ClearFoundation Tracker - ClearOS
View Issue Details
Issue ID: 0001215
Project: ClearOS
Category: app-intrusion-detection - Intrusion Detection
View Status: public
Date Submitted: 2013-07-08 05:46
Last Update: 2013-08-21 21:20
Reporter: NickH
Assigned To: user2
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 6.4.0
Target Version: 6.5.0 Beta 1
Fixed in Version: 6.5.0 Beta 1
Summary: 0001215: In snort.conf HOME_NET needs configuring with better defaults or automatically
In snort.conf there is a parameter HOME_NET which, by default, is set to "any". This works with the default rule set but is prone to fail with more advanced rules such as some of those from Emerging Threats. This is because they sometimes use the notation ! $HOME_NET which resolves to !any, and !any is not allowed in snort.
There are a couple of workarounds which come to mind:
1 - Configure HOME_NET to the current LAN subnets automatically by some background magic which fires when the LANs are changed
2 - Set HOME_NET to [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]. This is a quick and dirty fix to set it to all private LAN ranges.
Additional Information: n/a
No tags attached.
Relationships: related to 0001225 (closed, user2): Remove old network configuration munging in init script
Issue History
2013-07-08 05:46  NickH  New Issue
2013-07-08 07:16  user2  Assigned To => user2
2013-07-08 07:16  user2  Status: new => confirmed
2013-07-08 09:36  user2  Note Added: 0000918
2013-07-13 08:16  NickH  Note Added: 0000926
2013-07-15 07:46  user2  Relationship added: related to 0001225
2013-07-15 07:50  user2  Note Added: 0000927
2013-08-02 10:10  user2  Status: confirmed => resolved
2013-08-02 10:10  user2  Fixed in Version => 6.5.0 Beta 1
2013-08-02 10:10  user2  Resolution: open => fixed
2013-08-21 15:02  user2  Target Version => 6.5.0 Beta 1
2013-08-21 15:03  user2  Checkin
2013-08-21 15:03  user2  Note Added: 0000981
2013-08-21 15:03  user2  Category: snort => app-intrusion-detection - Intrusion Detection
2013-08-21 21:20  user2  Status: resolved => closed

Notes
(0000918) user2 2013-07-08 09:36
This is much easier to do with the clearsync/event system in ClearOS 6 :-)

When a network configuration change happens, the system (clearsync) will run any script found in /var/clearos/events/network_configuration. It would be a matter of writing a script (shell, PHP, etc) to munge the HOME_NET parameter in snort.conf. If someone wants to give this a try, here are a couple of tips:

1) It should be possible to disable automagic through a configuration file, e.g. add a configuration file /etc/clearos/intrusion_detection.conf:

automagic=yes

2) The snort.conf change should only happen when something actually changes
(0000926) NickH 2013-07-13 08:16
The code is all in the /etc/init.d/snort file but it is buggy.

If you change:

for NET in $AUTOMAGIC_LANNETS $AUTOMAGIC_DMZNETS $AUTOMAGIC_EXTNETS; do
to
for NET in $AUTOMAGIC_LANNETS $AUTOMAGIC_DMZNETS $EXTRALANS; do

and

sed -i -e "s/^var HOME_NET.*/var HOME_NET [${NETLIST}]/" /etc/snort.conf
to
sed -i -e "s/^ipvar HOME_NET.*/ipvar HOME_NET [${NETLIST}]/" /etc/snort.conf

then HOME_NET gets defined correctly. Note that in the first line I changed, I dropped the $AUTOMAGIC_EXTNETS. I am not sure why that is there, but it gives my WAN subnet, which seems to be wrong. If it is not needed, the code:

    # AUTOMAGIC_EXTNETS was added with multi-WAN support.
    # Use old AUTOMAGIC_EXTNET (no S) if AUTOMAGIC_EXTNETS does not exist.
    
    if [ -z "$AUTOMAGIC_EXTNETS" ]; then
        AUTOMAGIC_EXTNETS="$AUTOMAGIC_EXTNET"
    fi

can be removed.
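To show how the two notes above fit together (user2's tips on a switchable, change-only update of snort.conf, and NickH's list of subnet variables and the "ipvar" keyword fix), here is an added example of a clearsync network_configuration handler. It is not ClearOS's own script. The paths /etc/clearos/intrusion_detection.conf, /etc/snort.conf and /var/clearos/events/network_configuration and the variable names AUTOMAGIC_LANNETS, AUTOMAGIC_DMZNETS and EXTRALANS come from the notes; the function names, the layout of the file that defines those variables and the sample subnets are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Example clearsync handler for /var/clearos/events/network_configuration (added
# example, not the ClearOS script). Paths from the notes above:
# /etc/clearos/intrusion_detection.conf and /etc/snort.conf. Everything else
# (function names, network file layout, sample subnets) is an assumption.

IDS_CONF="${IDS_CONF:-/etc/clearos/intrusion_detection.conf}"
SNORT_CONF="${SNORT_CONF:-/etc/snort.conf}"

# Tip 1: automagic can be switched off with automagic=no in IDS_CONF.
# A missing file or any other value keeps the default of "yes".
automagic_enabled() {
    if [ -r "$IDS_CONF" ] && grep -qi '^automagic=no' "$IDS_CONF"; then
        return 1
    fi
    return 0
}

# Join the subnet arguments with commas, skipping empty and duplicate entries.
# Prints nothing if no subnet was supplied.
build_netlist() {
    list=""
    for net in "$@"; do
        [ -n "$net" ] || continue
        case ",$list," in *",$net,"*) continue ;; esac
        list="${list:+$list,}$net"
    done
    printf '%s' "$list"
}

# Tip 2: rewrite the ipvar HOME_NET line only when the value really differs.
# Prints "changed", "unchanged" or "skipped". An empty list is skipped rather
# than written: "ipvar HOME_NET []" would be no better than "any" for !$HOME_NET rules.
update_home_net() {
    netlist="$1"
    if [ -z "$netlist" ]; then
        printf 'skipped'
        return 0
    fi
    current=$(sed -n 's/^ipvar HOME_NET \[\(.*\)\]$/\1/p' "$SNORT_CONF")
    if [ "$current" = "$netlist" ]; then
        printf 'unchanged'
        return 0
    fi
    # Same substitution as the init script, with the "ipvar" keyword fix from the
    # note; written via a temp file instead of sed -i so non-GNU sed works too.
    tmp="$SNORT_CONF.tmp.$$"
    sed -e "s|^ipvar HOME_NET.*|ipvar HOME_NET [${netlist}]|" "$SNORT_CONF" > "$tmp" \
        && mv "$tmp" "$SNORT_CONF"
    printf 'changed'
}

# The handler body. $1 is a shell-style file defining AUTOMAGIC_LANNETS,
# AUTOMAGIC_DMZNETS and EXTRALANS (names from the init script quoted above; the
# file's location is an assumption). AUTOMAGIC_EXTNETS is left out on purpose, as
# the note above argues the WAN subnet does not belong in HOME_NET.
run_event() {
    automagic_enabled || { printf 'disabled'; return 0; }
    AUTOMAGIC_LANNETS=""; AUTOMAGIC_DMZNETS=""; EXTRALANS=""
    . "$1"
    update_home_net "$(build_netlist $AUTOMAGIC_LANNETS $AUTOMAGIC_DMZNETS $EXTRALANS)"
}

# Demonstration against constructed temporary files, never the live /etc.
demo() {
    d=$(mktemp -d)
    SNORT_CONF="$d/snort.conf"
    IDS_CONF="$d/intrusion_detection.conf"
    printf 'ipvar HOME_NET any\nipvar EXTERNAL_NET !$HOME_NET\n' > "$SNORT_CONF"
    printf 'automagic=yes\n' > "$IDS_CONF"
    printf 'AUTOMAGIC_LANNETS="192.168.1.0/24 192.168.2.0/24"\nAUTOMAGIC_DMZNETS="172.16.5.0/24"\nEXTRALANS=""\n' > "$d/network"
    echo "first run:  $(run_event "$d/network")"   # changed
    echo "second run: $(run_event "$d/network")"   # unchanged
    grep '^ipvar HOME_NET' "$SNORT_CONF"
    rm -rf "$d"
}

demo
```

Dropped into /var/clearos/events/network_configuration and made executable, a script of this shape would be run by clearsync on every network change, as note 0000918 describes; the demo call at the bottom exercises it against temporary files so it can be read and run without touching /etc.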
(0000927) user2 2013-07-15 07:50
I just added 0001225 - remove the code from the init script. Getting there :-)
(0000981) user2 2013-08-21 15:03
Source Code Changelog
---------------------------------------------------
- Migrated network auto configuration [tracker 0001215]

File Changes
---------------------------------------------------
Details: http://code.clearfoundation.com/svn/revision.php?repname=ClearOS&rev=6403
U webconfig/apps/intrusion_detection/trunk/deploy/info.php
A webconfig/apps/intrusion_detection/trunk/deploy/upgrade
U webconfig/apps/intrusion_detection/trunk/packaging/app-intrusion-detection.spec
A webconfig/apps/intrusion_detection/trunk/packaging/network-connected-event