When monitoring a network one must keep in mind different known or unknown IP addresses. For a monitoring system setup i would first clasify the IPs that i will be interacting with in several categories:
- Machine/network specific addresses
- Home network addresses
- Reserved and assigned addresses
- External network addresses
Each of them can then be split even more, depending on the devices on the home network and what exactly are you monitoring for, but thats a subject for another post. After identifying the exact IP addresses or ranges, variables can be used in the security monitoring setup (Snort variables), thus making some rules easier to add and use. To add Snort IP variables to a Snort configuration file (snort.conf) one must define them like so:
ipvar VAR_NAME [x.x.x.x/x]
Machine/network specific addresses – these IPs have minimal or none impact on your network. These are basically the loopback, link local, default route addresses.
- 0.0.0.0 (default route)
- 127.0.0.0/8 (loopback)
- 169.254.0.0/16 (link-local)
A Snort IP variable for these addresses would be :
ipvar HOME_LOCAL [0.0.0.0,127.0.0.0/8,169.254.0.0/16]
Home network addresses are those assigned by IANA for private use. These IPs are typically what we see in our home, school or office network. There are 3 network ranges known to be assigned for private use:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Regarding these addresses, we would want to know everything about them – basically who and how they are communicating with may indicate a compromise.
ipvar HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
Reserved and assigned addresses – those IP addresses that are allocated for special purposes – such as multicasting. There are also IP classes at the end of the IP “spectrum” (25X.X.X.X) that are being reserved for future purposes. The most important to keep in mind are :
- 224.0.0.0/8-239.0.0.0/8 – multicast
- 240.0.0.0/8-255.0.0.0/8 – reserved for future use
We could add an IP variable that would look like the following:
ipvar SPECIAL_ADDR [224.0.0.0/8,225.0.0.0/8,226.0.0.0/8,227.0.0.0/8,228.0.0.0/8,229.0.0.0/8,230.0.0.0/8,231.0.0.0/8,232.0.0.0/8,233.0.0.0/8,234.0.0.0/8,235.0.0.0/8,236.0.0.0/8,236.0.0.0/8,237.0.0.0/8,238.0.0.0/8,239.0.0.0/8]
Or we could play a bit at the binary level and display all the network blocks above as just one:
ipvar SPECIAL_ADDR [224.0.0.0/4]
There are also others that might be worth mentioning or added to a monitoring delpoyment. An analyst can probably find this information about specially assigned IPs really usefull.
# Shared Address Space [RFC6598].
100.64.0.0/10
# IANA IPv4 Special Purpose Address Registry [RFC5736].
192.0.0.0/24
# TEST-NET-1 [RFC5737].
192.0.2.0/24
# 6to4 Relay Anycast [RFC3068]
192.88.99.0/24
# 6a44 Relay Anycast [RFC6751]
192.88.99.2/32
# Network Interconnect Device Benchmark Testing [RFC2544].
198.18.0.0/15
# TEST-NET-2 [RFC5737].
198.51.100.0/24
# TEST-NET-3 [RFC5737]
203.0.113.0/24
# Simple Service Discovery Protocol address
239.255.255.250
External network addresses are those that beyond our home network. These are all network addresses out there, except the ones defined above.
ipvar EXTERNAL_NET !$HOME_NET
Resources
- http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
- https://tools.ietf.org/html/rfc1918
- http://en.wikipedia.org/wiki/Multicast_address