Re: strongSwan ipsec bruteforce

[Dmitry Korzhevin <dmitry.korzhevin () stidia com>]

I forgot to mention, that ipsec using ports 500 UDP and 4500 UDP

04.11.2012 01:48, Dmitry Korzhevin пишет:
> Hello guys!
>
> Please advice, what rules should i use with snort, to detect bruteforce
> to ipsec server - strongswan (charon IKEv1/IKEv2 daemon)?
>
> In /var/log/charon.log i see:
>
> Nov  3 23:33:36 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  3 23:33:36 03[ENC] header could not be parsed
> Nov  3 23:33:36 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  3 23:38:52 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  3 23:38:52 03[ENC] header could not be parsed
> Nov  3 23:38:52 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  3 23:44:07 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  3 23:44:07 03[ENC] header could not be parsed
> Nov  3 23:44:07 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  3 23:49:23 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  3 23:49:23 03[ENC] header could not be parsed
> Nov  3 23:49:23 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  3 23:54:38 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  3 23:54:38 03[ENC] header could not be parsed
> Nov  3 23:54:38 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  3 23:59:54 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  3 23:59:54 03[ENC] header could not be parsed
> Nov  3 23:59:54 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  4 00:05:10 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  4 00:05:10 03[ENC] header could not be parsed
> Nov  4 00:05:10 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  4 00:10:26 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  4 00:10:26 03[ENC] header could not be parsed
> Nov  4 00:10:26 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  4 00:15:42 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  4 00:15:42 03[ENC] header could not be parsed
> Nov  4 00:15:42 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  4 00:20:58 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  4 00:20:58 03[ENC] header could not be parsed
> Nov  4 00:20:58 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  4 00:26:13 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  4 00:26:13 03[ENC] header could not be parsed
> Nov  4 00:26:13 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  4 00:31:29 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  4 00:31:29 03[ENC] header could not be parsed
> Nov  4 00:31:29 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  4 00:36:45 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  4 00:36:45 03[ENC] header could not be parsed
> Nov  4 00:36:45 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
> Nov  4 00:42:01 03[ENC]   not enough input to parse rule 0 IKE_SPI
> Nov  4 00:42:01 03[ENC] header could not be parsed
> Nov  4 00:42:01 03[NET] received invalid IKE header from 208.94.147.100
> - ignored
>
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
>
> e: dmitry.korzhevin () stidia com
> m: +38 093 874 5453
> w: http://www.stidia.com
>
>
>
> ------------------------------------------------------------------------------
> LogMeIn Central: Instant, anywhere, Remote PC access and management.
> Stay in control, update software, and manage PCs from one command center
> Diagnose problems and improve visibility into emerging IT issues
> Automate, monitor and manage. Do more in less time with Central
> http://p.sf.net/sfu/logmein12331_d2d
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com

Attachment: smime.p7s
Description: Криптографическая подпись S/MIME

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!