Change Homenet Snort



  • Hi guys

    I have a bunch of VLANs configured on my Snort box. Now I'm trying to set up Snort only for a few interfaces. The main problem is that if I add a VLAN interface to Snort, all networks are listed in the default HOME_NET.

    How can I create a HOME_NET for each interface?

    I'm running pfSense 2.1-RELEASE and Snort 2.9.5.5 pkg v3.0.1.

    regards

    supermega



  • @supermega:

    Hi guys

    I have a bunch of VLANs configured on my Snort box. Now I'm trying to set up Snort only for a few interfaces. The main problem is that if I add a VLAN interface to Snort, all networks are listed in the default HOME_NET.

    How can I create a HOME_NET for each interface?

    I'm running pfSense 2.1-RELEASE and Snort 2.9.5.5 pkg v3.0.1.

    regards

    supermega

    The default in the GUI is to automatically add all locally-attached networks to HOME_NET.  You can defeat this and configure your own HOME_NET, but the process is counterintuitive.

    • First, create an Alias containing the subnet you want to be HOME_NET for the interface.  Do this under Firewall…Aliases.

    • Now go to the Whitelists tab and create a new whitelist.  Give it a name that is related to the interface and then maybe add "homenet" on the end (optional).

    • In this new whitelist, under the "Add auto-generated IP addresses" section, uncheck Local Networks.

    • At the bottom of the whitelist page, start typing the name of the Alias created in step #1.  It should auto-populate.  Select it and then save the new whitelist.

    • Lastly, go to the Snort interface where you want to set a custom HOME_NET.  Edit the interface and scroll down toward the bottom of the page.  In the Home Net drop-down, choose the newly created whitelist.  Save the changes and restart Snort on the interface.

    The counterintuitive part is that although it says "whitelist", it actually is just a list of networks or hosts that you tell Snort what to do with.  For example, it can treat the list as a HOME_NET or as a true whitelist of "never block" IPs.

    Bill



  • The default in the GUI is to automatically add all locally-attached networks to HOME_NET.  You can defeat this and configure your own HOME_NET, but the process is counterintuitive.

    If I remember correctly, as an alternative you can also define your own HOME_NET in the "Advanced configuration pass-through" section of the interface settings. The default HOME_NET will be overridden.



  • @gogol:

    The default in the GUI is to automatically add all locally-attached networks to HOME_NET.  You can defeat this and configure your own HOME_NET, but the process is counterintuitive.

    If I remember correctly, as an alternative you can also define your own HOME_NET in the "Advanced configuration pass-through" section of the interface settings. The default HOME_NET will be overridden.

    True, this method will also work.

    Bill
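Whichever of the two methods above is used (the whitelist-as-HOME_NET trick from Bill's post or the pass-through override from gogol's), the thing worth verifying afterwards is what actually ended up in the generated snort.conf for that interface. The following checker is an added example, not code from the thread or from the pfSense Snort package. It assumes the package writes one snort.conf per Snort interface (under /usr/local/etc/snort/snort_<id>_<iface>/ on pfSense, an assumption about the package layout), that HOME_NET is declared with `ipvar`, and that when the pass-through text repeats the `ipvar HOME_NET` line the last definition in the file is the one that takes effect, as gogol and Bill report. The sample configuration embedded below is constructed for the example.

```python
"""Check which HOME_NET a pfSense-generated snort.conf really ends up with.

Added example; not the thread's or the pfSense Snort package's own code.
Assumptions (see lead-in): one snort.conf per interface, HOME_NET declared
with `ipvar`, and the last `ipvar HOME_NET` line in the file wins.
"""
import ipaddress
import re

# Matches "ipvar NAME VALUE" lines; comment lines start with '#' and never match.
IPVAR_RE = re.compile(r"^\s*ipvar\s+(\w+)\s+(.+?)\s*$", re.MULTILINE)

# Constructed sample: the first HOME_NET is what the GUI generates when
# "Local Networks" is left checked (every VLAN plus loopback lands in it);
# the second is the operator's override typed into the pass-through box.
SAMPLE_CONF = """\
# --- GUI-generated variables (constructed sample) ---
ipvar HOME_NET [10.0.0.0/24,192.168.10.0/24,192.168.20.0/24,192.168.30.0/24,127.0.0.1]
ipvar EXTERNAL_NET !$HOME_NET
# --- Advanced configuration pass-through (constructed sample) ---
ipvar HOME_NET [192.168.20.0/24]
"""


def parse_ipvar_value(value):
    """Expand a Snort ipvar value into (included, excluded) lists of strings.

    Handles 'any', a single address/CIDR, and bracketed comma lists with
    optional '!' negation. Addresses are normalised to CIDR form; variable
    references such as $HOME_NET are kept as-is because they cannot be
    resolved without the rest of the file.
    """
    value = value.strip()
    if value == "any":
        return ["any"], []
    included, excluded = [], []
    for tok in (t.strip() for t in value.strip("[]").split(",")):
        if not tok:
            continue
        negate = tok.startswith("!")
        tok = tok.lstrip("!")
        net = tok if tok.startswith("$") else str(ipaddress.ip_network(tok, strict=False))
        (excluded if negate else included).append(net)
    return included, excluded


def home_net_definitions(conf_text):
    """Every HOME_NET ipvar value in the file, in file order (raw text)."""
    return [m.group(2) for m in IPVAR_RE.finditer(conf_text) if m.group(1) == "HOME_NET"]


def effective_home_net(conf_text):
    """Networks of the last HOME_NET definition (assumed to be the effective one)."""
    defs = home_net_definitions(conf_text)
    if not defs:
        raise ValueError("no ipvar HOME_NET found in configuration")
    included, _ = parse_ipvar_value(defs[-1])
    return included


def stray_networks(home_net, wanted):
    """Return HOME_NET entries that are not inside any of the wanted subnets.

    'any' and unresolved $VARIABLE references are reported as stray because
    they cannot be shown to be confined to the interface's own subnet.
    """
    wanted_nets = [ipaddress.ip_network(w, strict=False) for w in wanted]
    stray = []
    for entry in home_net:
        if entry == "any" or entry.startswith("$"):
            stray.append(entry)
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.version == w.version and net.subnet_of(w) for w in wanted_nets):
            stray.append(entry)
    return stray


if __name__ == "__main__":
    # Verify that only the VLAN this interface is meant to watch is in HOME_NET.
    wanted = ["192.168.20.0/24"]
    for i, raw in enumerate(home_net_definitions(SAMPLE_CONF), 1):
        inc, _ = parse_ipvar_value(raw)
        print(f"definition {i}: {inc}  stray: {stray_networks(inc, wanted)}")
    print("effective HOME_NET:", effective_home_net(SAMPLE_CONF))
```

To run it against a real box, read the interface's snort.conf into `conf_text` instead of `SAMPLE_CONF` and set `wanted` to the subnet that should be that interface's HOME_NET; any non-empty `stray_networks` result for the effective definition means the override did not take, or the whitelist still has "Local Networks" ticked.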

