Snort alias for HOME_NET still contains WAN



  • Hi,

    I set up Snort to watch my LAN side.  I created a firewall alias with my LAN subnets, created a Snort whitelist and picked the whitelist for the $HOME_NET dropdown on my LAN interface.  It looks good except I still have my WAN subnet listed under $HOME_NET when I click the View List button.  This $HOME_NET list is unique because if I view the Default $HOME_NET it lists the DNS server and a few other subnets that are not included in my firewall alias.

    This is an upgraded pfSense 2.0.1 to 2.1 32bit.  I uninstalled all packages prior to upgrading.  Snort was previously installed but never configured.

    Is there any way to keep the WAN subnet out of the $HOME_NET list so Snort will watch my LAN?

Here is what the View List button shows for my created whitelist $HOME_NET:
    10.200.0.0/21                      (regular LAN)
    [WAN Starting IP]/29
    127.0.0.1
    172.16.2.1/32                        (OpenVPN)
    192.168.99.0/24                    (regular LAN)
    192.168.111.0/24                  (DMZ LAN)
    192.168.115.0/24                  (Imaging LAN)

    thanks



  • Did you remember to uncheck the box for "Add WAN interface IPs to the list"?

    Here is a screenshot with the checkbox outlined in red.




Thanks for your reply,

    I have them all unchecked.  I just tried toggling them on and off in different patterns and $HOME_NET changed each time but the WAN subnet is still there.  I made sure that Snort was shut down a couple of times to make sure it starts up clean and I ended up with the same results.

    This is really weird that the WAN subnet is automatically being added no matter what.

To make it more interesting, if I click on the LAN > WhiteList > View List button, the list is what is in my alias plus 127.0.0.1.  No WAN subnet.



  • @donpfsform:

Thanks for your reply,

    I have them all unchecked.  I just tried toggling them on and off in different patterns and $HOME_NET changed each time but the WAN subnet is still there.  I made sure that Snort was shut down a couple of times to make sure it starts up clean and I ended up with the same results.

    This is really weird that the WAN subnet is automatically being added no matter what.

To make it more interesting, if I click on the LAN > WhiteList > View List button, the list is what is in my alias plus 127.0.0.1.  No WAN subnet.

The interface IP is always added to the whitelist to ensure the firewall itself is never blocked.  This keeps you from locking yourself out of the firewall.  So if you are looking at the WAN interface, you will always see that interface IP added to the whitelist.  You can selectively add or remove the WAN IP from any lists on other interfaces (meaning the non-WAN interfaces).

    If you have Snort enabled on your LAN interface, then it will monitor and block offending traffic traversing that interface.  What I do is select BOTH for the IPs to block on the LAN side.  Since your LAN IP is automatically whitelisted, it won't get blocked.  However, any "foreign address" that is the source or destination of traffic on your LAN will be blocked.  That is ultimately what you want.  All traffic will get logged, so you can still see if a LAN host is the source of bad traffic.

    Bill



  • Unfortunately using the LAN interface only logs minor ICMP and SNMP connections directly to the LAN interface.  It doesn't see outgoing connections to the internet.  The example that I'm testing with has a Java 1.6 client that I can see get logged on the WAN interface alerts when it goes to the internet but the LAN interface alerts don't show me anything about that connection.  ( ET POLICY Vulnerable Java Version 1.6.x Detected )

Am I misunderstanding how Snort is supposed to work?  I want to monitor the LAN connection to the internet: $HOME_NET -> $EXTERNAL_NET, where $HOME_NET is my aliased whitelist.  Doesn't seem that complicated.

    thanks



  • @donpfsform:

    Unfortunately using the LAN interface only logs minor ICMP and SNMP connections directly to the LAN interface.  It doesn't see outgoing connections to the internet.  The example that I'm testing with has a Java 1.6 client that I can see get logged on the WAN interface alerts when it goes to the internet but the LAN interface alerts don't show me anything about that connection.  ( ET POLICY Vulnerable Java Version 1.6.x Detected )

Am I misunderstanding how Snort is supposed to work?  I want to monitor the LAN connection to the internet: $HOME_NET -> $EXTERNAL_NET, where $HOME_NET is my aliased whitelist.  Doesn't seem that complicated.

    thanks

    I have my home firewall configured with Snort on the LAN and WAN, but running different rules on each interface.  On the WAN I run the ET CIARMY, ET_RBN and other IP-list type rules, while on the LAN side I run the Snort VRT Balanced policy.  I see alerts on any of my LAN IP addresses outbound.  I also see alerts on the WAN side when any of those ET_CIARMY addresses are encountered.  I run Snort this way so I can see which of my internal NAT'd hosts are doing things.

Do you use NAT in your configuration?  It should not matter, but just wondering.  You should generally use the default $HOME_NET setting because that will correctly add any locally-attached subnets.  You generally do not need a custom $HOME_NET.  You can use a customized whitelist if there are particular known-friendly external hosts that you do not want blocked.

    Bill



  • I am using NAT.  I removed all of my Snort interfaces and started over with a default LAN HOME_NET.  I get the same result as previously where the WAN will alert and the LAN doesn't see anything.

    Here are some examples that I want to catch on the LAN side as well as the WAN.
------------------------------------------------
    WAN shows
    DATE      PROTO    CLASS                                                 SRC                      DST                      SID                DESCRIPTION
    10/10/13  TCP      Potential Corporate Privacy Violation    [WAN IP HERE]    108.160.163.40    1:2012647    ET POLICY Dropbox.com Offsite File Backup in Use

LAN shows just a generic broadcast, and it's not even at the same time of day:
    DATE      PROTO    CLASS                                                 SRC                    DST                        SID              DESCRIPTION
    10/10/13    UDP      Potential Corporate Privacy Violation    192.168.99.xx    255.255.255.255    1:2012648    ET POLICY Dropbox Client Broadcasting

------------------------------------------------
    WAN shows
    DATE      PROTO    CLASS                                                 SRC                    DST                        SID              DESCRIPTION
    10/10/13  TCP      A Network Trojan was Detected            165.254.94.176    [WAN IP HERE]    1:2014473    SET INFO JAVA - Java Archive Download By Vulnerable Client

    LAN shows
    Nothing to match this
------------------------------------------------

So I'm out of ideas at this point as to why the LAN Snort interface isn't detecting anything useful.
    thanks



  • @donpfsform:

    I am using NAT.  I removed all of my Snort interfaces and started over with a default LAN HOME_NET.  I get the same result as previously where the WAN will alert and the LAN doesn't see anything.

    Here are some examples that I want to catch on the LAN side as well as the WAN.
------------------------------------------------
    WAN shows
    DATE      PROTO    CLASS                                                 SRC                      DST                      SID                DESCRIPTION
    10/10/13  TCP      Potential Corporate Privacy Violation    [WAN IP HERE]    108.160.163.40    1:2012647    ET POLICY Dropbox.com Offsite File Backup in Use

LAN shows just a generic broadcast, and it's not even at the same time of day:
    DATE      PROTO    CLASS                                                 SRC                    DST                        SID              DESCRIPTION
    10/10/13    UDP      Potential Corporate Privacy Violation    192.168.99.xx    255.255.255.255    1:2012648    ET POLICY Dropbox Client Broadcasting

------------------------------------------------
    WAN shows
    DATE      PROTO    CLASS                                                 SRC                    DST                        SID              DESCRIPTION
    10/10/13  TCP      A Network Trojan was Detected            165.254.94.176    [WAN IP HERE]    1:2014473    SET INFO JAVA - Java Archive Download By Vulnerable Client

    LAN shows
    Nothing to match this
------------------------------------------------

So I'm out of ideas at this point as to why the LAN Snort interface isn't detecting anything useful.
    thanks

    Forgive me if this sounds like a dumb question – and I don't mean to insult your intelligence .. :) -- but do you have exactly the same sets of rules configured and enabled on both the LAN and WAN interfaces?  Each interface has its own set of rules that must be configured.

    Bill



  • At this point, I'll take ANY ideas as long as this works in the end.

All GPL and ET rules are turned on for the WAN.  The LAN has everything on except for emerging-icmp_info.rules because an internal monitor keeps pinging it and I didn't want the noise for now.  I set up my DMZ pfSense also to see if this behavior is at least on more than one machine.

When I look at the Snort examples for configuring the LAN side on Linux, they do not include the WAN in HOME_NET.  It makes sense, as the LAN side would then be the last HOME_NET interface for the packet to leave and so should be checked at that point.

    thanks
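A small model of the $HOME_NET -> $EXTERNAL_NET direction check described in the two posts above, added here for illustration and not taken from Snort or the pfSense package.  It assumes Snort's default EXTERNAL_NET = !$HOME_NET and uses 203.0.113.0/29 as a constructed stand-in for the redacted WAN /29 block; it shows why the same outbound rule matches the pre-NAT flow on the LAN side regardless, but matches the post-NAT flow on the WAN side only while the WAN block stays in $HOME_NET.

```python
"""Model of Snort's $HOME_NET / $EXTERNAL_NET evaluation on both sides of a
NAT firewall.  Added illustration, not pfSense or Snort code.  All addresses
are constructed; 203.0.113.0/29 stands in for '[WAN Starting IP]/29'."""
import ipaddress

# The whitelist alias from the thread (WAN block handled separately below).
LAN_ALIAS = ["10.200.0.0/21", "172.16.2.1/32", "192.168.99.0/24",
             "192.168.111.0/24", "192.168.115.0/24"]
WAN_BLOCK = "203.0.113.0/29"   # constructed placeholder for the WAN /29
LOOPBACK = "127.0.0.1"         # the package always adds the firewall itself


def build_home_net(alias, add_wan):
    """Simplified model of the list: alias + loopback, optionally + WAN block."""
    nets = [ipaddress.ip_network(n) for n in alias]
    nets.append(ipaddress.ip_network(LOOPBACK))
    if add_wan:
        nets.append(ipaddress.ip_network(WAN_BLOCK))
    return nets


def in_home_net(ip, home_net):
    return any(ipaddress.ip_address(ip) in n for n in home_net)


def side_matches(var, ip, home_net):
    """With the default EXTERNAL_NET = !$HOME_NET, every address is one or the other."""
    if var == "$HOME_NET":
        return in_home_net(ip, home_net)
    if var == "$EXTERNAL_NET":
        return not in_home_net(ip, home_net)
    raise ValueError("unknown variable: " + var)


def rule_matches(rule, src, dst, home_net):
    """rule is a (src_var, dst_var) pair such as ('$HOME_NET', '$EXTERNAL_NET')."""
    return side_matches(rule[0], src, home_net) and side_matches(rule[1], dst, home_net)


# Constructed view of the Dropbox flow from the thread as each interface sees it.
LAN_SIDE = ("192.168.99.50", "108.160.163.40")   # pre-NAT: private LAN source
WAN_SIDE = ("203.0.113.2", "108.160.163.40")     # post-NAT: WAN IP as source
OUTBOUND = ("$HOME_NET", "$EXTERNAL_NET")


def evaluate(add_wan):
    """Does the outbound rule fire on the LAN and WAN instances for this $HOME_NET?"""
    home = build_home_net(LAN_ALIAS, add_wan)
    return {"lan": rule_matches(OUTBOUND, *LAN_SIDE, home),
            "wan": rule_matches(OUTBOUND, *WAN_SIDE, home)}


if __name__ == "__main__":
    print("WAN block in HOME_NET:    ", evaluate(True))   # lan True, wan True
    print("WAN block not in HOME_NET:", evaluate(False))  # lan True, wan False
```

Dropping the WAN block from $HOME_NET does not make the LAN instance see more; it only turns the WAN instance's post-NAT flows into external -> external, which the outbound rule no longer matches.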



  • @donpfsform:

    At this point, I'll take ANY ideas as long as this works in the end.

All GPL and ET rules are turned on for the WAN.  The LAN has everything on except for emerging-icmp_info.rules because an internal monitor keeps pinging it and I didn't want the noise for now.  I set up my DMZ pfSense also to see if this behavior is at least on more than one machine.

When I look at the Snort examples for configuring the LAN side on Linux, they do not include the WAN in HOME_NET.  It makes sense, as the LAN side would then be the last HOME_NET interface for the packet to leave and so should be checked at that point.

    thanks

    My home network firewall has three active interfaces (WAN, LAN and DMZ).  I have a Snort instance running on each interface (more for testing than anything else).  My $HOME_NET setting for each Interface is the value default which includes the WAN IP address and the far-end WAN IP Gateway.  I am capturing alerts correctly on my LAN.  Attached is a partial screenshot from the Alerts tab showing some recent LAN hits.

At the moment I really don't know what could be causing your setup not to function the same as mine.

    Bill




  • One other thought occurred to me.  You posted a screenshot showing only a single Snort logged alert on your LAN interface, but that was a broadcast packet.  Do you have any other LAN alerts?  Could it be that something in your routing/networking configuration is allowing your LAN hosts to get out via a different route that does not include the LAN interface of your pfSense box?  Just asking.  It is highly unusual that you are getting no LAN alerts.

    Have you tried running a Wireshark capture on the LAN side to see if the traffic you are attempting to catch is actually traversing the interface?

    Bill

