Re: pptp logging

[Brian <bmc () snort org>]

On Wed, Feb 19, 2003 at 12:54:51AM -0800, khaled bastaki wrote:
> hi all
> I'm new to this snort mail list.
> can anyone please help me in defining a rule for
> detecting pptp connections as they take place, id like
> to know when a connection takes place, and from where
> its happening.

Actually, I just wrote a rule for that.  I'm testing it as we speak.

Test it and let me know how it works for you.

alert tcp $HOME_NET any -> $EXTERNAL_NET 1723 (msg:"POLICY pptp setup attempt"; flow:to_server,established; 
content:"|00 01|"; offset:2; depth:2; content:"|00 01 00 00 01 00 00 00|"; offset:8; depth:8; classtype:misc-activity;)

-brian


-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
The most comprehensive and flexible code editor you can use.
Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users