Snort mailing list archives
Re: IP Question Part 2
From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Thu, 8 Aug 2002 10:16:48 -0400
You might want to look into using a BPF filter, and put in something like "not net vpnrange/24" or "not host vpn_ip".

Ian

----- Original Message -----
From: "Jim Gifford" <maillist () jg555 com>
To: <snort-users () lists sourceforge net>
Sent: Thursday, August 08, 2002 1:16 AM
Subject: [Snort-users] IP Question Part 2

My original question was: how can I prevent my company's VPN server showing up in snort? I have added the rule

pass tcp (inet_ip) any <> (vpn_ip) any

But I still get the following message from snort: "spp_stream4: TTL EVASION (reassemble) detection"

Here is the packet in question:

Generated by ACID v0.9.6b21 on Wed August 07, 2002 22:09:12
------------------------------------------------------------------------------
#(1 - 63954) [2002-08-07 12:44:12] spp_stream4: TTL EVASION (reassemble) detection
IPv4: (inet_ip) -> (vpn_ip) hlen=5 TOS=0 dlen=190 ID=43209 flags=0 offset=0 TTL=48 chksum=34589
TCP: port=500 -> dport: 80 flags=***AP*** seq=25559302 ack=83064 off=5 res=0 win=65535 urp=0 chksum=45736
Payload: length = 150

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
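
The BPF exclusion suggested in the reply above, as an added example that is not code from the thread: a BPF filter is applied at capture time, so excluded packets never reach Snort at all, and `host`/`net` match on either source or destination. The addresses are constructed documentation-range placeholders for `vpn_ip` and `inet_ip`, and the helper names are hypothetical.

```python
import ipaddress

def build_exclusion(hosts=(), nets=()):
    """Return a BPF expression that excludes the given hosts and networks."""
    terms = []
    for h in hosts:
        # ip_address() raises ValueError on a mistyped address
        terms.append(f"host {ipaddress.ip_address(h)}")
    for n in nets:
        # strict=True rejects host bits in the prefix, which libpcap also refuses
        terms.append(f"net {ipaddress.ip_network(n, strict=True)}")
    if not terms:
        raise ValueError("nothing to exclude")
    return "not (" + " or ".join(terms) + ")"

def reaches_snort(src, dst, hosts=(), nets=()):
    """Mirror the filter's semantics: a packet is dropped if EITHER end matches."""
    excluded_hosts = {ipaddress.ip_address(h) for h in hosts}
    excluded_nets = [ipaddress.ip_network(n, strict=True) for n in nets]
    for addr in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
        if addr in excluded_hosts or any(addr in n for n in excluded_nets):
            return False
    return True

def surviving(packets, hosts=(), nets=()):
    """Return the (src, dst) pairs Snort would still see with the filter loaded."""
    return [p for p in packets if reaches_snort(p[0], p[1], hosts, nets)]

# Constructed sample values (assumptions, not from the thread)
VPN_IP = "192.0.2.10"     # stands in for vpn_ip
INET_IP = "203.0.113.7"   # stands in for inet_ip
PACKETS = [
    (INET_IP, VPN_IP),        # the direction shown in the quoted alert
    (VPN_IP, INET_IP),        # return traffic, also excluded by "not host"
    (INET_IP, "192.0.2.25"),  # neighbour of the VPN server, still inspected
]

if __name__ == "__main__":
    print(build_exclusion(hosts=[VPN_IP]))
    print(surviving(PACKETS, hosts=[VPN_IP]))
    # Excluding the whole /24 also blinds Snort to the neighbouring host
    print(surviving(PACKETS, nets=["192.0.2.0/24"]))
```

The resulting expression can be given to Snort at the end of its command line or loaded from a file with `-F`.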
Current thread:
- IP Question Part 2 Jim Gifford (Aug 07)
- Re: IP Question Part 2 Ian Macdonald (Aug 08)
- <Possible follow-ups>
- RE: IP Question Part 2 Wirth, Jeff (Aug 08)