ClearFoundation Tracker - ClearOS |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0001215 | ClearOS | app-intrusion-detection - Intrusion Detection | public | 2013-07-08 05:46 | 2013-08-21 21:20 |
|
| Reporter | NickH | |
| Assigned To | user2 | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | 6.4.0 | |
| Target Version | 6.5.0 Beta 1 | Fixed in Version | 6.5.0 Beta 1 | |
|
| Summary | 0001215: In snort.conf HOME_NET needs configuring with better defaults or automatically |
| Description | In snort.conf there is a parameter HOME_NET which, by default is set to "any". This works with the default rule set but is prone to fail wth more advanced rules such as some of those from Emerging Threats. This is because they sometimes use the notation ! $HOME_NET which resolves to !any, and !any is not allowed in snort.
There are a couple of workrounds which come to mind:
1 - Configure HOME_NET to the current LAN subnets automatically by some background magic which fires when the LAN's are changed
2 - Set HOME_NET to [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]. This is a quick and dirty fix to set it to all private LAN ranges. |
| Steps To Reproduce | n/a |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | 0001225 | closed | user2 | Remove old network configuration munging in init script |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2013-07-08 05:46 | NickH | New Issue | |
| 2013-07-08 07:16 | user2 | Assigned To | => user2 |
| 2013-07-08 07:16 | user2 | Status | new => confirmed |
| 2013-07-08 09:36 | user2 | Note Added: 0000918 | |
| 2013-07-13 08:16 | NickH | Note Added: 0000926 | |
| 2013-07-15 07:46 | user2 | Relationship added | related to 0001225 |
| 2013-07-15 07:50 | user2 | Note Added: 0000927 | |
| 2013-08-02 10:10 | user2 | Status | confirmed => resolved |
| 2013-08-02 10:10 | user2 | Fixed in Version | => 6.5.0 Beta 1 |
| 2013-08-02 10:10 | user2 | Resolution | open => fixed |
| 2013-08-21 15:02 | user2 | Target Version | => 6.5.0 Beta 1 |
| 2013-08-21 15:03 | user2 | Checkin | |
| 2013-08-21 15:03 | user2 | Note Added: 0000981 | |
| 2013-08-21 15:03 | user2 | Category | snort => app-intrusion-detection - Intrusion Detection |
| 2013-08-21 21:20 | user2 | Status | resolved => closed |
|
Notes |
|
|
(0000918)
|
|
user2
|
|
2013-07-08 09:36
|
|
This is much easier to do with the clearsync/event system in ClearOS 6 :-)
When a network configuration change happens, the system (clearsync) will run any script found in /var/clearos/events/network_configuration. It would be a matter of writing a script (shell, PHP, etc) to munge the HOME_NET parameter in snort.conf. If someone wants to give this a try, here are a couple of tips:
1) It should be possible to disable automagic through a configuration file, e.g. add a configuration file /etc/clearos/intrusion_detection.conf:
automagic=yes
2) The snort.conf change should only happen when something actually changes |
|
|
|
(0000926)
|
|
NickH
|
|
2013-07-13 08:16
|
|
The code is all in the /etc/init.d/snort file but it is buggy.
If you change:
for NET in $AUTOMAGIC_LANNETS $AUTOMAGIC_DMZNETS $AUTOMAGIC_EXTNETS; do
to
for NET in $AUTOMAGIC_LANNETS $AUTOMAGIC_DMZNETS $EXTRALANS; do
and
sed -i -e "s/^var HOME_NET.*/var HOME_NET [${NETLIST}]/" /etc/snort.conf
to
sed -i -e "s/^ipvar HOME_NET.*/ipvar HOME_NET [${NETLIST}]/" /etc/snort.conf
then HOME_NET gets defined correctly. Note in the first line I changed I dropped the $AUTOMAGIC_EXTNETS. I am not sure why that is there but it gives my WAN subnet which seems to be wrong. If it is not needed the code:
# AUTOMAGIC_EXTNETS was added with multi-WAN support.
# Use old AUTOMAGIC_EXTNET (no S) if AUTOMAGIC_EXTNETS does not exist.
if [ -z "$AUTOMAGIC_EXTNETS" ]; then
AUTOMAGIC_EXTNETS="$AUTOMAGIC_EXTNET"
fi
can be removed. |
|
|
|
(0000927)
|
|
user2
|
|
2013-07-15 07:50
|
|
|
I just added 0001225 - remove the code from the init script. Getting there :-) |
|
|
|
(0000981)
|
|
user2
|
|
2013-08-21 15:03
|
|
Source Code Changelog
---------------------------------------------------
- Migrated network auto configuration [tracker 0001215]
File Changes
---------------------------------------------------
Details: http://code.clearfoundation.com/svn/revision.php?repname=ClearOS&rev=6403 [^]
U webconfig/apps/intrusion_detection/trunk/deploy/info.php
A webconfig/apps/intrusion_detection/trunk/deploy/upgrade
U webconfig/apps/intrusion_detection/trunk/packaging/app-intrusion-detection.spec
A webconfig/apps/intrusion_detection/trunk/packaging/network-connected-event
|
|