What are Snort HOME_NET and EXTERNAL_NET Variables?!

Snort rules rely on variables to know which traffic they should inspect and which to ignore. Each Snort rule has a header made up of the action to be taken, the protocol, the source IP, the source port, the direction operator, the destination IP and the destination port. The two most important fields among these are the source and destination IP addresses: they define what should be protected and what should not, and in the rule header they are usually written not as literal addresses but as references to two variables. In Snort language these two variables are called HOME_NET and EXTERNAL_NET. HOME_NET should include all the IP addresses that Firepower should protect, which means all our IP addresses, whether private or public. But what about EXTERNAL_NET?! Should it be anything except the protected addresses defined in our HOME_NET?! Or should it be anything at all, including our HOME_NET?! Let’s find out together :).

Let’s assume we have a Firepower appliance with three segments: the inside, where our internal hosts sit on subnet 192.168.0.0/24; the DMZ, where our servers sit on subnet 10.10.10.0/24; and the outside segment, which is directly connected to the internet:

We will define our variable set as follows:

HOME_NET = 192.168.0.0/24 & 10.10.10.0/24

EXTERNAL_NET = Anything except HOME_NET

Excluding HOME_NET from EXTERNAL_NET is what most of us do out of habit. We will see later in this post whether it is a good thing to do or not.

Let’s define our variable set. To do so from FMC, go to Objects -> Object Management -> Variable Set and click the pencil icon on the top right:

Edit SNORT HOME_NET & EXTERNAL_NET VARIABLE SETS

Click on the pencil icon next to HOME_NET:

Edit_HOME_NET

Search for the two network objects that represent our subnets, click Include on each, and save:

Include_internal_subnets

HOME_NET_internal_subnets

Click on the pencil icon next to EXTERNAL_NET:

Edit_EXTERNAL_NET

Search for the HOME_NET variable, click Exclude, and save:

Exclude_HOME_NET

EXTERNAL_NET_subnets

Here is how the Snort HOME_NET and EXTERNAL_NET variables look now:

SNORT HOME_NET & EXTERNAL_NET VARIABLE SETS new changes

The exclamation mark in front of the EXTERNAL_NET value is Snort’s negation operator (“not”), so our EXTERNAL_NET variable is now defined as !$HOME_NET: anything that is not in our HOME_NET.

Save the changes:

SNORT HOME_NET & EXTERNAL_NET VARIABLE SETS save changes

Now let’s take this random Snort rule as an example:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache HTTP Server mod_http2 denial of service attempt"; flow:to_server,established; content:"|01 00 00 00 00 01|"; content:"|09 01 00 00 00 01|"; within:50; content:"|09 01 00 00 00 01|"; within:25; content:"|09 01 00 00 00 01|"; within:25; metadata:service http; reference:cve,2016-8740; classtype:denial-of-service; sid:41688; rev:1; gid:1; )

Let’s assume there is an ongoing attack from the internet against our server in the DMZ segment. With the variable set we defined, Snort will inspect this traffic: the attacker’s address on the internet falls inside EXTERNAL_NET and our server’s address falls inside HOME_NET, so the rule header matches and the content checks in the rule get a chance to fire. The same happens if the attack is conducted against our internal host. Good, now let’s take another example.

Now let’s say the internal host in the inside segment is the attacker, so the attack is conducted from our internal host against the server in the DMZ. Would Snort see this attack?! The answer is no. The source address, 192.168.0.x, belongs to HOME_NET, and because we defined EXTERNAL_NET as everything except HOME_NET it does not fall inside EXTERNAL_NET. The header of this rule, and of every other rule written as $EXTERNAL_NET -> $HOME_NET, therefore never matches this traffic; the rule options are never even evaluated, and Snort is completely blind to the attack.

To fix this we need HOME_NET to be included in EXTERNAL_NET, which we get by reverting the EXTERNAL_NET variable to its default value of any. With that change the traffic from our internal host falls inside EXTERNAL_NET as well, the rule header matches and Snort inspects the attack against the server. The price is that every rule written against $EXTERNAL_NET now also applies to traffic between our own segments (inside to DMZ, and rules written as $HOME_NET -> $EXTERNAL_NET match HOME_NET-to-HOME_NET flows too), so expect somewhat more inspection load and review any resulting alerts that only make sense for genuinely external peers.
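To make the two scenarios above concrete, here is an added example (not code from the original post or from Cisco/Snort) that models Snort’s rule-header matching. It reads the variable set from this post written in the ipvar/portvar syntax a standalone Snort instance uses (FMC generates the equivalent from its Variable Set object), resolves $VAR references, any, CIDRs, [lists] and ! negation, and checks the header of SID 41688 against both attacks. It also evaluates an assumed outbound-style header ($HOME_NET -> $EXTERNAL_NET) to show the side effect of setting EXTERNAL_NET to any. The HTTP_PORTS list, the sample addresses (203.0.113.7, 10.10.10.5, 192.168.0.20) and the outbound header are constructed for the example; rule options such as flow: and content: are deliberately not modelled, since the header alone decides whether they are ever evaluated.

```python
import ipaddress
import re

# Constructed example: the variable set from the post in standalone-Snort syntax.
# HTTP_PORTS is an assumed, shortened list; Snort's real default is much longer.
VARSET_EXTERNAL_ANY = """
ipvar HOME_NET [192.168.0.0/24,10.10.10.0/24]
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
"""
VARSET_EXTERNAL_NOT_HOME = """
ipvar HOME_NET [192.168.0.0/24,10.10.10.0/24]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# Rule headers only: the header decides which address/port pairs a rule even
# looks at. Options (flow:, content:, within:, ...) are not modelled here.
INBOUND_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS"  # header of SID 41688
OUTBOUND_HEADER = "alert tcp $HOME_NET any -> $EXTERNAL_NET any"  # assumed outbound-style header

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$")


class VarSet:
    """Resolves $VAR references, 'any', CIDRs, [lists] and '!' negation."""

    def __init__(self, text):
        self.ipvars, self.portvars = {}, {}
        for line in text.strip().splitlines():
            kind, name, value = line.split(None, 2)
            (self.ipvars if kind == "ipvar" else self.portvars)[name] = value

    def ip_matches(self, spec, ip):
        spec = spec.strip()
        if spec == "any":
            return True
        if spec.startswith("!"):  # negation of the whole spec, e.g. !$HOME_NET
            return not self.ip_matches(spec[1:], ip)
        if spec.startswith("$"):  # variable reference
            return self.ip_matches(self.ipvars[spec[1:]], ip)
        if spec.startswith("[") and spec.endswith("]"):
            # Inside a list a '!' entry is an exclusion from the positive entries,
            # e.g. [10.0.0.0/8,!10.10.10.0/24]; a list holding only exclusions
            # matches everything that is not excluded.
            parts = [p.strip() for p in spec[1:-1].split(",")]
            includes = [p for p in parts if not p.startswith("!")]
            excludes = [p[1:] for p in parts if p.startswith("!")]
            if any(self.ip_matches(e, ip) for e in excludes):
                return False
            return not includes or any(self.ip_matches(i, ip) for i in includes)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

    def port_matches(self, spec, port):
        spec = spec.strip()
        if spec == "any":
            return True
        if spec.startswith("!"):
            return not self.port_matches(spec[1:], port)
        if spec.startswith("$"):
            return self.port_matches(self.portvars[spec[1:]], port)
        if spec.startswith("[") and spec.endswith("]"):
            return any(self.port_matches(p, port) for p in spec[1:-1].split(","))
        if ":" in spec:  # range, e.g. 8000:8100, :1024 or 1024:
            lo, hi = spec.split(":")
            return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
        return port == int(spec)


def header_matches(varset, header, src_ip, src_port, dst_ip, dst_port):
    """True if the flow's endpoints fall inside the header's address/port specs."""
    _action, _proto, s_ip, s_port, direction, d_ip, d_port = HEADER_RE.match(header).groups()

    def one_way(si, sp, di, dp):
        return (varset.ip_matches(s_ip, si) and varset.port_matches(s_port, sp)
                and varset.ip_matches(d_ip, di) and varset.port_matches(d_port, dp))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return direction == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


def evaluate_scenarios(varset_text):
    """The two attacks from the post plus the outbound-rule side effect, for one variable set.

    Constructed addresses: 203.0.113.7 is a documentation-range internet host,
    10.10.10.5 the DMZ web server, 192.168.0.20 the inside host."""
    vs = VarSet(varset_text)
    return {
        "internet_to_dmz": header_matches(vs, INBOUND_HEADER, "203.0.113.7", 51234, "10.10.10.5", 80),
        "inside_to_dmz": header_matches(vs, INBOUND_HEADER, "192.168.0.20", 51234, "10.10.10.5", 80),
        "inside_to_dmz_outbound_rule": header_matches(vs, OUTBOUND_HEADER, "192.168.0.20", 51234, "10.10.10.5", 80),
    }


if __name__ == "__main__":
    for label, text in (("EXTERNAL_NET = !$HOME_NET", VARSET_EXTERNAL_NOT_HOME),
                        ("EXTERNAL_NET = any", VARSET_EXTERNAL_ANY)):
        print(label, evaluate_scenarios(text))
```

Running it prints, for EXTERNAL_NET = !$HOME_NET, internet_to_dmz True but inside_to_dmz False (the blind spot described above), and for EXTERNAL_NET = any all three True, including the outbound-style header now matching an inside-to-DMZ flow, which is the trade-off to keep in mind when you reset the variable.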

To revert the EXTERNAL_NET variable to its default value, click the curved green arrow (reset to default) next to it and save the changes:

EXTERNAL_NET_reset_to_default

SNORT EXTERNAL_NET VARIABLE default

As we can see, the EXTERNAL_NET variable has moved back to the Default Variables section. Don’t forget to save the new changes.

I hope you enjoyed reading this post on the Snort HOME_NET and EXTERNAL_NET variables and why we should include our HOME_NET in EXTERNAL_NET. As always, I would love to hear your feedback. Thanks for reading!
