Snort mailing list archives
AW: Rules problem on dual nic vpn server...
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Mon, 24 Jun 2002 08:16:32 +0200
Hi Bryce,

try using HOME_NET 192.168.0.224/27, since 192.168.0.235 is not a subnet but a node address, which could confuse the TCP/IP stack. But remember: then HOME_NET is holding 192.168.0.225 - .254, which might not be what you want. To get around that you will have to put in all the addresses one by one, like in

var HOME_NET [192.168.0.235/32,192.168.0.236/32]

which can result in performance loss, so you should take a look at the Snort statistics about dropped packets (don't know how to get them on Windoze, sorry).

HTH,
Sandro
Hi All,

I have Snort 1.8.3-win32 (build 92) running on Windows NT4 servers. It runs perfectly fine on a single-NIC server just running one rules file (local.rules).

I've placed the same setup on our VPN server (Microsoft VPN/PPTP setup). There are two NICs; the external one is no good for scanning as everything across it is already encrypted. So I'm running Snort looking at the internal NIC. Its IP address is 192.168.0.6. When VPN clients connect they get an IP address in the range of 192.168.0.235 through 192.168.0.253. I set my $HOME_NET to be 192.168.0.235/27 (the closest I can get to match the above range). My $EXTERNAL_NET is set to 'any'.

But the rules that work on the first server don't work on this server when the same data is sent across. If I run Snort just doing binary logging and then view it, the packet headers that should trigger look like:

06/24-16:16:13.159069 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800 len:0xA8
192.168.0.239:4364 -> 192.168.0.1:139 TCP TTL:127 TOS:0x0 ID:21386 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x111CFA70 Ack: 0x376DF253 Win: 0x4094 TcpLen: 20

OR

06/24-16:16:10.548784 0:20:18:58:78:B4 -> 0:E0:29:58:71:98 type:0x800 len:0x1CE
192.168.0.1:139 -> 192.168.0.239:4364 TCP TTL:128 TOS:0x0 ID:5152 IpLen:20 DgmLen:448 DF
***AP*** Seq: 0x376DEE77 Ack: 0x111CF814 Win: 0x2530 TcpLen: 20

The rule I expected to be triggered looks like this:

alert tcp any any <> any any (msg:"Directory listing via tcp"; content: "Directory of "; nocase; flags: AP; classtype:attempted-admin; priority:10;)

Can anyone point me in the right direction please? Do I have to do something special to get this happening with VPN servers, especially since the local NIC's IP doesn't match or appear to be used when looking at captured packets? I've tried all sorts of combinations and simplified the rule down to 'any any' types.

Thanks for any help.

Regards,
Bryce Stenberg.
Harness Racing New Zealand computer department, emailto:bryce () hrnz co nz

CAUTION: This email message and accompanying data may contain information that is confidential and subject to legal privilege. If you are not the intended recipient you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. ALSO, unless expressly stated otherwise, the contents of this message represent only the views of the sender as expressed only to the intended recipient, do not commit Harness Racing New Zealand (HRNZ) to any course of action and are not intended to impose any legal obligation upon HRNZ.

-------------------------------------------------------
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
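The exchange above turns on how a CIDR such as 192.168.0.235/27 is interpreted and what the exact list form of the .235-.253 pool would look like. The script below is an added illustration, not code from either poster or from the Snort project: it masks off the host bits the way a CIDR parser does, lists the hosts the single /27 drags in beyond the VPN pool, and builds the minimal exact set of CIDR blocks for the pool in Snort's `var HOME_NET [...]` list syntax. The range boundaries are the ones stated in the thread; the helper names are my own.

```python
import ipaddress

# The VPN client pool Bryce describes (from the thread), and the single
# CIDR he put in $HOME_NET to approximate it.
POOL_FIRST = "192.168.0.235"
POOL_LAST = "192.168.0.253"
APPROX_CIDR = "192.168.0.235/27"


def normalize_cidr(spec):
    """Return the network a CIDR spec actually denotes once host bits are
    masked off (strict=False), i.e. what a netmask-based parser sees."""
    return ipaddress.ip_network(spec, strict=False)


def hosts_outside_range(spec, first, last):
    """Addresses covered by `spec` that fall outside first..last: these are
    the nodes that silently become 'internal' when a pool is approximated
    by one CIDR block."""
    net = normalize_cidr(spec)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(h) for h in net if not (lo <= h <= hi)]


def exact_blocks(first, last):
    """Minimal list of CIDR blocks covering exactly first..last. This is the
    general form of Sandro's 'one address per /32' suggestion: aligned
    blocks are merged, so the list is as short as possible."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(b) for b in ipaddress.summarize_address_range(lo, hi)]


def home_net_var(blocks):
    """Render the blocks in Snort's bracketed, comma-separated list syntax."""
    return "var HOME_NET [" + ",".join(blocks) + "]"


def is_in_home_net(addr, blocks):
    """Check whether an address would match the list-form HOME_NET."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(b) for b in blocks)


if __name__ == "__main__":
    print("235/27 is really:", normalize_cidr(APPROX_CIDR))
    extra = hosts_outside_range(APPROX_CIDR, POOL_FIRST, POOL_LAST)
    print(len(extra), "hosts outside the pool, e.g.", extra[:3], "...", extra[-2:])
    blocks = exact_blocks(POOL_FIRST, POOL_LAST)
    print(home_net_var(blocks))
    # The VPN server's own internal NIC (192.168.0.6) must stay external.
    print("192.168.0.6 in HOME_NET?", is_in_home_net("192.168.0.6", blocks))
    print("192.168.0.239 in HOME_NET?", is_in_home_net("192.168.0.239", blocks))
```

Five aligned blocks cover the pool exactly, which is far shorter than nineteen /32 entries and keeps hosts such as 192.168.0.224-.234 (and the server's own 192.168.0.6) out of HOME_NET. Note that the rule in the thread is written `any any <> any any`, so HOME_NET is not what decides whether it fires; the variable matters for the stock rules that use $HOME_NET and $EXTERNAL_NET.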