ClearOS Bug Tracker


View Issue Details
ID: 0001215
Project: ClearOS
Category: app-intrusion-detection - Intrusion Detection
View Status: public
Date Submitted: 2013-07-08 05:46
Last Update: 2013-08-21 21:20
Reporter: NickH
Assigned To: user2
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform, OS, OS Version: (blank)
Product Version: 6.4.0
Target Version: 6.5.0 Beta 1
Fixed in Version: 6.5.0 Beta 1
Summary: 0001215: In snort.conf HOME_NET needs configuring with better defaults or automatically
Description: In snort.conf there is a parameter HOME_NET which, by default, is set to "any". This works with the default rule set but is prone to fail with more advanced rules such as some of those from Emerging Threats. This is because they sometimes use the notation ! $HOME_NET which resolves to !any, and !any is not allowed in snort.
There are a couple of workarounds which come to mind:
1 - Configure HOME_NET to the current LAN subnets automatically by some background magic which fires when the LANs are changed
2 - Set HOME_NET to [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]. This is a quick and dirty fix to set it to all private LAN ranges.
Steps To Reproduce: n/a
Tags: No tags attached.
Attached Files

- Relationships
related to 0001225 (closed, user2): Remove old network configuration munging in init script

- Notes
(0000918)
user2
2013-07-08 09:36

This is much easier to do with the clearsync/event system in ClearOS 6 :-)

When a network configuration change happens, the system (clearsync) will run any script found in /var/clearos/events/network_configuration. It would be a matter of writing a script (shell, PHP, etc) to munge the HOME_NET parameter in snort.conf. If someone wants to give this a try, here are a couple of tips:

1) It should be possible to disable automagic through a configuration file, e.g. add a configuration file /etc/clearos/intrusion_detection.conf:

automagic=yes

2) The snort.conf change should only happen when something actually changes
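Putting the description's second workaround and the two tips in the note above together, here is an added example of such a network_configuration event script. It is constructed for this page and is not code from ClearOS or from /etc/init.d/snort. It assumes the config path /etc/clearos/intrusion_detection.conf and the automagic=yes key named in the note; the LAN subnets are passed in as CIDR arguments (in a real deployment they would come from the platform's network configuration, which this example does not read), and the private ranges from the description are the fallback when none are known, so HOME_NET is never left as "any". It rewrites snort.conf only when the computed HOME_NET actually differs from what is already there.

```shell
#!/bin/sh
# Added example of a clearsync event script for /var/clearos/events/network_configuration
# (constructed for this page; not code from ClearOS or from /etc/init.d/snort).
# Assumptions: the config file path and the "automagic" key come from the note above;
# the LAN subnets are passed as CIDR arguments.

IDS_CONF="${IDS_CONF:-/etc/clearos/intrusion_detection.conf}"
SNORT_CONF="${SNORT_CONF:-/etc/snort.conf}"

# Fallback when no LAN subnet is known: the private ranges from the description,
# so HOME_NET is never "any" and "!$HOME_NET" in rules stays valid.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# automagic_enabled CONF: returns 0 unless the file sets automagic to no/off/0.
# A missing file means the default, which is enabled.
automagic_enabled() {
    [ -r "$1" ] || return 0
    val=$(sed -n 's/^[[:space:]]*automagic[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    case "$val" in
        no|NO|off|OFF|0) return 1 ;;
        *) return 0 ;;
    esac
}

# build_netlist NET...: prints the snort list form "[a,b,c]" of the CIDR arguments,
# ignoring anything that is not a CIDR and falling back to PRIVATE_NETS when empty.
build_netlist() {
    list=""
    for net in "$@"; do
        case "$net" in
            */*) list="${list:+$list,}$net" ;;
        esac
    done
    if [ -z "$list" ]; then
        for net in $PRIVATE_NETS; do
            list="${list:+$list,}$net"
        done
    fi
    printf '[%s]\n' "$list"
}

# update_home_net SNORT_CONF NETLIST: rewrites the "ipvar HOME_NET" line only when
# it differs from NETLIST (tip 2 in the note). Prints "changed" or "unchanged".
update_home_net() {
    file="$1"
    netlist="$2"
    current=$(sed -n 's/^ipvar HOME_NET[[:space:]]*//p' "$file" | head -n 1)
    if [ "$current" = "$netlist" ]; then
        echo unchanged
        return 0
    fi
    # "|" as the sed delimiter because the CIDR list contains "/"; write via a
    # temp file and copy back so the original file's permissions are kept.
    tmp="$file.tmp.$$"
    sed -e "s|^ipvar HOME_NET.*|ipvar HOME_NET $netlist|" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rm -f "$tmp"
    echo changed
}

# main NET...: the event entry point; snort is restarted only if the file changed.
main() {
    automagic_enabled "$IDS_CONF" || { echo "automagic disabled, leaving $SNORT_CONF alone"; return 0; }
    result=$(update_home_net "$SNORT_CONF" "$(build_netlist "$@")")
    echo "HOME_NET $result"
    if [ "$result" = changed ] && [ -x /etc/init.d/snort ]; then
        /etc/init.d/snort restart
    fi
}

# Runs only when the subnets are supplied, e.g.
#   LAN_NETS="192.168.1.0/24 192.168.2.0/24" sh snort-home-net
if [ -n "${LAN_NETS:-}" ]; then
    main $LAN_NETS
fi
```

The comparison step is what keeps the event from being noisy: clearsync may fire the event for changes that do not touch any LAN subnet, and in that case the script neither rewrites snort.conf nor restarts snort. The pattern matches "ipvar HOME_NET", which is the form snort expects for IP variables.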
(0000926)
NickH (developer)
2013-07-13 08:16

The code is all in the /etc/init.d/snort file but it is buggy.

If you change:

for NET in $AUTOMAGIC_LANNETS $AUTOMAGIC_DMZNETS $AUTOMAGIC_EXTNETS; do
to
for NET in $AUTOMAGIC_LANNETS $AUTOMAGIC_DMZNETS $EXTRALANS; do

and

sed -i -e "s/^var HOME_NET.*/var HOME_NET [${NETLIST}]/" /etc/snort.conf
to
sed -i -e "s/^ipvar HOME_NET.*/ipvar HOME_NET [${NETLIST}]/" /etc/snort.conf

then HOME_NET gets defined correctly. Note in the first line I changed I dropped the $AUTOMAGIC_EXTNETS. I am not sure why that is there but it gives my WAN subnet which seems to be wrong. If it is not needed the code:

    # AUTOMAGIC_EXTNETS was added with multi-WAN support.
    # Use old AUTOMAGIC_EXTNET (no S) if AUTOMAGIC_EXTNETS does not exist.
    
    if [ -z "$AUTOMAGIC_EXTNETS" ]; then
        AUTOMAGIC_EXTNETS="$AUTOMAGIC_EXTNET"
    fi

can be removed.
(0000927)
user2
2013-07-15 07:50

I just added 0001225 - remove the code from the init script. Getting there :-)
(0000981)
user2
2013-08-21 15:03

Source Code Changelog
---------------------------------------------------
- Migrated network auto configuration [tracker 0001215]

File Changes
---------------------------------------------------
Details: http://code.clearfoundation.com/svn/revision.php?repname=ClearOS&rev=6403
U webconfig/apps/intrusion_detection/trunk/deploy/info.php
A webconfig/apps/intrusion_detection/trunk/deploy/upgrade
U webconfig/apps/intrusion_detection/trunk/packaging/app-intrusion-detection.spec
A webconfig/apps/intrusion_detection/trunk/packaging/network-connected-event

- Issue History
Date Modified Username Field Change
2013-07-08 05:46 NickH New Issue
2013-07-08 07:16 user2 Assigned To => user2
2013-07-08 07:16 user2 Status new => confirmed
2013-07-08 09:36 user2 Note Added: 0000918
2013-07-13 08:16 NickH Note Added: 0000926
2013-07-15 07:46 user2 Relationship added related to 0001225
2013-07-15 07:50 user2 Note Added: 0000927
2013-08-02 10:10 user2 Status confirmed => resolved
2013-08-02 10:10 user2 Fixed in Version => 6.5.0 Beta 1
2013-08-02 10:10 user2 Resolution open => fixed
2013-08-21 15:02 user2 Target Version => 6.5.0 Beta 1
2013-08-21 15:03 user2 Checkin
2013-08-21 15:03 user2 Note Added: 0000981
2013-08-21 15:03 user2 Category snort => app-intrusion-detection - Intrusion Detection
2013-08-21 21:20 user2 Status resolved => closed