Snort mailing list archives
RE: VPN and UDP alerts
From: SRH-Lists <giermo () 333tech com>
Date: Tue, 29 Apr 2003 09:41:28 -0500
I am still getting alerts from that VPN server on the internet. When I emailed yesterday, the user had left, right when I applied the rule. This morning it's back. This is what I have done. In snort.conf, where DNS and mail variables are defined, I added:

    # External VPN Server
    var VPN_NET 139.56.2.13

In local.rules I did the following:

    pass udp $VPN_NET 500 <> 192.168.1.61 any

Unless that 192.168.1.61 address you have in this rule is just a placeholder to obfuscate the real address, you will never see traffic like this, unless the sensor is inside your firewall and the firewall is NATing for the VPN client. Either way, try this:

    pass udp $VPN_NET 500 <> any any

-steve
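
An added illustration of the point made in the reply above (not code from the thread and not Snort's own matching code): a minimal Python model of rule-header matching, run against constructed packets as a sensor would see them outside and inside a NATing firewall. The 203.0.113.10 public address and all function names are assumptions made for the example.

```python
import ipaddress

def parse_header(rule, variables):
    """Parse a Snort rule header: action proto ip port direction ip port."""
    action, proto, a_ip, a_port, direction, b_ip, b_port = rule.split()[:7]

    def net(tok):
        if tok.startswith("$"):              # expand a snort.conf "var"
            tok = variables[tok[1:]]
        return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

    def port(tok):
        return None if tok == "any" else int(tok)

    return {"proto": proto, "dir": direction,
            "a": (net(a_ip), port(a_port)), "b": (net(b_ip), port(b_port))}

def side_matches(endpoint, ip, prt):
    net, port = endpoint                     # None means "any"
    return ((net is None or ipaddress.ip_address(ip) in net)
            and (port is None or port == prt))

def header_matches(hdr, pkt):
    if pkt["proto"] != hdr["proto"]:
        return False
    fwd = (side_matches(hdr["a"], pkt["src"], pkt["sport"])
           and side_matches(hdr["b"], pkt["dst"], pkt["dport"]))
    rev = (side_matches(hdr["b"], pkt["src"], pkt["sport"])
           and side_matches(hdr["a"], pkt["dst"], pkt["dport"]))
    return fwd or (hdr["dir"] == "<>" and rev)   # "<>" also tries the swap

VARS = {"VPN_NET": "139.56.2.13"}
RULES = {"original": "pass udp $VPN_NET 500 <> 192.168.1.61 any",
         "suggested": "pass udp $VPN_NET 500 <> any any"}
# Constructed packets: one IKE reply from the VPN server, as seen on each side
# of the firewall. 203.0.113.10 is an assumed public (NAT) address.
PACKETS = {
    "outside": {"proto": "udp", "src": "139.56.2.13", "sport": 500,
                "dst": "203.0.113.10", "dport": 500},
    "inside": {"proto": "udp", "src": "139.56.2.13", "sport": 500,
               "dst": "192.168.1.61", "dport": 500},
}

def verdicts():
    """Return {(rule, sensor position): True if the pass rule matches}."""
    return {(r, pos): header_matches(parse_header(text, VARS), pkt)
            for r, text in RULES.items() for pos, pkt in PACKETS.items()}

if __name__ == "__main__":
    for key, hit in sorted(verdicts().items()):
        print(key, "matches" if hit else "no match")
```

With a sensor outside the firewall, the original rule never matches because the private address is not on the wire there; the `any any` form matches in both positions.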