Bug #14645 (closed, 100% done)
Snort interface "External Net" (EXTERNAL_NET) custom IP list should have negation when expanded

Description
Hello,
I'm not really good with Snort, but all my search results confirm that it is common to have the EXTERNAL_NET config variable defined as !HOME_NET by default. This should include all networks except those in HOME_NET. The default pfSense HOME_NET list includes local interface subnets, DNS servers and loopback IPs. The default EXTERNAL_NET includes the same list of IPs/networks but with ! in front of each entry, which is pretty much the same as the !HOME_NET approach. That's great.
Example VM entries from the final snort config (/usr/local/etc/snort/snort_53008_vtnet0/snort.conf here), public IPs and DNS servers redacted.

# Define Local Network #
ipvar HOME_NET [DNS1,WANGW,WANIP,127.0.0.1,192.168.1.0/24,DNS2,::1,fe80::1:1,fe80::c3b:98ff:fece:9315]
ipvar EXTERNAL_NET [!DNS1,!WANGW,!WANIP,!127.0.0.1,!192.168.1.0/24,!DNS2,!::1,!fe80::1:1,!fe80::c3b:98ff:fece:9315]
However, if we create a new passlist on the /snort/snort_passlist.php page, we cannot include negation (exclamation mark) in the definition (neither on the passlist page nor on the IP alias page), and the networks will not be prepended with ! in the final Snort config file.

Example config with a custom passlist (some IPs/networks added as aliases and simple IPs for testing):

ipvar HOME_NET [DNS1,WANGW,WANIP,127.0.0.1,192.168.1.0/24,DNS2,::1,fe80::1:1,fe80::c3b:98ff:fece:9315]
ipvar EXTERNAL_NET [[10.11.12.13,DNS1,WANGW,WANIP,127.0.0.1,192.168.1.0/24,192.168.33.0/28,192.168.50.33,DNS2,fe80::1:1,fe80::c3b:98ff:fece:9315]]
Also please note that EXTERNAL_NET here has double square brackets now (not sure if this should be fixed).

If we use the same custom passlist for both HOME_NET and EXTERNAL_NET, we have a correct HOME_NET but the same broken EXTERNAL_NET.

# Define Local Network #
ipvar HOME_NET [10.11.12.13,DNS1,WANGW,WANIP,127.0.0.1,192.168.1.0/24,192.168.33.0/28,192.168.50.33,DNS2,::1,fe80::1:1,fe80::c3b:98ff:fece:9315]
ipvar EXTERNAL_NET [[10.11.12.13,DNS1,WANGW,WANIP,127.0.0.1,192.168.1.0/24,192.168.33.0/28,192.168.50.33,DNS2,fe80::1:1,fe80::c3b:98ff:fece:9315]]
The current behavior silently breaks many (most?) IDS rules, because they depend on a correct EXTERNAL_NET definition, and we effectively have HOME_NET with some modifications instead of the actual EXTERNAL_NET we want.

We can work around this by defining custom EXTERNAL_NET pass lists as all subnets before and after the required HOME_NET IPs/networks. But that's a lot of networks to include in the definition; for example, for 10.11.12.13 we have to include 0.0.0.0/5, 8.0.0.0/7, the 10.x.x.x networks before and after 10.11.12.13, then 11.x, 12.x and everything up to 255.255.255.255.

So I think the GUI should prepend all entries in the final config with ! as it does with the default passlist. And maybe remove the second square bracket set (sorry for being a noob here :D).
Thank you.
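As an added example (not part of the original report or of the pfSense Snort package), the check below parses the ipvar lines of a snort.conf and flags an EXTERNAL_NET that is not the negation of HOME_NET (un-negated entries, HOME_NET entries that are not excluded, nested brackets), and it also builds the EXTERNAL_NET line the report asks the GUI to emit. The config fragments are constructed to mirror the ones quoted above, with the redacted addresses replaced by documentation values.

```python
import re

# Constructed snort.conf fragments modelled on the ones quoted in the report.
GOOD_CONF = """# Define Local Network #
ipvar HOME_NET [127.0.0.1,192.168.1.0/24,::1]
ipvar EXTERNAL_NET [!127.0.0.1,!192.168.1.0/24,!::1]
"""
BROKEN_CONF = """# Define Local Network #
ipvar HOME_NET [127.0.0.1,192.168.1.0/24,::1]
ipvar EXTERNAL_NET [[10.11.12.13,127.0.0.1,192.168.1.0/24,192.168.33.0/28]]
"""

IPVAR_RE = re.compile(r"^\s*ipvar\s+(\w+)\s+(\S+)\s*$", re.M)


def parse_ipvars(conf):
    """Map each ipvar name to (entries, bracket depth) found in the conf text."""
    result = {}
    for name, value in IPVAR_RE.findall(conf):
        depth = len(value) - len(value.lstrip("["))  # [[...]] gives depth 2
        entries = [e.strip() for e in value.strip("[]").split(",") if e.strip()]
        result[name] = (entries, depth)
    return result


def external_net_problems(conf):
    """Report the ways EXTERNAL_NET fails to mean 'everything except HOME_NET'."""
    ipvars = parse_ipvars(conf)
    if "EXTERNAL_NET" not in ipvars:
        return ["EXTERNAL_NET is not defined"]
    entries, depth = ipvars["EXTERNAL_NET"]
    problems = []
    if depth > 1:
        problems.append("nested brackets (depth %d)" % depth)
    negated = set()
    for entry in entries:
        if entry.startswith("!"):
            negated.add(entry[1:])
        else:
            problems.append("entry %s is not negated" % entry)
    # every HOME_NET entry must be excluded, otherwise the two variables overlap
    for home in ipvars.get("HOME_NET", ([], 0))[0]:
        if home not in negated:
            problems.append("HOME_NET entry %s is not excluded" % home)
    return problems


def render_external_net(passlist):
    """Emit the line the report asks for: each entry negated, one bracket pair."""
    return "ipvar EXTERNAL_NET [%s]" % ",".join("!" + e for e in passlist)
```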