Snort mailing list archives
Re: VPN and UDP alerts
From: "Allan Dover" <allan () iiwishiv com>
Date: Fri, 25 Apr 2003 15:31:34 -0400
Thanks for the advice, I will try it. This may seem like a stupid question: should I be concerned that I am putting an Internet address in my local file?

Example:

var VPN-NET1 64.42.55.212 ( Made it up )
pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61

This will only not log on internal address going to specific destination, so if somebody were to create a scan tool or some other nasty device, I would get flagged again on different IPs. This makes sense to me, look logical?

Allan Dover
Systems Administrator
<mailto:allan () iiwishiv com>
<http://www.iiwishiv.com>

----- Original Message -----
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
To: "'Neil Dickey'" <neil () geol niu edu>; <allan () redwoods ca>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, April 25, 2003 2:25 PM
Subject: RE: [Snort-users] VPN and UDP alerts

if ya do this...don't forget to declare a value for $VPN-NET in snort.conf

var VPN-NET x.x.x.x

-----Original Message-----
From: Neil Dickey [mailto:neil () geol niu edu]
Sent: Friday, April 25, 2003 11:51 AM
To: allan () redwoods ca
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] VPN and UDP alerts

"Allan Dover" <allan () redwoods ca> wrote asking:

> Is there a way to not alert or log UDP:500 as source? Would I make a rule
> to do this? I haven't ventured into rule making as of yet.

A "pass" rule in 'local.rules' would probably do the trick. Something like ...

pass udp $VPN-NET 500 <> $HOME_NET any

... would probably do it. Then restart Snort, and make sure you're using the '-o' rule on the command line.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
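As an added illustration (not part of the thread and not Snort's own code), this simplified Python model of rule-header matching shows which constructed packets a `pass` header of the shape discussed above would exempt, assuming pass rules are evaluated first as the '-o' advice intends. The variable name `VPN_PEER`, the `HOME_NET` range, the packets and the narrower header with port 500 on both sides are assumptions made for the example.

```python
import ipaddress

# Constructed values for illustration only.
VARS = {"VPN_PEER": "64.42.55.212", "HOME_NET": "192.168.1.0/24"}
BROAD = "pass udp $VPN_PEER 500 <> $HOME_NET any"
NARROW = "pass udp $VPN_PEER 500 <> 192.168.1.61 500"
PACKETS = [  # (proto, src ip, src port, dst ip, dst port), all constructed
    ("udp", "64.42.55.212", 500, "192.168.1.61", 500),  # peer -> VPN host
    ("udp", "192.168.1.61", 500, "64.42.55.212", 500),  # VPN host -> peer
    ("udp", "203.0.113.9", 500, "192.168.1.61", 500),   # other source, port 500
    ("udp", "64.42.55.212", 500, "192.168.1.20", 53),   # peer -> other host
]

def parse_header(rule, variables=VARS):
    """Parse 'action proto SRC SPORT DIR DST DPORT' (simplified model)."""
    action, proto, src, sport, direction, dst, dport = rule.split()
    def net(tok):
        # '$NAME' is looked up in variables; 'any' matches every address
        tok = variables[tok[1:]] if tok.startswith("$") else tok
        return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok)
    def port(tok):
        # 'any' or one port number; a non-numeric port field raises ValueError
        return None if tok == "any" else int(tok)

    return {"proto": proto, "dir": direction, "src": net(src),
            "sport": port(sport), "dst": net(dst), "dport": port(dport)}

def _side(net, port, ip, p):
    return ipaddress.ip_address(ip) in net and port in (None, p)

def matches(rule, proto, sip, sp, dip, dp):
    """True if the packet matches the header; '<>' also tries the reverse."""
    if proto != rule["proto"]:
        return False
    fwd = (_side(rule["src"], rule["sport"], sip, sp)
           and _side(rule["dst"], rule["dport"], dip, dp))
    rev = (_side(rule["src"], rule["sport"], dip, dp)
           and _side(rule["dst"], rule["dport"], sip, sp))
    return fwd or (rule["dir"] == "<>" and rev)

def exempted(rule_text):
    """Per-packet list: True where the pass header would exempt the packet."""
    rule = parse_header(rule_text)
    return [matches(rule, *pkt) for pkt in PACKETS]

if __name__ == "__main__":
    print("broad :", exempted(BROAD))
    print("narrow:", exempted(NARROW))
```

The third packet (a different source using port 500) stays visible to alert rules under both headers, while the fourth (the peer reaching another internal host) is exempted only by the broader one.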