Snort mailing list archives

Re: VPN and UDP alerts


From: Neil Dickey <neil () geol niu edu>
Date: Fri, 25 Apr 2003 16:11:11 -0500 (CDT)


"Allan Dover" <allan () iiwishiv com> wrote:

Thanks for the advice, I will try it.  This may seem like a stupid question:
should I be concerned that I am putting an internet address in my local file?

Example:

var VPN-NET1 64.42.55.212  ( Made it up )

According to my reading of the manual that shouldn't cause a problem, though
my habit is to define all my variables in a central place -- snort.conf.  Just
be sure the "var" statement is read before your "pass" rule.  If $VPN-NET1 only
contains one IP, I wouldn't use a variable.  I'd just put the IP in its place
in the rule and reduce the overhead.

Now, ...

pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
                                     ^^^^^^^^^^^^
... I'm not sure what you're doing here.  Is 192.168.1.61 part of your HOME_NET,
or is it external to it?  If you're entering more than one address on the right-
hand-side, then it's necessary to use square brackets, comma delimiters, and no
spaces, as:

  [$HOME_NET,192.168.1.61]

Also, there needs to be a port designation after the addresses on the RHS, so
the whole rule would look like this:

  pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any

The port designation can be a single port number ( e.g. 500 ), as it is on the
LHS, a range of ports ( e.g. 500:1000 , 500: , :1000 ), or the word "any" to
signify that all ports match.

This will only not log on internal address going to specific destination, so
if somebody were to create a scan tool or some other nasty device, I would
get flagged again on different IPs.

The pass rule we have written here will not affect detection of TCP traffic
between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61.  UDP
traffic which did not originate from any of these IPs would still be alerted,
as would any UDP traffic originating from $VPN-NET1 on some port other than
500.

The rule, as now written, will pass without alerting all UDP traffic
originating on $VPN-NET1, port 500, and bound for any port on any machine in
$HOME_NET or 192.168.1.61.  It will also pass all UDP traffic originating on
$HOME_NET and 192.168.1.61, from any port, and bound for port 500 on $VPN-NET1.
Everything else still gets alerted.

This makes sense to me; looks logical?

If what I've just described is what you want to do, it should work fine.

Let me know how it turns out.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
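The matching semantics Neil walks through above (bidirectional `<>`, bracketed address lists with variables, and the `500`, `500:1000`, `500:`, `:1000` and `any` port forms) as an added example that is not part of the thread: a small Python model of how Snort evaluates the header of that pass rule against a UDP packet. It is an illustration of the header logic only, not Snort's own code, and the variable values (including a $HOME_NET of 192.168.0.0/24, chosen so that 192.168.1.61 is external to it) are constructed.

```python
import ipaddress

# Constructed stand-ins for the "var" lines that would live in snort.conf.
VARS = {"VPN-NET1": "64.42.55.212", "HOME_NET": "192.168.0.0/24"}


def expand_addrs(spec, variables=VARS):
    """Expand a Snort address field ('any', '$VAR', an IP or CIDR, or a
    bracketed '[x,y,...]' list with no spaces) into ip_network objects."""
    spec = spec.strip()
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    parts = spec[1:-1].split(",") if spec.startswith("[") and spec.endswith("]") else [spec]
    nets = []
    for part in parts:
        if part.startswith("$"):
            part = variables[part[1:]]  # substitute the variable's value
        nets.append(ipaddress.ip_network(part, strict=False))
    return nets


def port_matches(spec, port):
    """Snort port field: 'any', a single port, or a range 'lo:hi', 'lo:' or ':hi'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)


def addr_matches(nets, ip):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def pass_rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """Evaluate a rule header like
    'pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any' against a packet.
    Returns True when the packet is covered (and would be passed), else False."""
    _action, rproto, addr1, port1, direction, addr2, port2 = rule.split()
    if rproto != proto:
        return False
    nets1, nets2 = expand_addrs(addr1), expand_addrs(addr2)
    forward = (addr_matches(nets1, src_ip) and port_matches(port1, src_port)
               and addr_matches(nets2, dst_ip) and port_matches(port2, dst_port))
    if direction == "->":
        return forward
    # '<>' also matches the reverse direction: RHS as source, LHS as destination.
    reverse = (addr_matches(nets2, src_ip) and port_matches(port2, src_port)
               and addr_matches(nets1, dst_ip) and port_matches(port1, dst_port))
    return forward or reverse
```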



