Snort.conf, $HOME_NET, and whitelist error
-
Running Snort 2.9.2.3 pkg v. 2.5.1
In trying to track down the possible source of the whitelist issue I am running into, a review of the code in snort_interfaces_whitelist_edit.php indicates that "is_alias" is checked immediately prior to the error I am seeing.
--
if ($_POST['address']) {                       // skipped when the field is empty (or "0", which PHP also treats as false)
    if (!is_alias($_POST['address'])) {        // the value must be an alias name, not an address
        $input_errors[] = "A valid alias need to be provided";
    }
}
--
The error in red is what I am getting when I try to edit/save an existing whitelist, or try to create and save a new one.
I can actually create and save a new whitelist with a blank listing of IPs or an entry of "0" in the address field. Other entries such as 192.168.0.1 generate an error.
A search of "snort.inc" shows "is_alias" checking the snort.conf file, and $HOME_NET is listed in the snort.conf.
For $HOME_NET - I was unable to see an obvious place to set this in the snort gui, so I edited the snort.conf file adding:
ipvar HOME_NET [192.168.0.1/24,192.168.0.2/24]
"snort.inc" contains code that looks like it builds the $HOME_NET variable from the interface subnets and that seems the logical approach, so changing the snort.conf file may be redundant (or counterproductive).
Should it be necessary to manually edit the snort.conf file, and if so, is the syntax above valid? What is the best way to check the value of $HOME_NET?
I know that is probably a very basic question, but I'm looking for anything that might be triggering the whitelist update error I am seeing when I try to update or create a whitelist.
This error began when I updated to 2.5.1. My update process was: ensure the save setting box was checked within the snort gui; uninstall the package ("Remove this package" from the package manager gui); then install the new snort package. If a more thorough removal/reinstall process is recommended, details would be appreciated.
Suggestions are welcome.
Thanks!
-
Äh, cough, did you specify an alias under Firewall:Aliases and put its name in the address field in the whitelist?
Do not edit snort.conf manually. Just define another alias with subnets and put its name in the Home Net field in Snort:Interface Edit Home Net.
192.168.0.1/24 is exactly the same as 192.168.0.2/24. The CIDR 24 defines the masked bits in the subnet. So 192.168.0.0/24 matches every single IP in the 192.168.0.X subnet.
Greets, Judex
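Two points in the posts above are worth seeing in code: the whitelist "address" field is checked as an alias name (so an IP such as 192.168.0.1 fails, while a blank field or "0" is never checked at all because PHP treats both as false), and 192.168.0.1/24 and 192.168.0.2/24 denote the same network once the host bits are masked. The following is an added example, not code from the pfSense Snort package or from anyone in this thread; the alias table, the alias-name syntax and the function names are assumptions made for the example.

```python
"""Added example; not code from the pfSense Snort package or from this thread.

(1) The whitelist "address" field must name an alias, not hold an IP or CIDR,
    and the posted PHP check is skipped entirely for a falsy value.
(2) 192.168.0.1/24 and 192.168.0.2/24 are the same /24 network.
The alias table, alias-name syntax and function names are assumptions.
"""
import ipaddress
import re

# Constructed sample alias table standing in for Firewall: Aliases (assumption).
ALIASES = {
    "snort_whitelist": ["192.168.0.10", "10.0.0.0/8"],
    "home_nets": ["192.168.0.0/24"],
}

# Assumed alias-name syntax: identifier-like, so "192.168.0.1" can never be one.
ALIAS_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def php_truthy(value):
    """PHP's `if ($x)` on a string: "" and "0" are false, anything else is true.
    This is why a blank field or "0" saved without error in the thread."""
    return value not in ("", "0")


def is_alias(value, aliases=ALIASES):
    """True only if value is the *name* of a defined alias, not its contents."""
    return bool(ALIAS_NAME_RE.match(value)) and value in aliases


def validate_address_field(value, aliases=ALIASES):
    """Mirror the structure of the posted PHP check and return the error list.

    if ($_POST['address'])                -> php_truthy(value)
        if (!is_alias($_POST['address'])) -> not is_alias(value)
    """
    errors = []
    if php_truthy(value):
        if not is_alias(value, aliases):
            errors.append("A valid alias needs to be provided")
    return errors


def has_host_bits(cidr):
    """True if the entry sets host bits under its mask (e.g. 192.168.0.1/24)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return False
    except ValueError:
        return True


def normalize_subnets(entries):
    """Collapse each entry to its network address and drop duplicates.

    strict=False masks off the host bits, so 192.168.0.1/24 and 192.168.0.2/24
    both become 192.168.0.0/24.
    """
    nets = {ipaddress.ip_network(e, strict=False) for e in entries}
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered]


def home_net_ipvar(entries):
    """Render the deduplicated networks as a Snort 2.9 `ipvar HOME_NET [...]` line."""
    return "ipvar HOME_NET [" + ",".join(normalize_subnets(entries)) + "]"


if __name__ == "__main__":
    for field in ["", "0", "192.168.0.1", "snort_whitelist"]:
        print(repr(field), validate_address_field(field) or "ok")
    print(home_net_ipvar(["192.168.0.1/24", "192.168.0.2/24"]))
```

Running the block prints that "" and "0" pass untouched, "192.168.0.1" fails the alias check, "snort_whitelist" passes, and the two subnets from the first post collapse to a single `ipvar HOME_NET [192.168.0.0/24]`. If you do end up writing networks by hand anywhere, `has_host_bits` is the quick sanity check that an entry is a network and not a host address with a mask stuck on it.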
-
Nope. Thanks for the pointer, that's why I asked :)
Under the previously running version (not sure what number that was), the IPs were entered on the whitelist page. Either that was wrong then, or the process changed. Will give the correct setup a try. Thanks again.
-
Yeah, it is a new feature and came silently, so I had exactly the same problems after the upgraded installation. ::)