Monday, March 29

Snort -h doesn't do what you think it does.

I've seen a lot of traffic recently from people trying to use "-h" on the Snort command line to specify the $HOME_NET variable, and it has generated a lot of confusion lately, so I thought I had better write about it.

If you look in the manual, every time -h appears it is given a network range or a single IP address, and it always appears alongside -l (packet logging) and -vde (without -l you are just in sniffer mode). The manual never spells out what -h actually does. Similarly, if you type:

snort --help

on the command line, the help entry for -h says:

-h <hn>      Home network = <hn>

So one might think that passing -h on the command line sets the HOME_NET variable found in snort.conf from the command line. As you have probably guessed by now, this is not the case.

So here's the truth: -h actually has nothing to do with the HOME_NET as specified in the snort.conf file.

As we know, the line

var HOME_NET any

in snort.conf defines which addresses count as "home", and therefore which direction of traffic a rule examines in the detection engine. Writing

var HOME_NET 192.168.0.0/16

in snort.conf substitutes 192.168.0.0/16 into every rule that references $HOME_NET. That substitution is what people expect -h to do, and it is not what -h does.

So, for example, the following rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Alert!"; content:"/content"; sid:10000001;)

With the following in my snort.conf:

  • var HOME_NET any
  • var EXTERNAL_NET any

I get the following alert:

[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E Ack: 0x8B9BF8F5 Win: 0x822B TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581

If I define HOME_NET in snort.conf as:

  • var HOME_NET 192.168.0.0/16
  • var EXTERNAL_NET any

I still get the alert, as expected, because the source address 192.168.1.120 falls inside $HOME_NET:

[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E Ack: 0x8B9BF8F5 Win: 0x822B TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581

If I define HOME_NET in snort.conf as:

  • var HOME_NET 72.14.0.0/16
  • var EXTERNAL_NET any

I don't get an alert, exactly as planned: the source address 192.168.1.120 is no longer in $HOME_NET, so the header $HOME_NET any -> $EXTERNAL_NET any does not match this packet. Now I run the same test with the same rule and put

  • var HOME_NET any
  • var EXTERNAL_NET any

back in snort.conf, but this time I specify 192.168.0.0/16 with the -h command line option. I get:

[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E Ack: 0x8B9BF8F5 Win: 0x822B TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581

Exactly as before. Now, if I run with -h 72.14.0.0/16 on the command line, I get the following alert:

[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E Ack: 0x8B9BF8F5 Win: 0x822B TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581

If -h really set HOME_NET, I should not have. So, no, -h does not specify HOME_NET.

So if you are trying to specify HOME_NET, you need to do it in the snort.conf file.

What -h actually does, after checking with the development team and reading the code myself, is control how packets are logged when you use the old "log per directory" packet-logger mode (-l): it tells Snort which side of a conversation is the home side, so packet log directories are named after the non-home address. This isn't very clear in the documentation or in the --help output, so I've asked the developers to make what -h does clearer in both the documentation and the code. It's pretty much only useful in sniffer/packet-logger mode, not IDS mode.

6 comments:

Edward Fjellskål said...

You could probably mention the -S option, which is what you would use if you wanted to specify a variable on the command line.

-S HOME_NET=[192.168.0.0/16]

-S variable=value

Set variable name "variable" to value "value". This is useful for setting the value of a defined variable name in a Snort rules file to a command line specified value. For instance, if you define a HOME_NET variable name inside of a Snort rules file, you can set this value from its predefined value at the command line.

./ebf0

Joel said...

Yes, I left it out intentionally for a future post and to not confuse people. I find it more productive to explain things separately than together. Better results that way and less confusion.
