Re: Question about !HOME_NET

["Nick Baronian" <kvetch () gmail com>]

Thanks Shirkdog, sorry ya my post wias clear.  I had set EXTERNAL_NET
to !$HOME_NET and I am getting logs for tons of internal addresses
still.  I see a ton like this.
00:04:48.084912 IP 10.20.16.10.3277 > 64.233.167.99.http: tcp 478
I have all other rules commented out right now so the only rule is
alert tcp !$HOME_NET -> $EXTERNAL_NET any (msg:"NonCorp IP detected";)
in other words
alert tcp !$HOME_NET -> !$HOME_NET any (msg:"NonCorp IP detected";)
I am not getting an alert log because I think my rule is right and
nothing has triggered it but the snort.log file is logging everything.
 How can I get it to only log stuff in the rule and ignore the rest?
I can't figure out if the -N flag is what I want because I haven't
seen any nonCorp IP's in weeks so I haven't verified.  I guess I will
need to re-IP a box with a invalid IP to test.

Regarding the policy about people jacking into the network, my address
is 1600 Pennsylvania Avenue, DC ;).  Yeah, we do have policies in
place (plus you can't get into the building without an escort with
you) the nonCorp IP's can't talk to anything but some of the older
switches seem to be broadcasting their request and I want to find
these switches using the link layer of the packet.  We have something
like 70odd locations and I need an easier way than reading the
Firewall logs for catching vendors and whomever plugging into an open
jack with non corp. IP's.  I figure this way Snort can alert me and
log the packet so I can make sure nothing too funny is going on.

Thanks,
Nick

On 10/11/06, M. Shirk <shirkdog_list () hotmail com> wrote:
> Well Snort can help detect such traffic, but you have a problem with your
> security policy and procedures if people are just showing up and jacking
> into the wall and having full access to the network (where is your
> addresss???? ) :-)
>
> Also, what is $EXTERNAL_NET set to? probably "any" in the snort.conf?
>
> And why are you using ALL of the private addresses? you should be using a
> variable that is something like
>
> var HOME_NET [10.111.0.0/16]
> var EVIL_NET !$HOME_NET
>
>
> More then likely, an on internal network, your sig will fire on every packet
> :-)
>
> Ok finchy, your turn.
>
> Shirkdog
> http://www.shirkdog.us
>
>
>
>
> > From: "Nick Baronian" <kvetch () gmail com>
> > To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
> > Subject: [Snort-users] Question about !HOME_NET
> > Date: Wed, 11 Oct 2006 10:47:00 -0400
> >
> > I am trying to setup a simple rule but it doesn't appear to be
> > working. We have has some issues with people plugging in their laptops
> > to our corp. network. Some of these folks have static addresses and
> > try to send some traffic outbound, while the traffic gets dropped at a
> > firewall I want to log and alert on any non Home_NET IP's trying to go
> > out. I thought it would be fairly easy just set home_net to something
> > like
> > var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] and var HOME_NET
> > [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] then comment out other rules
> > in snort.conf except local.rule.
> > In local rule set it to something like
> > alert ip !HOME_NET any -> $EXTERNAL_NET any (msg:"nonwork routable IP
> > detected";)
> >
> > I then start snort like
> > snort -e -i eth1 -l /u01/snort -s -D &
> >
> > When I look at the log down /u01/snort it lists tons of IP's going
> > from an IP like 10.30 or 172.x.x.x going to some random IP.  How do I
> > get my rules to only log the packets for non-Home_Net IP's trying to
> > talk to other non-Home_Net IP's?
> >
> > Thanks,
> > Nick
> >
> > -------------------------------------------------------------------------
> > Using Tomcat but need to do more? Need to support web services, security?
> > Get stuff done quickly with pre-integrated technology to make your job
> > easier
> > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _________________________________________________________________
> Be seen and heard with Windows Live Messenger and Microsoft LifeCams
> http://clk.atdmt.com/MSN/go/msnnkwme0020000001msn/direct/01/?href=http://www.microsoft.com/hardware/digitalcommunication/default.mspx?locale=en-us&source=hmtagline
>
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users