Snort mailing list archives

Re: VPN and UDP alerts


From: "Allan Dover" <allan () iiwishiv com>
Date: Fri, 25 Apr 2003 15:31:34 -0400

Thanks for the advice, I will try it.  This may seem like a stupid question,
should I be concerned that I am putting an internet address in my local file?

Example:

var VPN-NET1 64.42.55.212  ( Made it up )

pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61

This will only not log on internal address going to specific destination, so
if somebody were to create a scan tool or some other nasty device, I would
get flagged again on different IPs.

This makes sense to me, look logical ?


Allan Dover
Systems Administrator
<mailto:allan () iiwishiv com>
<http://www.iiwishiv.com>



----- Original Message -----
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
To: "'Neil Dickey'" <neil () geol niu edu>; <allan () redwoods ca>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, April 25, 2003 2:25 PM
Subject: RE: [Snort-users] VPN and UDP alerts


if ya do this...don't forget to declare a value for $VPN-NET in snort.conf

var VPN-NET x.x.x.x

-----Original Message-----
From: Neil Dickey [mailto:neil () geol niu edu]
Sent: Friday, April 25, 2003 11:51 AM
To: allan () redwoods ca
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] VPN and UDP alerts



"Allan Dover" <allan () redwoods ca> wrote asking:

Is there a way to not alert or log UDP:500 as source ?  Would I make a rule
to do this ?  I haven't ventured into rule making as of yet.

A "pass" rule in 'local.rules' would probably do the trick.  Something
like ...

  pass udp $VPN-NET 500 <> $HOME_NET any

... would probably do it.  Then restart Snort, and make sure you're
using the '-o' rule on the command line.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
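
Added example, not part of the original thread and not Snort's own code: a small Python model of how the header of the pass rule discussed above selects traffic, comparing the suggested rule with a version narrowed to one internal host. It models only the rule header and assumes pass rules are evaluated first (the '-o' setting mentioned in the thread); the HOME_NET range, the narrowed rule and the sample packets are constructed for illustration.

```python
import ipaddress

# Constructed values: 64.42.55.212 is the made-up peer from the thread,
# HOME_NET is an assumed /24.
VARS = {"VPN-NET": "64.42.55.212/32", "HOME_NET": "192.168.1.0/24"}

BROAD = "pass udp $VPN-NET 500 <> $HOME_NET any"      # rule as suggested
NARROW = "pass udp $VPN-NET 500 <> 192.168.1.61 any"  # assumed narrowed form

def _net(token):
    """Resolve 'any', a $VAR, or a literal address to a network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("$"):
        token = VARS[token[1:]]  # KeyError here models an undeclared var
    return ipaddress.ip_network(token, strict=False)

def _side(ip_tok, port_tok, ip, port):
    """True if one end of a packet fits one side of the rule header."""
    in_net = ipaddress.ip_address(ip) in _net(ip_tok)
    return in_net and (port_tok == "any" or int(port_tok) == port)

def header_matches(rule, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    _action, proto, a_ip, a_port, direction, b_ip, b_port = rule.split()
    p, sip, sport, dip, dport = pkt
    if proto != p:
        return False
    fwd = _side(a_ip, a_port, sip, sport) and _side(b_ip, b_port, dip, dport)
    if direction == "->":
        return fwd
    # '<>' also matches with the two sides swapped
    rev = _side(a_ip, a_port, dip, dport) and _side(b_ip, b_port, sip, sport)
    return fwd or rev

def passed(rules, pkt):
    """True if any pass rule header matches, i.e. no alert is raised."""
    return any(r.split()[0] == "pass" and header_matches(r, pkt) for r in rules)

if __name__ == "__main__":
    samples = [  # constructed packets
        ("udp", "64.42.55.212", 500, "192.168.1.61", 500),  # peer -> host
        ("udp", "192.168.1.61", 500, "64.42.55.212", 500),  # host -> peer
        ("udp", "203.0.113.9", 500, "192.168.1.61", 500),   # other source
        ("udp", "64.42.55.212", 500, "192.168.1.20", 4500), # other host
    ]
    for pkt in samples:
        print(pkt, "broad:", passed([BROAD], pkt), "narrow:", passed([NARROW], pkt))
```

Traffic with source port 500 from any address outside VPN-NET is not matched by either rule, so it still reaches the alerting rules; the broad form additionally silences the peer's port-500 traffic to every HOME_NET host and port.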

