Stop snort detecting local traffic
I use the rather excellent and open source snort to help monitor and protect my network. However, it was causing muchos havoc with my VNC, SSH and samba connections. I found out this was all down to (as is sadly normal for most open source projects) confusion related to the configuration.
In the snort.conf file, you are meant to set your home network (the place you are protecting, but don’t want to detect), using
HOME_NET XXX.XXX.X.XXX
And then your external network (the place where attacks might come from and that you do want to detect) using
EXTERNAL_NET XXX.XXX.X.XXX
Now, the method the configuration and snort documentation tells you to use is to basically tell snort that anything that isn’t in your home network is in your external network, so
EXTERNAL_NET !HOME_NET
The exclamation basically meaning NOT. However, if you put an IP address string as your home network, for example (as is suggested in the configuration)
HOME_NET 192.168.1.1/24
for some reason, using !HOME_NET for your external network doesn’t work and snort will happily go and detect all traffic coming from your local network…GRR. Luckily, after some Googling I came across this message and found that the way to get EXTERNAL_NET to work correctly was to use
EXTERNAL_NET [!192.168.1.0/24]
Finally, snort no longer goes ape about my local traffic and now only finds the retarded script kiddies from Russia and China and the Netherlands (since that is where most of the attacks I get come from) and blocks them. Thanks mailing list, no thanks snort.conf….
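To sanity-check a HOME_NET/EXTERNAL_NET pair like the one above before trusting the sensor, here is an added Python model of Snort’s IP-list syntax (bracketed lists, leading ! negation, $VAR substitution). It is example code written for this post, not Snort’s own parser, and the variable values and test addresses are constructed.

```python
import ipaddress

# Constructed snort.conf-style variables, mirroring the working setup in the post.
SNORT_VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "[!192.168.1.0/24]",
}


def expand(expr, variables):
    """Expand a Snort-style IP list into a list of (negated, network) pairs.

    Handles one level of [brackets], comma-separated items, a leading '!'
    and '$VAR' references (negation carries through into the variable).
    A bare name without '$' is not an address and is rejected, rather than
    silently matching nothing.  Simplified model, not Snort's real parser.
    """
    expr = expr.strip()
    if expr.startswith("[") and expr.endswith("]"):
        expr = expr[1:-1]
    out = []
    for item in (x.strip() for x in expr.split(",")):
        negate = item.startswith("!")
        if negate:
            item = item[1:]
        if item.startswith("$"):
            name = item[1:]
            if name not in variables:
                raise ValueError(f"undefined variable ${name}")
            for neg, net in expand(variables[name], variables):
                out.append((neg != negate, net))  # !$VAR flips each entry
        elif item == "any":
            out.append((negate, ipaddress.ip_network("0.0.0.0/0")))
        else:
            # strict=False accepts host-bit forms such as 192.168.1.1/24
            out.append((negate, ipaddress.ip_network(item, strict=False)))
    return out


def matches(ip, expr, variables=None):
    """True if ip is covered by expr: not in any negated network, and in a
    positive one (a purely negated list such as [!192.168.1.0/24] means
    'everything else')."""
    addr = ipaddress.ip_address(ip)
    entries = expand(expr, variables or {})
    if any(addr in net for neg, net in entries if neg):
        return False
    positives = [net for neg, net in entries if not neg]
    return not positives or any(addr in net for net in positives)


def local_hosts_in_external_net(variables, hosts):
    """Hosts that EXTERNAL_NET would still treat as external; a non-empty
    result means local traffic will keep triggering EXTERNAL_NET rules."""
    return [h for h in hosts if matches(h, "$EXTERNAL_NET", variables)]
```

Run local_hosts_in_external_net(SNORT_VARS, ["192.168.1.50", "192.168.1.200"]) against your own values; an empty list is what you want to see.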
The Quest For Security
So, I have been pretty quiet of late, sorry about that. Well, the main reason was it was Xmas a while back, but also, I have been doing LOADS of research into security on the web.
For the past few months I have been toying with the idea of implementing a security device on my network that would take all the leg work of antivirus and intrusion detection and prevention off each PC on the network and get a dedicated machine to do it.
It turns out there are lots of options out there to do this, so I dabbled with a few.
The first I checked out was http://www.untangle.com/. Untangle is basically a special Debian distro with lots of preconfigured security tools, like ClamAV for antivirus, snort_inline for intrusion prevention and iptables for a firewall. It comes with a very easy to use web interface, making it idiot proof. However, I came across a few problems. First, it needs a PC with two NICs to be used as a dedicated server, something I didn’t have. Second, you can use it on a Windows XP machine by installing a Virtual Machine via VMPlayer; it then automagically reconfigures your network so that all traffic is routed through it first. However, this also wasn’t a great solution, since it means you need to have a machine effectively running two OSs at once (Windows XP and the Virtual Machine), and also it did not work with my Vista lappie. Finally, it also prevented me from browsing gmail, so it was a no go for me – although some fix to do with Socks5 was the cure.
Second, I tried rolling my own system using snort_inline (http://snort-inline.sourceforge.net/), ClamAV, iptables and Ubuntu. This is what has taken me an age. I have never built any app from source before and it took me a long time to figure out what to do. Plus, I wanted to run this on a low power box, and the only one I had available that had two NICs was an old thin client that runs off a USB 2.0 hard drive, so it ain’t that fast at all. However, I have finally managed to get snort_inline running, with a ClamAV preprocessor and logging to MySQL. So far it is only scanning all the traffic coming into my network; I haven’t yet got it to actually prevent anything.
I finally tried out an interesting solution, http://packetprotector.org/. This is kinda like the Untangle solution, except that it all runs off your router. Sadly, all the routers it currently runs on are pretty hard to get hold of here in the UK, but from what I see, it might be the best solution. You get an advanced iptables firewall, snort_inline, dansguardian (content filtering) and ClamAV all running on top of OpenWRT. The only negatives I can see are that you need to be a bit of a Linux guru to know what you are doing if you want to start to customise it (though it does come with the WebIF interface) and that it can bog down pretty quickly. However, to me it seems the best solution, until I get some super powerful server that I can run Untangle, or m0n0wall or IPCop or EasyIDS on. There are loads of solutions out there; you just need the right old PC to run it on, or a PC that you think is going to be quiet enough.
