Snort mailing list archives

AW: Rules problem on dual nic vpn server...


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Mon, 24 Jun 2002 08:16:32 +0200

Hi Bryce,

try using HOME_NET 192.168.0.224/27 since 192.168.0.235 is not a subnet but a
node address, which could confuse the tcp/ip stack.

But remember: then HOME_NET is holding 192.168.0.225 - .254, which might not
be what you want. To get around that you will have to put in all the
addresses one by one, like in

var HOME_NET [192.168.0.235/32,192.168.0.236/32]

which can result in performance loss, so you should take a look at the snort
statistics about dropped packets (don't know how to get them on Windoze,
sorry)

HTH,
Sandro
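The subnet arithmetic behind this reply, as an added example that is not part of the original thread: it shows which block 192.168.0.235/27 really denotes, what that block covers beyond the VPN client pool, and the shortest exact HOME_NET list for .235 - .253 (the pool boundaries are the values quoted in the thread; everything else is constructed).

```python
import ipaddress

# VPN client pool quoted in the question (constructed constants for this example)
VPN_FIRST = ipaddress.ip_address("192.168.0.235")
VPN_LAST = ipaddress.ip_address("192.168.0.253")


def network_for(cidr: str) -> ipaddress.IPv4Network:
    """Return the block a CIDR string denotes once the host bits are masked off.

    strict=False mirrors what a /27 written against a node address means in
    practice: 192.168.0.235/27 is the block 192.168.0.224/27, it does not
    start at .235.
    """
    return ipaddress.ip_network(cidr, strict=False)


def coverage(cidr: str, first, last):
    """Compare a candidate HOME_NET block against the wanted address range.

    Returns (extra, missing): addresses the block matches outside the wanted
    range, and wanted addresses the block fails to match.
    """
    net = network_for(cidr)
    wanted = {ipaddress.ip_address(a) for a in range(int(first), int(last) + 1)}
    members = set(net)  # every address in the block, network and broadcast included
    return sorted(members - wanted), sorted(wanted - members)


def home_net_var(first, last) -> str:
    """Build the 'one by one' HOME_NET list from the reply, collapsed into the
    fewest CIDR blocks that cover exactly the wanted range and nothing else."""
    blocks = ipaddress.summarize_address_range(first, last)
    return "var HOME_NET [" + ",".join(str(b) for b in blocks) + "]"


if __name__ == "__main__":
    print(network_for("192.168.0.235/27"))          # 192.168.0.224/27
    extra, missing = coverage("192.168.0.235/27", VPN_FIRST, VPN_LAST)
    print("matched outside the VPN pool:", [str(a) for a in extra])
    print("VPN addresses not matched:", [str(a) for a in missing])
    print(home_net_var(VPN_FIRST, VPN_LAST))
```

Fewer CIDR entries in HOME_NET means fewer comparisons per packet, which is the performance point made above.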

Hi All,

I have Snort 1.8.3-win32 (build 92) running on Windows NT4 servers.
It runs perfectly fine on a single nic server just running one rules file
(local.rules).
I've placed the same setup on our VPN server (Microsoft vpn/pptp setup).
There are two nic's - the external one is no good for scanning as everything
across it is already encrypted.
So I'm running snort looking at the internal nic.
Its IP address is 192.168.0.6
When vpn clients connect they get an IP address in the range of
192.168.0.235 thru 192.168.0.253

I set my $HOME_NET to be 192.168.0.235/27 (closest I can get to match above
range).
My $EXTERNAL_NET is set to 'any'.

But the rules that work on first server don't work on this server when the
same data is sent across.  If I run snort just doing binary logging and then
view it, packet headers that should trigger look like:

06/24-16:16:13.159069 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800 len:0xA8
192.168.0.239:4364 -> 192.168.0.1:139 TCP TTL:127 TOS:0x0 ID:21386 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x111CFA70  Ack: 0x376DF253  Win: 0x4094  TcpLen: 20

OR

06/24-16:16:10.548784 0:20:18:58:78:B4 -> 0:E0:29:58:71:98 type:0x800 len:0x1CE
192.168.0.1:139 -> 192.168.0.239:4364 TCP TTL:128 TOS:0x0 ID:5152 IpLen:20 DgmLen:448 DF
***AP*** Seq: 0x376DEE77  Ack: 0x111CF814  Win: 0x2530  TcpLen: 20

The rule I expected to be triggered looks like this:

alert tcp any any <> any any (msg:"Directory listing via tcp"; content:"Directory of "; nocase; flags:AP; classtype:attempted-admin; priority:10;)

Can anyone point me in the right direction please.  Do I have to do
something special to get this happening with vpn servers - especially since
local nic's IP doesn't match or appear to be used when looking at captured
packets?  I've tried all sorts of combinations and simplified the rule down
to 'any any' types.

Thanks for any help.

Regards,
  Bryce Stenberg.
     Harness Racing New Zealand computer department,
     emailto:bryce () hrnz co nz






-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
