Snort mailing list archives
Re: GRE Rule
From: Bad Horse <b4dh0rs3 () gmail com>
Date: Tue, 6 Dec 2011 13:59:52 -0600
It may be better for you to detect this on the host and respond accordingly. OSSEC is a good HIDS offering but in this case, depending on how the PPTP server logs, it may be best to use something like Fail2Ban to monitor the PPTP logs and then firewall/block accordingly. You can even write your own script to do your denying.

I am not intimate with the GRE protocol but if the data will be in plain text and you still wish to use snort, you can always just do a content match and limit the ports the rule listens on to the one(s) your PPTP server is on.

Hope this helps.

-Bad Horse
The Thoroughbred of SYN

On Sun, Dec 4, 2011 at 3:56 PM, vmpc vmpc <packetstack () gmail com> wrote:
I want to create a rule that would block anyone trying to connect to my PPTP server after being denied access once. I will be doing this using snortsam.

Since the packet that contains the "Access denied" message is sent back to the PPTP client using the GRE protocol, does that mean that I can't create a rule that will alert on that packet? My understanding is that GRE is not supported at this time. Would it be possible for me to create a general rule that would look at the entire packet and just try to be very specific when it comes to content matching in order to get a match?

Thanks!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
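The host-side approach suggested in the reply above (watch the PPTP server's log and block a source after one denied login), as an added example that is not part of the original thread. The log layout, the `FAILURE_RE` pattern, the sample lines and the allowlisted network are assumptions constructed for illustration; adapt the pattern to what your PPTP server actually writes.

```python
import ipaddress
import re

# Assumed log layout (constructed for this example); adapt the pattern to
# whatever your PPTP server actually logs on a denied login.
FAILURE_RE = re.compile(r"authentication failed for client (?P<addr>\S+)")

# Constructed sample lines, not real server output.
SAMPLE_LOG = """\
Dec  4 15:50:01 vpn pptp-auth: authentication failed for client 203.0.113.7
Dec  4 15:50:09 vpn pptp-auth: authentication succeeded for client 198.51.100.20
Dec  4 15:51:13 vpn pptp-auth: authentication failed for client 203.0.113.7
Dec  4 15:52:40 vpn pptp-auth: authentication failed for client 192.0.2.10
Dec  4 15:53:02 vpn pptp-auth: authentication failed for client 1.2.3.4;reboot
"""

# Hypothetical admin network that must never be blocked.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def addresses_to_block(lines, max_failures=1, allowlist=ALLOWLIST):
    """Return source addresses that reached max_failures denied logins, in order."""
    failures = {}
    blocked = []
    for line in lines:
        m = FAILURE_RE.search(line)
        if not m:
            continue
        try:
            # Log content is influenced by the remote side: accept only a
            # syntactically valid IP before it gets near a firewall command.
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue
        if any(addr in net for net in allowlist):
            continue
        failures[addr] = failures.get(addr, 0) + 1
        if failures[addr] == max_failures:  # emit each address only once
            blocked.append(str(addr))
    return blocked


def firewall_commands(addresses):
    """Build (not run) one iptables argument list per address."""
    return [["iptables", "-I", "INPUT", "-s", a, "-j", "DROP"] for a in addresses]


if __name__ == "__main__":
    for cmd in firewall_commands(addresses_to_block(SAMPLE_LOG.splitlines())):
        print(" ".join(cmd))
```

The commands are returned as argument lists rather than shell strings, so a caller that does execute them can pass them to `subprocess.run` without a shell.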
Current thread:
- GRE Rule vmpc vmpc (Dec 04)
- Re: GRE Rule Dina Bruzek (Dec 05)
- Re: GRE Rule PS (Dec 04)
- Re: GRE Rule Joel Esler (Dec 05)
- Re: GRE Rule PS (Dec 04)
- Re: GRE Rule Bad Horse (Dec 06)
- Re: GRE Rule Dina Bruzek (Dec 05)