Change Homenet Snort
-
Hi guys
I have a bunch of VLANs configured on my Snort box. Now I'm trying to set up Snort only for a few interfaces. The main problem is that if I add a VLAN interface to Snort, all networks are listed in the default homenet.
How can I create a homenet for each interface?
I'm running pfSense 2.1-RELEASE and Snort 2.9.5.5 pkg v3.0.1.
regards
supermega
-
The default in the GUI is to automatically add all locally-attached networks to HOME_NET. You can defeat this and configure your own HOME_NET, but the process is counterintuitive.
-
First, create an Alias containing the subnet you want to be HOME_NET for the interface. Do this under Firewall > Aliases.
-
Now go to the Whitelists tab and create a new whitelist. Give it a name that is related to the interface, and then maybe add "homenet" on the end (optional).
-
In this new whitelist, under the "Add auto-generated IP addresses" section, uncheck Local Networks.
-
At the bottom of the whitelist page, start typing the name of the Alias created in step #1. It should auto-populate. Select it and then save the new whitelist.
-
Lastly, go to the Snort interface where you want to set a custom HOME_NET. Edit the interface and scroll down toward the bottom of the page. In the Home Net drop-down, choose the newly created whitelist. Save the changes and restart Snort on the interface.
The counterintuitive part is that although it says "whitelist", it actually is just a list of networks or hosts that you tell Snort what to do with. For example, it can treat the list as a HOME_NET or as a true whitelist of "never block" IPs.
Bill
-
If I remember correctly, as an alternative you can also define your own HOME_NET in the "Advanced configuration pass-through" section of the interface settings. The default HOME_NET will be overridden.
-
True, this method will also work.
Bill
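Whichever method is used (the whitelist-based HOME_NET from Bill's steps, or an `ipvar HOME_NET` line in the pass-through box), the thing worth checking afterwards is the HOME_NET that actually ended up in the interface's generated snort.conf. The following is an added example, not code from the thread or from the pfSense Snort package: it takes the last `ipvar HOME_NET` definition in a conf text (assumption: a later definition overrides an earlier one, which is how a pass-through line takes effect) and reports whether the intended subnet is covered and whether any other VLAN subnet leaked in, which is the problem the original post describes. The conf text below is constructed, and the path of the generated file, `/usr/local/etc/snort/snort_<id>_<iface>/snort.conf`, is an assumption about the package layout.

```python
import ipaddress
import re

# Constructed sample of a generated snort.conf: the GUI default HOME_NET
# (every local network) followed by a pass-through override for one VLAN.
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.1.0/24,192.168.10.0/24,192.168.20.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET any
# --- constructed: the lines below stand in for the pass-through box ---
ipvar HOME_NET [192.168.10.0/24,!192.168.10.5]
"""

IPVAR_RE = re.compile(r"^\s*ipvar\s+(\w+)\s+(.+?)\s*$", re.M)


def parse_ipvar(conf_text, name="HOME_NET"):
    """Return (includes, excludes) networks for the LAST definition of `name`.
    Handles 'any', a flat [a,b,!c] list, and bare addresses; nested lists are
    not handled, since the GUI and a pass-through line do not produce them."""
    values = [v for n, v in IPVAR_RE.findall(conf_text) if n == name]
    if not values:
        return None
    raw = values[-1].strip()
    if raw == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], []
    includes, excludes = [], []
    for item in raw.strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (excludes if item.startswith("!") else includes).append(net)
    return includes, excludes


def _covered(net, nets):
    # True when `net` overlaps any network in `nets` (same IP version only).
    return any(n.version == net.version and (net.subnet_of(n) or n.subnet_of(net))
               for n in nets)


def check_home_net(conf_text, wanted_nets, other_vlan_nets):
    """Report whether HOME_NET covers the interface's own subnet(s) and whether
    any of the other VLAN subnets leaked into it."""
    parsed = parse_ipvar(conf_text)
    if parsed is None:
        return {"ok": False, "missing": list(wanted_nets), "leaked": []}
    includes, _ = parsed
    missing = [w for w in wanted_nets if not _covered(ipaddress.ip_network(w), includes)]
    leaked = [o for o in other_vlan_nets if _covered(ipaddress.ip_network(o), includes)]
    return {"ok": not missing and not leaked, "missing": missing, "leaked": leaked}
```

To run it against a live box, read the generated snort.conf for the interface into `conf_text` and pass that interface's Alias subnet as `wanted_nets` and the remaining VLAN subnets as `other_vlan_nets`.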