ClearOS Bug Tracker

ID: 0001215
Project: ClearOS
Category: app-intrusion-detection - Intrusion Detection
View Status: public
Date Submitted: 2013-07-08 05:46
Last Update: 2013-08-21 21:20
Assigned To: user2
Platform / OS / OS Version: (not set)
Product Version: 6.4.0
Target Version: 6.5.0 Beta 1
Fixed in Version: 6.5.0 Beta 1
Summary: 0001215: In snort.conf HOME_NET needs configuring with better defaults or automatically
Description: In snort.conf there is a parameter HOME_NET which, by default, is set to "any". This works with the default rule set but is prone to fail with more advanced rules such as some of those from Emerging Threats. This is because they sometimes use the notation ! $HOME_NET which resolves to !any, and !any is not allowed in snort.
There are a couple of workarounds which come to mind:
1 - Configure HOME_NET to the current LAN subnets automatically by some background magic which fires when the LANs are changed
2 - Set HOME_NET to [,,]. This is a quick and dirty fix to set it to all private LAN ranges.
Steps To Reproduce: n/a
Tags: No tags attached.
Attached Files

- Relationships
related to 0001225 (closed, user2): Remove old network configuration munging in init script

- Notes
2013-07-08 09:36

This is much easier to do with the clearsync/event system in ClearOS 6 :-)

When a network configuration change happens, the system (clearsync) will run any script found in /var/clearos/events/network_configuration. It would be a matter of writing a script (shell, PHP, etc) to munge the HOME_NET parameter in snort.conf. If someone wants to give this a try, here are a couple of tips:

1) It should be possible to disable automagic through a configuration file, e.g. add a configuration file /etc/clearos/intrusion_detection.conf:


2) The snort.conf change should only happen when something actually changes
NickH (developer)
2013-07-13 08:16

The code is all in the /etc/init.d/snort file but it is buggy.

If you change:



    sed -i -e "s/^var HOME_NET.*/var HOME_NET [${NETLIST}]/" /etc/snort.conf
    sed -i -e "s/^ipvar HOME_NET.*/ipvar HOME_NET [${NETLIST}]/" /etc/snort.conf

then HOME_NET gets defined correctly. Note in the first line I changed I dropped the $AUTOMAGIC_EXTNETS. I am not sure why that is there but it gives my WAN subnet which seems to be wrong. If it is not needed the code:

    # AUTOMAGIC_EXTNETS was added with multi-WAN support.
    # Use old AUTOMAGIC_EXTNET (no S) if AUTOMAGIC_EXTNETS does not exist.
    if [ -z "$AUTOMAGIC_EXTNETS" ]; then

can be removed.
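Putting the tips from the first note (event hook under /var/clearos/events/network_configuration, opt-out through /etc/clearos/intrusion_detection.conf, rewrite only when something actually changes) together with NickH's two sed lines, here is an added example of such a hook script; it is not ClearOS project code. The opt-out key name automagic_home_net, the IDS_CONF override used for testing, and passing the LAN subnets in as arguments are assumptions, since the page does not show how the init script derives NETLIST.

```shell
#!/bin/sh
# Added example, not ClearOS code: clearsync network_configuration hook that
# rewrites HOME_NET in snort.conf from the LAN subnets. It skips the rewrite
# when the value is already current and honours an opt-out file. The key
# "automagic_home_net", the IDS_CONF override and the argument-based subnet
# list are assumptions; the sed substitutions are the ones from the note above.

# Join subnet arguments into snort list syntax: [192.0.2.0/24,198.51.100.0/24]
build_home_net() {
    [ "$#" -gt 0 ] || return 1          # no LAN subnets: leave snort.conf alone
    printf '[%s]' "$(printf '%s\n' "$@" | paste -s -d ',')"
}

# Current HOME_NET value from a snort.conf ("var" or "ipvar" form), or empty.
current_home_net() {
    sed -n 's/^\(ip\)\{0,1\}var HOME_NET[[:space:]]*//p' "$1" | head -n 1
}

# Rewrite HOME_NET only when the computed value differs from the file.
# Prints "disabled", "unchanged" or "updated"; returns 0 in all three cases.
update_home_net() {
    conf=$1; shift
    optout=${IDS_CONF:-/etc/clearos/intrusion_detection.conf}
    if [ -r "$optout" ] && grep -q '^automagic_home_net *= *no' "$optout"; then
        echo disabled; return 0
    fi
    want=$(build_home_net "$@") || return 1
    if [ "$(current_home_net "$conf")" = "$want" ]; then
        echo unchanged; return 0
    fi
    # Both forms in one pass; '|' as delimiter because subnets contain '/'.
    sed -i -e "s|^var HOME_NET.*|var HOME_NET $want|" \
           -e "s|^ipvar HOME_NET.*|ipvar HOME_NET $want|" "$conf"
    echo updated
}

# Run as the event hook: ./hook --apply <lan-subnet> [<lan-subnet> ...]
if [ "${1:-}" = "--apply" ]; then
    shift; update_home_net /etc/snort.conf "$@"
fi
```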
2013-07-15 07:50

I just added 0001225 - remove the code from the init script. Getting there :-)
2013-08-21 15:03

Source Code Changelog
- Migrated network auto configuration [tracker 0001215]

File Changes
U webconfig/apps/intrusion_detection/trunk/deploy/info.php
A webconfig/apps/intrusion_detection/trunk/deploy/upgrade
U webconfig/apps/intrusion_detection/trunk/packaging/app-intrusion-detection.spec
A webconfig/apps/intrusion_detection/trunk/packaging/network-connected-event

- Issue History
Date Modified Username Field Change
2013-07-08 05:46 NickH New Issue
2013-07-08 07:16 user2 Assigned To => user2
2013-07-08 07:16 user2 Status new => confirmed
2013-07-08 09:36 user2 Note Added: 0000918
2013-07-13 08:16 NickH Note Added: 0000926
2013-07-15 07:46 user2 Relationship added related to 0001225
2013-07-15 07:50 user2 Note Added: 0000927
2013-08-02 10:10 user2 Status confirmed => resolved
2013-08-02 10:10 user2 Fixed in Version => 6.5.0 Beta 1
2013-08-02 10:10 user2 Resolution open => fixed
2013-08-21 15:02 user2 Target Version => 6.5.0 Beta 1
2013-08-21 15:03 user2 Checkin
2013-08-21 15:03 user2 Note Added: 0000981
2013-08-21 15:03 user2 Category snort => app-intrusion-detection - Intrusion Detection
2013-08-21 21:20 user2 Status resolved => closed