.168.1.18
          My IP = 192.168.0.46

          Clicked "View List" for Home Net and I see:
          WAN IP
          WAN IP  2
          127.0.0.1
          192.168.0.0/24
          192.168.1.0/24
          ::1
          IPv6 address
          IPv6 address
          IPv6 address

          Then I enabled Snort GPLv2 Community Rules (VRT certified) and I wanted to block Skype traffic. Enabled snort_pua-p2p.rules -> Enable
          1 5694 tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS PUA-P2P Skype client setup get newest version attempt
          1 5693 tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS PUA-P2P Skype client start up get latest version attempt
          1 5999 tcp $EXTERNAL_NET any $HOME_NET any PUA-P2P Skype client login
          1 5998 tcp $HOME_NET any $EXTERNAL_NET any PUA-P2P Skype client login startup

          Restarted the WAN interface!

          Went to Skype on my PC (192.168.0.46). Opened Alerts and there is no information…

          What should I do!? Help please

          [Attachment: snort.JPG]

          • bmeeks

            @vehpbkrby:


            I may be misunderstanding what you want, but it seems to me that you do not need to customize anything to achieve the blocks you desire.  You simply need to run Snort with "block offenders" enabled and let HOME_NET and EXTERNAL_NET use the default settings.  If you want to see the IP addresses of hosts on your LAN (that is, you want to see their 192.168.x.x addresses in the alerts), then you will need to run Snort on the LAN interface instead of the WAN.  This is because Snort sees traffic before the inbound NAT rules are applied.  This means when run on the WAN, all Snort will ever see is the post-NAT outbound IP address of your internal hosts (which is of course your WAN IP).

            Another tip about the Snort GPL Community Rules:  the vast majority of them are disabled by default.  So simply checking the box to use GPL Community Rules is usually not enough.  You must go to the RULES tab, select that group of rules, then make sure all the ones you want are actually enabled.  If they display as gray text, they are default disabled.  Hover over the icon on the far left next to each rule and the pop-up tool tip will tell you if the rule needs to be enabled or not.

            Bill

            • vehpbkrby

              @bmeeks:


              I may be misunderstanding what you want, but it seems to me that you do not need to customize anything to achieve the blocks you desire.  You simply need to run Snort with "block offenders" enabled and let HOME_NET and EXTERNAL_NET use the default settings.  If you want to see the IP addresses of hosts on your LAN (that is, you want to see their 192.168.x.x addresses in the alerts), then you will need to run Snort on the LAN interface instead of the WAN.  This is because Snort sees traffic before the inbound NAT rules are applied.  This means when run on the WAN, all Snort will ever see is the post-NAT outbound IP address of your internal hosts (which is of course your WAN IP).

              Another tip about the Snort GPL Community Rules:  by default the vast majority of them are default disabled.  So simply checking the box to use GPL Community Rules is usually not enough.  You must go to the RULES tab, select that group of rules, then make sure all the ones you want are actually enabled.  If they display as a gray text, they are default disabled.  Hover over the icon on the far left next to each rule and the pop-up tool tip will tell you if the rule needs to be enabled or not.

              Bill

              Thank you for your help! But your suggestions do not work for me.

              See.
              I have a few local subnet.
              192.168.0.0/24
              192.168.1.0/24
              192.168.2.0/24
              192.168.3.0/24

              Pfsense has 2 interfaces (WAN, LAN) and NAT. LAN = 192.168.1.18, gateway = 192.168.1.30 (subnet 192.168.1.0/24)
              If I use the default settings for the home and external network:
              All computers with an address in the 192.168.1.0/24 subnet cannot use Skype. But the computers with addresses in the other subnets, such as my computer with address 192.168.0.46, can use Skype - it is not blocked!

              How do I set up Snort so that it can block Skype from all the local subnet ranges?

              • bmeeks

                @vehpbkrby:


                Oh, I see.  You have some other subnets behind the pfSense firewall that are not locally attached.  In that case you need to add just those specific networks to HOME_NET along with the default values.  Try this –

                1. Create an Alias called ExpandedHomeNet or something else that is appropriate in your view.

                2. Add these networks to the new alias:  192.168.0.0/24, 192.168.2.0/24 and 192.168.3.0/24

                3. Create a Pass List on the PASS LIST tab and give it a name similar to CustomHomeNet or something.  Leave all the checkboxes enabled (checked) on the Pass List Edit page. In the Address field, enter the name of the alias created in step 1.  Save the new list.

                4. Go to the INTERFACES SETTINGS tab for the interface in Snort and in the Home Net drop-down, select the list created above.

                5. Click the View List button beside the control and verify the list contains your WAN IP, DNS IP, the 192.168.1.0/24 network, all three of the networks added to the alias and your default gateway IP.

                6. Save the changes and restart Snort on the interface.

                Bill

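Both of Bill's step lists above, and the NAT point in his middle reply, come down to one question: which addresses are inside HOME_NET at the moment Snort evaluates a rule header. The model below is an added example written for this page, not code from the Snort package or from anyone in the thread. It uses the addresses the thread states (LAN 192.168.1.18/24, the routed 192.168.0.0/24, 192.168.2.0/24 and 192.168.3.0/24, the PC at 192.168.0.46, the four PUA-P2P rule headers) and assumes the rest: a WAN address of 203.0.113.10, an ISP gateway 203.0.113.1, DNS 203.0.113.53, a remote Skype server at 198.51.100.7, a two-port stand-in for $HTTP_PORTS, and outbound NAT that covers every inside subnet.

```python
"""Model of how the pfSense Snort package's HOME_NET / EXTERNAL_NET variables
decide whether a rule header matches a flow.  Added example; not code from the
Snort package or this thread.  Values marked 'assumed' are not in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# From the thread: LAN 192.168.1.18/24, inside router 192.168.1.30, routed
# subnets 192.168.0.0/24, 192.168.2.0/24, 192.168.3.0/24.
LAN_IP = IP("192.168.1.18")
LAN_NET = Net("192.168.1.0/24")
INSIDE_GW = IP("192.168.1.30")
ROUTED_NETS = [Net(n) for n in ("192.168.0.0/24", "192.168.2.0/24", "192.168.3.0/24")]
INSIDE_NETS = [LAN_NET] + ROUTED_NETS          # everything outbound NAT rewrites (assumed)
# Assumed (documentation ranges): WAN address, ISP gateway, DNS, a Skype server.
WAN_IP = IP("203.0.113.10")
WAN_GW = IP("203.0.113.1")
DNS_SERVER = IP("203.0.113.53")
REMOTE = IP("198.51.100.7")
HTTP_PORTS = frozenset({80, 8080})             # assumed subset of Snort's default $HTTP_PORTS


def in_nets(ip: IP, nets: Iterable[Net]) -> bool:
    return any(ip in n for n in nets)


def default_home_net() -> List[Net]:
    """HOME_NET as the package builds it with no Pass List selected: locally
    attached networks, the firewall's own addresses, DNS server(s) and the
    default gateway.  Same shape as the 'View List' output quoted above."""
    hosts = [Net(f"{a}/32") for a in (WAN_IP, LAN_IP, "127.0.0.1", DNS_SERVER, WAN_GW)]
    return hosts + [LAN_NET]


def expanded_home_net() -> List[Net]:
    """Default list plus the alias of routed subnets (the ExpandedHomeNet Pass List)."""
    return default_home_net() + ROUTED_NETS


@dataclass(frozen=True)
class RuleHeader:
    sid: int
    src_var: str                  # "$HOME_NET" or "$EXTERNAL_NET"
    dst_var: str
    dst_ports: FrozenSet[int]     # empty set means 'any'


# Headers of the four PUA-P2P Skype rules listed in the thread.
SKYPE_RULES = [
    RuleHeader(5694, "$HOME_NET", "$EXTERNAL_NET", HTTP_PORTS),
    RuleHeader(5693, "$HOME_NET", "$EXTERNAL_NET", HTTP_PORTS),
    RuleHeader(5999, "$EXTERNAL_NET", "$HOME_NET", frozenset()),
    RuleHeader(5998, "$HOME_NET", "$EXTERNAL_NET", frozenset()),
]


def header_matches(rule: RuleHeader, src: IP, dst: IP, dst_port: int,
                   home_net: Iterable[Net]) -> bool:
    """EXTERNAL_NET is defined as !$HOME_NET, so each address side reduces to
    one membership test.  Payload content matches are out of scope here."""
    def side(var: str, ip: IP) -> bool:
        home = in_nets(ip, home_net)
        return home if var == "$HOME_NET" else not home
    port_ok = not rule.dst_ports or dst_port in rule.dst_ports
    return side(rule.src_var, src) and side(rule.dst_var, dst) and port_ok


def as_seen_by_snort(interface: str, src: IP, dst: IP) -> Tuple[IP, IP]:
    """The LAN instance inspects packets before NAT.  The WAN instance sees
    them after outbound NAT and before inbound NAT, so every inside address
    appears as WAN_IP (assumed: outbound NAT covers all of INSIDE_NETS)."""
    if interface == "WAN":
        src = WAN_IP if in_nets(src, INSIDE_NETS) else src
        dst = WAN_IP if in_nets(dst, INSIDE_NETS) else dst
    return src, dst


def firing_sids(interface: str, src: IP, dst: IP, dst_port: int,
                home_net: Iterable[Net]) -> List[int]:
    """SIDs whose header matches the flow as Snort on `interface` sees it."""
    s, d = as_seen_by_snort(interface, src, dst)
    return sorted(r.sid for r in SKYPE_RULES
                  if header_matches(r, s, d, dst_port, home_net))


if __name__ == "__main__":
    pc = IP("192.168.0.46")   # the poster's PC on a routed subnet
    for label, hn in (("default", default_home_net()), ("expanded", expanded_home_net())):
        print(f"LAN instance, {label} HOME_NET, {pc} -> {REMOTE}:33033:",
              firing_sids("LAN", pc, REMOTE, 33033, hn))
    print("WAN instance sees the source as", as_seen_by_snort("WAN", pc, REMOTE)[0])
```

Running it reproduces the symptom in the thread: with the default HOME_NET, a LAN-side Snort instance matches none of the four Skype headers for 192.168.0.46 in either direction, because both ends of the flow fall into EXTERNAL_NET (!$HOME_NET), while a host on 192.168.1.0/24 matches SID 5998. Adding the routed subnets through the Pass List makes 192.168.0.46 behave like the LAN host. A WAN-side instance does match, but only after NAT has replaced the inside source with the WAN address, so its alerts cannot tell you which inside host was responsible and cannot be narrowed to one subnet.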
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.