Snort in a home enviroment?
-
Hi!
I've been fooling around with snort, mainly for testing purposes and because I like to fool around with stuff I have absolutely no knowledge about :)
That being said, I've required a free oinkmaster code, using the community rules, and set it to 'connectivity'.
I thought this would be the lightest setting, but it turns out, it shuts me out from almost everything, which in itself is pretty cool! :D
My first problem arose with LogMeIn which I use to remote control my Windows PC. LogMeIn servers got blocked, so I had to scan through the logs, find their IPs, and whitelist them.
After that, the server IP to the webmail I use got blocked, so I had to whitelist that as well. Something about a HELO snort didn't like.If that wasn't enough, after installing a new NIC and doing a reboot snort even blocked my WAN-IP! I had no interwebs at all, so I had to whitelist my own IP as well…an IP that is bound to change in the near future...
Weird thing about this one was that my wan ip showed, but in the 'alert description' alot of russian known networks were listed. Also, my so far 600 blocked IPs disappeared entirely after the reboot.The above is fine though. Last night I was gonna game with a friend. We use a TS3-server which I host at home, and he could join fine, say a few words to me - and then he dropped. Turns out his IP got blocked as well.
I whitelisted him, all good. Then either steam or a gameserver got blacklisted as well and the in-game server browser wouldn't give the list of available game servers...At this point I had to turn off snort.
I understand that snort may be a more corporation-like-IDPS and maybe not intended in home/entertainment enviroments. But I want to learn and I find it very interesting to play with things like these...which is the main reason I use pfSense at all, when a random $50 router would suffice for my needs.
So how do I gain control over snort? I can't keep whitelisting stuff as they get blocked - just finding out all IPs/networks that need to be whitelisted is a pain, and I spent a few hours to find the LogMeIn and Google networks I needed to whitelist.
Can I even gain control over snort? If someone could give me a few hints, or point me in the right direction it would be very much appreciated!
Another thing I would like to put out there. As you can see, I'm not a very experienced user. But whenever I've asked for help, either here or in IRC people have been very kind and helpful. Even if my questions could have been simple/silly, noone has stepped on me, or making me feel dumb. For that, I'd like to thank the community, and whatever inidividuals who has hepled me out in the past. Thank you.
-
You might find this thread useful.
P.S. Your experience pretty much matches anyone else's when it comes to getting started with snort. I like to set up firewalls as "set it and forget it". Not babysit them 24/7. Snort is simply not for me and frankly I'd not recommend it to anyone unless for learning purposes.
-
Snort is more for a commercial environment with regards to the rules out there today. While you can certainly use it at home (I do), you must be prepared to do quite a bit of whitelisting and other tuning if you do anything on your network that is too much outside the mainstream of web, e-mail and simple stuff like that. The problem with blacklisting (which is what a number of Snort rules do) is that you inevitably vacuum up "good" IPs in the list of "bad" IPs. This is especially true when the blacklisted IP happens to be a hosting service or major Co-Lo center. One bad apple in the data center can get the whole IP block on many of the "bad" lists (just like e-mail with spammer blacklisting).
As for your issue with swapping NIC cards, that's expected unless the card is pretty much identical to the old one. Part of the "interface name" in the Snort configuration is derived from the driver ("em" for some Intel cards, "re" for Realtek, etc.). So if you changed NIC chipsets, Snort would no longer recognize your WAN interface correctly. You can simply delete the interface in Snort and then add it back to pick up the new NIC chipset name.
Bill
-
My approach (also in a home environment) is to judiciously hand-select individual rules. I find the ET ruleset quite useful.