Snort mailing list archives
Re: PPTP and Cisco IPSEC
From: Murali Raju <protocoljunkie () gmail com>
Date: Tue, 13 Sep 2005 19:37:05 -0400
Also the snort_decoder fires alerts on strange UDP traffic (later confirmed as IPSec) that I was able to track down using SGUIL. This helped identify policy violations, such as terminating IPSec tunnels within your internal network from remote users (firewall misconfiguration).

Cheers.
_Raju

On 9/13/05, Paul Melson <pmelson () gmail com> wrote:
The Sourcefire rules policy.rules file includes signatures for PPTP. As for IPSec tunnels, you could easily trigger on the Phase 1 negotiation packets like this:

    alert udp $EXTERNAL_NET 500 -> $HOME_NET 500 (msg:"Site-to-Site IPSec VPN Phase 1 Traffic"; classtype:attempted-admin; sid:1234001; rev:1;)
    alert udp $EXTERNAL_NET !500 -> $HOME_NET 500 (msg:"Client VPN Phase 1 Traffic"; classtype:attempted-admin; sid:1234002; rev:1;)

This would trigger on all phase 1 packets though. To do it right you'd want to build some content: fields for each signature based on some packet captures.

PaulM

________________________________
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ron Jenkins
Sent: Tuesday, September 13, 2005 3:32 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] PPTP and Cisco IPSEC

Are there any rules written to detect when a VPN PPTP and IPSEC connection is being made to a Cisco Pix?

Thanks.

Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
Senior Architect
Data Integrity, LLC
"We Integrate People with Solutions"
1724 Dallas Drive Suite 11
Baton Rouge, La 70806
Office. 225.927.8030
Fax. 225.927.8033
Cell. 225.931.1632
Email. rjenkins () dibr net
Web. http://www.dibr.net
(Aanval Reseller and Technology Partner) http://www.aanval.com/tour/dibr

-------------------------------------------------------
SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
May the packets be with you.
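Paul's remark that the port-only rules fire on every Phase 1 packet, and that content: fields built from captures would tighten them, can be made concrete. The Python below is an added example, not code from this thread, from Sourcefire or from Snort: it parses the fixed ISAKMP header (RFC 2408) off a UDP/500 datagram, labels only the initiator's opening message of a Main Mode or Aggressive Mode exchange with the same two msg: strings the thread uses, and prints the Snort 2 content:/offset:/depth: options that key on the same bytes. The sample datagrams are constructed for the demo (dummy payload body, fixed cookies), and the option string is my suggestion of what such a refinement could look like, not something the thread supplies.

```python
"""Classify IKEv1/ISAKMP datagrams on UDP/500 by exchange type.

Added example for the Snort-users thread above; not code from the thread.
Packet bytes below are constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# ISAKMP fixed header (RFC 2408 section 3.1), 28 bytes, network byte order:
#   initiator cookie (8) | responder cookie (8) | next payload (1) | version (1)
#   exchange type (1) | flags (1) | message ID (4) | length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
ISAKMP_PORT = 500
ZERO_COOKIE = b"\x00" * 8

# Exchange types from RFC 2408 (1-5) and the IPsec DOI, RFC 2407 (32, 33).
EXCHANGE_TYPES = {
    1: "base",
    2: "main mode",          # Identity Protection exchange: Phase 1
    3: "authentication only",
    4: "aggressive mode",    # Phase 1
    5: "informational",
    32: "quick mode",        # Phase 2
    33: "new group mode",
}
PHASE1_EXCHANGES = (2, 4)


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp(payload: bytes) -> IsakmpHeader:
    """Parse the fixed header; reject datagrams that cannot be ISAKMP."""
    if len(payload) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    hdr = IsakmpHeader(*ISAKMP_HEADER.unpack_from(payload))
    if hdr.length != len(payload):
        raise ValueError("ISAKMP length field disagrees with datagram size")
    if hdr.initiator_cookie == ZERO_COOKIE:
        raise ValueError("initiator cookie must be non-zero")
    return hdr


def classify(src_port: int, dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert label for the opening message of a Phase 1 exchange.

    Only the initiator's first packet (responder cookie still zero, message
    ID 0) is reported, so one negotiation yields one alert rather than one
    per packet as the port-only rules in the thread would.
    """
    if dst_port != ISAKMP_PORT:
        return None
    try:
        hdr = parse_isakmp(payload)
    except ValueError:
        return None
    if hdr.exchange_type not in PHASE1_EXCHANGES:
        return None
    if hdr.responder_cookie != ZERO_COOKIE or hdr.message_id != 0:
        return None  # later message of the same exchange
    # Same split as the thread's two rules: a peer gateway speaks from 500,
    # remote clients typically do not.
    base = ("Site-to-Site IPSec VPN Phase 1 Traffic" if src_port == ISAKMP_PORT
            else "Client VPN Phase 1 Traffic")
    return f"{base} [{EXCHANGE_TYPES[hdr.exchange_type]}]"


def snort_content_options(exchange_type: int) -> str:
    """Snort 2 content:/offset:/depth: options matching the bytes classify()
    checks: zero responder cookie at offset 8, exchange type at offset 18.
    (Suggested refinement, assumed here; not from the thread.)"""
    return ('content:"|00 00 00 00 00 00 00 00|"; offset:8; depth:8; '
            f'content:"|{exchange_type:02X}|"; offset:18; depth:1;')


def build_phase1_initiator(exchange_type: int, body: bytes = b"\x00" * 8) -> bytes:
    """Constructed sample datagram: header of an opening Phase 1 message
    followed by a dummy body (not a real SA payload)."""
    header = ISAKMP_HEADER.pack(
        b"\x11" * 8, ZERO_COOKIE, 1, 0x10, exchange_type, 0, 0,
        ISAKMP_HEADER.size + len(body))
    return header + body


if __name__ == "__main__":
    for etype in (2, 4, 32):
        pkt = build_phase1_initiator(etype)
        print(etype, classify(500, 500, pkt), classify(4096, 500, pkt))
    print(snort_content_options(2))
```

Run against a capture, the responder-cookie check is what keeps the alert count at one per tunnel setup; the Quick Mode (32) datagram is ignored because it belongs to Phase 2, which the thread's rules would also have matched.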
Current thread:
- PPTP and Cisco IPSEC Ron Jenkins (Sep 13)
- <Possible follow-ups>
- RE: PPTP and Cisco IPSEC Paul Melson (Sep 13)
- Re: PPTP and Cisco IPSEC Murali Raju (Sep 13)