Snort mailing list archives

RE: PPTP and Cisco IPSEC


From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 13 Sep 2005 16:18:01 -0400

The Sourcefire rules policy.rules file includes signatures for PPTP.

As for IPSec tunnels, you could easily trigger on the Phase 1 negotiation
packets like this:

alert udp $EXTERNAL_NET 500 -> $HOME_NET 500 (msg:"Site-to-Site IPSec VPN Phase 1 Traffic"; classtype:attempted-admin; sid:1234001; rev:1;)

alert udp $EXTERNAL_NET !500 -> $HOME_NET 500 (msg:"Client VPN Phase 1 Traffic"; classtype:attempted-admin; sid:1234002; rev:1;)

This would trigger on all phase 1 packets though.  To do it right you'd want
to build some content: fields for each signature based on some packet
captures.

PaulM
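The two rules above fire on every UDP/500 packet and only split site-to-site from client traffic by source port. What the "content: fields based on some packet captures" would pin down is the ISAKMP header (RFC 2408): initiator cookie (8 bytes), responder cookie (8 bytes), next payload, version, exchange type, flags, message ID and length. The first Phase 1 packet has an all-zero responder cookie and a zero message ID, and the exchange type tells Main Mode (2, Identity Protection) from Aggressive Mode (4). The following is an added example, not code from the original post or from Snort: it classifies constructed packets the way the two rules do, reads the exchange type, and emits the equivalent Snort `content:` options. The sample packets are built inline, not taken from a PIX capture, and the assumption that client VPNs use a non-500 source port is the reply's, not something this code verifies.

```python
"""Classify IKEv1 (ISAKMP) Phase 1 packets like the two Snort rules above,
then read the ISAKMP header to separate Main Mode from Aggressive Mode.
Added example; the packets below are constructed, not captured."""
import struct

# ISAKMP header, RFC 2408 section 3.1: 8s initiator cookie, 8s responder
# cookie, B next payload, B version (major<<4 | minor), B exchange type,
# B flags, I message ID, I length.  28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
IKE_PORT = 500

EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",  # Phase 2, IPsec DOI (RFC 2409)
}


def parse_isakmp(payload):
    """Return the ISAKMP header fields as a dict, or None if too short."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    i_ck, r_ck, nxt, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {
        "initiator_cookie": i_ck,
        "responder_cookie": r_ck,
        "next_payload": nxt,
        "major_version": ver >> 4,
        "minor_version": ver & 0x0F,
        "exchange_type": xchg,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify(src_port, dst_port, payload):
    """Mirror the two rules: which msg would fire, plus the Phase 1 mode.

    Returns (rule_msg, exchange_name) for the first Phase 1 packet of an
    IKEv1 exchange, or None for anything else.
    """
    if dst_port != IKE_PORT:
        return None
    hdr = parse_isakmp(payload)
    if hdr is None or hdr["major_version"] != 1:
        return None
    # First Phase 1 message: responder has not chosen a cookie yet and the
    # message ID is zero.  Phase 2 (Quick Mode) has both set.
    first_phase1 = hdr["responder_cookie"] == b"\x00" * 8 and hdr["message_id"] == 0
    if not first_phase1:
        return None
    if src_port == IKE_PORT:
        rule = "Site-to-Site IPSec VPN Phase 1 Traffic"
    else:
        rule = "Client VPN Phase 1 Traffic"  # the reply's src-port assumption
    return rule, EXCHANGE_TYPES.get(hdr["exchange_type"], "unknown")


def snort_content_for(exchange_type):
    """Snort 2 content options matching the first Phase 1 packet of a mode:
    zero responder cookie at offset 8, then version 1.0 and the exchange
    type at offset 17."""
    return (
        'content:"|00 00 00 00 00 00 00 00|"; offset:8; depth:8; '
        'content:"|10 %02X|"; offset:17; depth:2;' % exchange_type
    )


def _pkt(r_cookie, xchg, msg_id, body_len=200):
    """Build a constructed ISAKMP packet (header plus opaque padding)."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, r_cookie, 1, 0x10, xchg, 0, msg_id,
                          ISAKMP_HDR.size + body_len)
    return hdr + b"\x00" * body_len


# Constructed samples: Main Mode from a peer gateway, Aggressive Mode from a
# client on an ephemeral port, a Quick Mode packet, and a truncated datagram.
MAIN_MODE_PKT = _pkt(b"\x00" * 8, 2, 0)
AGGRESSIVE_PKT = _pkt(b"\x00" * 8, 4, 0)
QUICK_MODE_PKT = _pkt(b"\x22" * 8, 32, 0x1a2b3c4d)
TRUNCATED_PKT = b"\x00" * 10

if __name__ == "__main__":
    for name, sp, pkt in (("gateway", 500, MAIN_MODE_PKT),
                          ("client", 1024, AGGRESSIVE_PKT),
                          ("phase2", 500, QUICK_MODE_PKT),
                          ("short", 500, TRUNCATED_PKT)):
        print(name, classify(sp, 500, pkt))
    print(snort_content_for(2))
```

On a PIX, site-to-site peers typically negotiate Main Mode and the Cisco VPN client with a group pre-shared key uses Aggressive Mode, so the exchange-type byte is a more reliable discriminator than source port alone; `snort_content_for(4)` gives the options to add to the client rule.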


________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ron Jenkins
Sent: Tuesday, September 13, 2005 3:32 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] PPTP and Cisco IPSEC



Are there any rules written to detect when a PPTP or IPSec VPN connection is
being made to a Cisco PIX?

 

Thanks.

 

Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
Senior Architect
Data Integrity, LLC
"We Integrate People with Solutions"
1724 Dallas Drive
Suite 11
Baton Rouge, La 70806
Office. 225.927.8030
Fax. 225.927.8033
Cell. 225.931.1632

Email. rjenkins () dibr net
Web. http://www.dibr.net

(Aanval Reseller and Technology Partner)

http://www.aanval.com/tour/dibr

 




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users