Snort mailing list archives
Re: VPN and UDP alerts
From: "Allan Dover" <allan () redwoods ca>
Date: Tue, 29 Apr 2003 10:05:04 -0400
Hey Neil, I am still getting alerts from that vpn server on the internet. When I emailed yesterday, the user had left, right when I applied the rule. This morning it's back.

This is what I have done in snort.conf, where DNS and mail variables are defined, I added:

# External VPN Server
var VPN_NET 139.56.2.13

In local.rules I did the following:

pass udp $VPN_NET 500 <> 192.168.1.61 any

I also modified my startup script with the -o option.

Any ideas?

Allan Dover
Systems Administrator
<mailto:allan () iiwishiv com>
<http://www.iiwishiv.com>

###################################################
This e-mail communication (including any or all attachments) is intended only for the use of the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this e-mail, any use, review, retransmission, distribution, dissemination, copying, printing, or other use of, or taking of any action in reliance upon this e-mail, is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the original and any copy of this e-mail and any printout thereof, immediately. Your co-operation is appreciated.

----- Original Message -----
From: "Neil Dickey" <neil () geol niu edu>
To: <allan () iiwishiv com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, April 25, 2003 5:11 PM
Subject: Re: [Snort-users] VPN and UDP alerts
"Allan Dover" <allan () iiwishiv com> wrote:

> Thanks for the advice, I will try it. This may seem like a stupid
> question, should I be concerned that I am putting an internet address in
> my local file?
>
> Example: var VPN-NET1 64.42.55.212 ( Made it up )

According to my reading of the manual that shouldn't cause a problem, though my habit is to define all my variables in a central place -- snort.conf. Just be sure the "var" statement is read before your "pass" rule. If $VPN-NET1 only contains one IP, I wouldn't use a variable. I'd just put the IP in its place in the rule and reduce the overhead.

Now, ...

> pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
                                      ^^^^^^^^^^^^

... I'm not sure what you're doing here. Is 192.168.1.61 part of your HOME_NET, or is it external to it? If you're entering more than one address on the right-hand side, then it's necessary to use square brackets, comma delimiters, and no spaces, as:

[$HOME_NET,192.168.1.61]

Also, there needs to be a port designation after the addresses on the RHS, so the whole rule would look like this:

pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any

The port designation can be a single port number ( e.g. 500 ), as it is on the LHS, a range of ports ( e.g. 500:1000 , 500: , :1000 ), or the word "any" to signify that all ports match.

> This will only not log on internal address going to specific destination,
> so if somebody were to create a scan tool or some other nasty device, I
> would get flagged again on different IPs.

The pass rule we have written here will not affect detection of TCP traffic between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61 . UDP traffic which did not originate from any of these IPs would still be alerted, as would any UDP traffic originating from $VPN-NET1 on some port other than 500 . The rule, as now written, will pass without alerting all UDP traffic originating on $VPN-NET1, port 500, and bound for any port on any machine in $HOME_NET or 192.168.1.61 . It will also pass all UDP traffic originating on $HOME_NET and 192.168.1.61, from any port, and bound for port 500 on $VPN-NET1. Everything else still gets alerted.

> This makes sense to me, looks logical?

If what I've just described is what you want to do, it should work fine. Let me know how it turns out.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
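As an added worked example, not part of the thread and not Snort's own code: the rule-header semantics Neil describes (variable expansion, bracketed address lists, the port forms 500 / 500:1000 / 500: / :1000 / any, and the bidirectional `<>` operator) implemented as a small Python matcher, so you can check which packets the pass rule would actually suppress. The value of HOME_NET (10.1.0.0/16), the sample packets and all function names are constructed for this example. It models only whether a packet matches the rule header; it does not model Snort's rule ordering, which is why the -o flag Allan mentions (switching the order to pass, alert, log) is still needed for a pass rule to take precedence over alert rules.

```python
import ipaddress
import re

# Variables as they would be defined in snort.conf. Values are constructed
# for this example; HOME_NET is chosen so that 192.168.1.61 is outside it,
# the case Neil asks about.
VARS = {
    "VPN-NET1": "64.42.55.212",   # the made-up VPN address from the thread
    "HOME_NET": "10.1.0.0/16",    # assumption: an internal /16
}


def expand_addrs(spec):
    """Expand an address field ('any', $VAR, host, CIDR, or a [a,b,c] list)
    into a list of ip_network objects. None means 'any'."""
    spec = spec.strip()
    if spec == "any":
        return None
    items = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    nets = []
    for item in items:
        item = item.strip()
        if item.startswith("$"):
            item = VARS[item[1:]]  # $VAR -> value from snort.conf
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def expand_ports(spec):
    """Expand a port field into an inclusive (lo, hi) range:
    'any' -> 0..65535, N -> N..N, N:M -> N..M, N: -> N..65535, :M -> 0..M."""
    spec = spec.strip()
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


# action proto src_addr src_port direction dst_addr dst_port
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")


def parse_rule(text):
    """Parse the header of a Snort-style rule into its expanded fields."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    action, proto, sa, sp, direction, da, dp = m.groups()
    return {
        "action": action,
        "proto": proto.lower(),
        "src": (expand_addrs(sa), expand_ports(sp)),
        "dst": (expand_addrs(da), expand_ports(dp)),
        "bidir": direction == "<>",
    }


def _side_matches(side, ip, port):
    nets, (lo, hi) = side
    addr = ipaddress.ip_address(ip)
    if nets is not None and not any(addr in n for n in nets):
        return False
    return lo <= port <= hi


def rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the packet matches the rule header. With '<>' either
    orientation counts, so HOME_NET:any -> VPN:500 is covered as well as
    VPN:500 -> HOME_NET:any; TCP and other source ports are not."""
    if proto.lower() != rule["proto"]:
        return False
    forward = (_side_matches(rule["src"], src_ip, src_port)
               and _side_matches(rule["dst"], dst_ip, dst_port))
    if forward or not rule["bidir"]:
        return forward
    return (_side_matches(rule["src"], dst_ip, dst_port)
            and _side_matches(rule["dst"], src_ip, src_port))


def classify(rule, packets):
    """'pass' for packets the pass rule matches; everything else is left to
    the normal alert rules and is labelled 'alert' here."""
    return ["pass" if rule_matches(rule, *p) else "alert" for p in packets]


RULE = parse_rule("pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any")

# Constructed sample packets: (proto, src_ip, src_port, dst_ip, dst_port)
PACKETS = [
    ("udp", "64.42.55.212", 500, "192.168.1.61", 500),     # IKE from VPN host
    ("udp", "192.168.1.61", 40000, "64.42.55.212", 500),   # reply, any src port
    ("udp", "10.1.2.3", 1234, "64.42.55.212", 500),        # from HOME_NET
    ("udp", "64.42.55.212", 4500, "192.168.1.61", 4500),   # VPN host, other port
    ("tcp", "64.42.55.212", 500, "192.168.1.61", 500),     # TCP is not covered
    ("udp", "10.9.8.7", 500, "192.168.1.61", 500),         # some other source
]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, classify(RULE, PACKETS)):
        print(f"{verdict:5s} {pkt}")
```

The first three packets are the traffic Neil says the rule passes (VPN:500 to the listed hosts on any port, and anything from those hosts to VPN:500); the last three are the cases he says still get alerted (another UDP port on the VPN host, TCP, and a UDP source outside the listed addresses).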
Current thread:
- Re: VPN and UDP alerts Allan Dover (Apr 28)
- Re: VPN and UDP alerts Allan Dover (Apr 29)