Snort rules info

Snort rules info

user8446
Administrator
The shield is currently using the Open ruleset from Emerging Threats by Proofpoint: https://www.proofpoint.com/us/threat-intelligence-open-source-community

They post a daily ruleset summary so you can see what was added or deleted when your rules update: http://www.proofpoint.com/us/daily-ruleset-update-summary

The actual rules are here: https://rules.emergingthreats.net/open/snort-edge/rules/

The rules are changed from alert to drop so the packets are dropped.

Here is a new user guide regarding your rules: http://doc.emergingthreats.net/bin/view/Main/NewUserGuide

Here is a ruleset FAQ showing what is included in the different categories. It's old though, as many of the categories have changed: http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ

It's mentioned here and around the web that tuning is critical for your ruleset. This keeps out the false positives and keeps your network fast. If you don't have a certain device, product, or application, then you should delete those rules. Itus was getting feedback from users and through testing to also see which rules were breaking things. Since we are doing it ourselves, it's important to watch the logs and collaborate.

Running in bridge mode, 1.51 SP1 fw
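The two tuning steps the post describes (switching ET Open rules from alert to drop for inline use, and disabling rules for products you don't run) as a worked example. This is an added example, not the Shield's own update script; the rules in it are constructed in ET Open format for illustration (made-up sids in the 9000000 range, no real signature content), and the function names are this example's own.

```python
"""Tune an Emerging Threats Open rules file: 'alert' -> 'drop' for inline
mode, and comment out rules for products that are not on the network.

Added example, not Shield firmware code. SAMPLE_RULES is constructed for
this example and is not taken from the live ET Open ruleset.
"""
import re

# Constructed sample rules (made-up sids, no real detection content).
SAMPLE_RULES = """\
# sample ET Open rules, constructed for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Sample RDP probe"; flow:to_server; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY Sample Dropbox client checkin"; flow:established,to_server; sid:9000002; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Sample SNMP sweep"; sid:9000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Sample SMB overflow attempt"; flow:to_server; sid:9000004; rev:3;)
pass tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"local whitelist"; sid:9000005; rev:1;)
"""

# One Snort rule: optional leading '#', action, six-token header, (options).
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|sdrop|reject|pass|log)\s+"
    r"(?P<header>\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"sid:(\d+)")


def tune_rules(text, absent_keywords=()):
    """Return (tuned_text, stats).

    - active 'alert' rules become 'drop' (inline mode then blocks the packet)
    - active rules whose msg mentions an absent product are commented out
    - already-disabled rules, other actions, comments and blank lines pass through
    """
    absent = tuple(k.lower() for k in absent_keywords)
    out = []
    stats = {"converted": 0, "disabled": 0, "unchanged": 0}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and not m.group("disabled"):
            found = MSG_RE.search(m.group("options"))
            msg = found.group(1).lower() if found else ""
            if any(k in msg for k in absent):
                out.append("# " + line)  # keep the text so it can be re-enabled later
                stats["disabled"] += 1
                continue
            if m.group("action") == "alert":
                out.append(f"drop {m.group('header')} ({m.group('options')})")
                stats["converted"] += 1
                continue
        out.append(line)
        stats["unchanged"] += 1
    return "\n".join(out) + "\n", stats


def actions_by_sid(text):
    """Map sid -> action ('disabled' for commented-out rules), to audit what
    a tuning pass actually changed before the file goes live."""
    result = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        s = SID_RE.search(m.group("options"))
        if s:
            result[int(s.group(1))] = "disabled" if m.group("disabled") else m.group("action")
    return result


if __name__ == "__main__":
    tuned, stats = tune_rules(SAMPLE_RULES, absent_keywords=["RDP", "Dropbox"])
    print(tuned)
    print(stats, actions_by_sid(tuned))
```

Rules that are already commented out and rules with other actions (`pass`, `log`) are left alone, so a local whitelist survives the pass. The caveat the post is getting at: once everything is `drop`, a false positive is no longer just a log line but a blocked connection, so the audit step matters. For a real deployment the same job is usually done with pulledpork's `disablesid.conf`/`modifysid.conf` or oinkmaster rather than a one-off script.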

Re: Snort rules info

Me_3594
Have you noticed that in Snort Config the setting HOME_NET is a bit loose:

ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
ipvar FTP_SERVERS $HOME_NET
ipvar SIP_SERVERS $HOME_NET


http://superuser.com/questions/456790/error-while-running-snort suggested to change this to

ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]

or, more strictly, whatever your local LAN range is

ipvar HOME_NET [192.168.x.0/24]

Re: Snort rules info

user8446
Administrator
I agree. For bridge mode though it needs to stay on "any" since it's inspecting traffic wan to wan and home is actually your external IP.
Running in bridge mode, 1.51 SP1 fw

Re: Snort rules info

Gnomad
In reply to this post by Me_3594
Since I'm in Router mode, I'm considering making the edit
ipvar HOME_NET [192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]
 where 192.168 is the subnet of my modem, 10.1.1 is my access point (wifi router), and 10.10.10.10 is of course the Shield.

Similarly then, I should be able to change
ipvar EXTERNAL_NET any
 to
ipvar EXTERNAL_NET !$HOME_NET
Any issues anyone can spot?
Should I be treating the modem subnet as external too?
Router 1.51 SP1, fw_upgrade v8.3.3

Re: Snort rules info

Roadrunnere42
Hi
I tried
ipvar EXTERNAL_NET !$HOME_NET

but the Shield refused to connect to the internet, so I put in the IP of the router instead. All worked, but I'm not sure if this is correct:

ipvar EXTERNAL_NET 192.168.0.1

roadrunnere42

Re: Snort rules info

user8446
Administrator
In reply to this post by Gnomad
Gnomad wrote
Since I'm in Router mode, I'm considering making the edit
ipvar HOME_NET [192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]
 where 192.168 is the subnet of my modem, 10.1.1 is my access point (wifi router), and 10.10.10.10 is of course the Shield.

Similarly then, I should be able to change
ipvar EXTERNAL_NET any
 to
ipvar EXTERNAL_NET !$HOME_NET
Any issues anyone can spot?
Should I be treating the modem subnet as external too?

On the external it wouldn't break anything, but it wouldn't achieve anything either. That would just exclude from external the IPs you put into home. Since your LAN isn't on the internet and is hidden behind NAT, it would be the same as any.
Running in bridge mode, 1.51 SP1 fw

Re: Snort rules info

user8446
Administrator
In reply to this post by Roadrunnere42
Roadrunnere42 wrote
Hi
I tried
ipvar EXTERNAL_NET !$HOME_NET

but the Shield refused to connect to the internet, so I put in the IP of the router instead. All worked, but I'm not sure if this is correct:

ipvar EXTERNAL_NET 192.168.0.1

roadrunnere42

It didn't work because that syntax would cancel itself out. It's saying external IPs can be anything BUT what is listed in home_net, which is ANY. You would need to have something listed in home_net. Also, you basically disabled your rules when you put your internal IP in for your external. You want that to be ANY.
Running in bridge mode, 1.51 SP1 fw

Re: Snort rules info

Gnomad
In reply to this post by user8446
user8446 wrote
Gnomad wrote
Since I'm in Router mode, I'm considering making the edit
ipvar HOME_NET [192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]
 where 192.168 is the subnet of my modem, 10.1.1 is my access point (wifi router), and 10.10.10.10 is of course the Shield.

Similarly then, I should be able to change
ipvar EXTERNAL_NET any
 to
ipvar EXTERNAL_NET !$HOME_NET
Any issues anyone can spot?
Should I be treating the modem subnet as external too?
On the external it wouldn't break anything, but it wouldn't achieve anything either. That would just exclude from external the IPs you put into home. Since your LAN isn't on the internet and is hidden behind NAT, it would be the same as any.
I take your point, but from the perspective of the router, my access point holds a 10.10.10.X DHCP lease. So I do at least want to exclude the 10.10.10 subnet from the external ruleset. Maybe the below would be more accurate then; I'm just not sure whether the ![10.10.10.0/24] syntax would be exactly correct.
ipvar EXTERNAL_NET ![10.10.10.0/24]
Router 1.51 SP1, fw_upgrade v8.3.3
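A worked example covering the HOME_NET/EXTERNAL_NET question raised in Me_3594's post and the negation variants tried later in the thread (`!$HOME_NET` with HOME_NET still `any`, and `![10.10.10.0/24]`). It resolves `ipvar` definitions with the list semantics from the Snort 2.9 manual (an address matches when it is in some non-negated element and in none of the negated ones; negating `any` and negating a range wider than an included one are both rejected) and then checks which sample packets would satisfy the `$EXTERNAL_NET any -> $HOME_NET any` header that most ET rules use. This is an added example, not Snort's own variable parser and not Shield firmware; the four configs are constructed from what the posts show, the packet addresses are made up, and all helper names are this example's own.

```python
"""Resolve Snort 'ipvar' definitions and test which packets fall under
$EXTERNAL_NET -> $HOME_NET for the configs discussed in this thread.

Added example, not Snort code and not Shield firmware. Configs below are
constructed from the posts; helper names are this example's own.
"""
import ipaddress


class IpVar:
    """Snort 2.9 ipvar semantics: match when inside some non-negated
    element AND inside none of the negated elements."""

    def __init__(self, any_=False, includes=(), excludes=()):
        self.any = any_
        self.includes = list(includes)
        self.excludes = list(excludes)

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        if any(ip in net for net in self.excludes):
            return False
        return self.any or any(ip in net for net in self.includes)


def _split_top_level(body):
    """Split 'a,[b,c],d' on the commas that are not inside brackets."""
    parts, depth, cur = [], 0, []
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def resolve(expr, env):
    """Resolve one value ('any', '10.0.0.0/8', '$HOME_NET', '![a,b]',
    '[a,!$b]') against already-defined variables. Raises ValueError for
    the forms Snort itself refuses to load."""
    expr = expr.strip()
    if expr.startswith("!"):
        inner = resolve(expr[1:], env)
        if inner.any:
            raise ValueError("Snort does not allow negating 'any': " + expr)
        if inner.excludes:
            raise ValueError("double negation not supported in this example: " + expr)
        return IpVar(any_=True, excludes=inner.includes)
    if expr.startswith("[") and expr.endswith("]"):
        merged = IpVar()
        for part in _split_top_level(expr[1:-1]):
            sub = resolve(part, env)
            merged.any = merged.any or sub.any
            merged.includes += sub.includes
            merged.excludes += sub.excludes
        # Snort rejects a negated range as wide as or wider than an included
        # one, e.g. [1.1.1.0/24,!1.1.0.0/16].
        for ex in merged.excludes:
            if any(inc.subnet_of(ex) for inc in merged.includes):
                raise ValueError(f"negated {ex} swallows an included range")
        return merged
    if expr.startswith("$"):
        if expr[1:] not in env:
            raise ValueError("undefined variable " + expr)
        return env[expr[1:]]
    if expr == "any":
        return IpVar(any_=True)
    return IpVar(includes=[ipaddress.ip_network(expr, strict=False)])


def load_config(text):
    """Parse 'ipvar NAME VALUE' lines in file order (later lines may refer
    to earlier variables, as snort.conf does); returns {name: IpVar}."""
    env = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("ipvar "):
            _, name, value = line.split(None, 2)
            env[name] = resolve(value, env)
    return env


def config_error(text):
    """The load error for a config, or None when it loads cleanly."""
    try:
        load_config(text)
    except ValueError as e:
        return str(e)
    return None


def hits_inbound_rule(env, src, dst):
    """Does src -> dst satisfy 'alert tcp $EXTERNAL_NET any -> $HOME_NET any'?"""
    return env["EXTERNAL_NET"].contains(src) and env["HOME_NET"].contains(dst)


# Constructed configs: Shield defaults, Gnomad's router-mode edit,
# Roadrunnere42's negated-any attempt, Gnomad's ![10.10.10.0/24] variant.
SHIELD_DEFAULT = "ipvar HOME_NET any\nipvar EXTERNAL_NET any\nipvar DNS_SERVERS $HOME_NET\n"
ROUTER_MODE = ("ipvar HOME_NET [192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]\n"
               "ipvar EXTERNAL_NET !$HOME_NET\n")
NEGATED_ANY = "ipvar HOME_NET any\nipvar EXTERNAL_NET !$HOME_NET\n"
SHIELD_ONLY = ("ipvar HOME_NET [192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]\n"
               "ipvar EXTERNAL_NET ![10.10.10.0/24]\n")

if __name__ == "__main__":
    for name, cfg in [("default", SHIELD_DEFAULT), ("router", ROUTER_MODE),
                      ("negated any", NEGATED_ANY), ("shield only", SHIELD_ONLY)]:
        # AP-subnet host (10.1.1.5) talking to the Shield (10.10.10.10)
        print(name, config_error(cfg) or hits_inbound_rule(load_config(cfg), "10.1.1.5", "10.10.10.10"))
```

What the sample packets show: with the stock `any`/`any` pair, a packet from the access-point subnet to the Shield satisfies every `$EXTERNAL_NET -> $HOME_NET` rule header, so LAN-to-LAN chatter is inspected as if it came from the internet (the false-positive cost Me_3594 is pointing at). With HOME_NET set to the real LAN ranges and `EXTERNAL_NET !$HOME_NET`, that same packet no longer matches, while a packet from 203.0.113.7 still does. Leaving HOME_NET at `any` and negating it is not a silent no-op: Snort refuses `!any`, which is what this resolver reproduces. The `![10.10.10.0/24]` form is valid syntax, but because it excludes only the Shield's own subnet, traffic from 10.1.1.0/24 still counts as external.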