
| Subject: | Re: [Snort-users] Question about !HOME_NET |
|---|---|
| Date: | Wed, 11 Oct 2006 15:50:47 -0400 |
I think my rule is right but for some reason it doesn't create an alert file and it is logging every packet. Local.rules is the only rule and that is

```
alert ip !$HOME_NET any -> $EXTERNAL_NET any (msg:"External IP detected";)
```
My snort.conf looks like

```
var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
ruletype holycrap
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}
include classification.config
include reference.config
include $RULE_PATH/local.rules
```
I am starting snort by using the following:

```
# snort -e -i eth1 -l /var/log/snort -D -s -k none &
```

I tossed the -k in there because I ran across that phantom pcap chksum bug thingie last week when playing around with Snort on Fedora and this is a RHWS4 box.
As soon as I start Snort it starts writing a snort.log and no alert file. The snort.log quickly becomes huge and appears to be logging everything. It contains stuff like

```
15:18:28.420291 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0
15:18:28.420301 IP 64.86.105.235.rtsp > 172.30.19.40.4089: tcp 1380
15:18:28.420322 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0
15:18:28.420331 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0
15:18:28.420340 IP 10.20.208.28.4641 > 64.86.105.230.http: tcp 0
15:18:28.420349 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0
15:18:28.420415 IP 172.16.25.27.syslog > 172.16.15.17.syslog: UDP, length 78
```

If my rule is right, the snort.log shouldn't have any of the 172.30/16's, nor any 10.20.x.x addresses in it, right?

Does anyone see what I am doing wrong?
Thanks,
Nick
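To check which of the logged packets the header `!$HOME_NET any -> $EXTERNAL_NET any` actually covers, here is a small evaluator for Snort address fields (an added example, not part of the original post and not Snort's own parser). It handles `any`, `!` negation, `$VAR` substitution, bracketed lists and CIDR, pulls the source and destination address out of the tcpdump-style lines quoted in the post, and assumes the HOME_NET and EXTERNAL_NET definitions from the post's snort.conf; the final sample packet is constructed, and a mixed list such as `[$HOME_NET,!10.20.0.0/16]` is treated as a plain union, which is an assumption rather than Snort's exact semantics.

```python
import ipaddress
import re

# Variables from the post's snort.conf (HOME_NET is the author's own list).
VARIABLES = {"HOME_NET": "[172.0.0.0/8,10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}

def split_list(body):
    # Split a Snort list body on top-level commas, keeping nested [...] intact.
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p for p in parts + [cur] if p]

def parse_addr(spec, variables=VARIABLES):
    # Build an ip -> bool predicate for a Snort address field: any, !x, $VAR, [a,b], CIDR.
    # Assumption: list members are ORed; mixed negated members inside a list are not modelled.
    spec = spec.strip()
    if spec == "any":
        return lambda ip: True
    if spec.startswith("!"):
        inner = parse_addr(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return parse_addr(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        members = [parse_addr(m, variables) for m in split_list(spec[1:-1])]
        return lambda ip: any(m(ip) for m in members)
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

# Address pair of a tcpdump-style log line: "IP a.b.c.d.port > e.f.g.h.port:"
LOG_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\S+ > (\d+\.\d+\.\d+\.\d+)\.\S+:")

def matching_lines(log_lines, src_spec="!$HOME_NET", dst_spec="$EXTERNAL_NET"):
    # Return the log lines whose source AND destination the rule header would match.
    src_ok, dst_ok = parse_addr(src_spec), parse_addr(dst_spec)
    pairs = [(line, LOG_RE.search(line)) for line in log_lines]
    return [line for line, m in pairs if m and src_ok(m.group(1)) and dst_ok(m.group(2))]

# Three lines from the post's snort.log excerpt plus one constructed external-to-external packet.
SAMPLE_LOG = [
    "15:18:28.420291 IP 172.30.19.40.4089 > 64.86.105.230.rtsp: tcp 0",
    "15:18:28.420301 IP 64.86.105.235.rtsp > 172.30.19.40.4089: tcp 1380",
    "15:18:28.420322 IP 10.20.7.18.3624 > 68.178.236.24.http: tcp 0",
    "15:18:28.500000 IP 203.0.113.5.40000 > 198.51.100.9.http: tcp 0",  # constructed
]
```

With the post's HOME_NET, both address fields of that header require an endpoint outside HOME_NET, so `matching_lines(SAMPLE_LOG)` returns only the constructed external-to-external packet and none of the quoted lines.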