Re: Snort and OpenVPN

[Dmitry Korzhevin <dmitry.korzhevin () stidia com>]

Hi,

I will answer, as I am topicstarter ;)

I use Snort Version 2.9.5.6 GRE (Build 208) on Debian 6 x86_64

Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7

Sample output of snort -dev -i tun0:

http://dpaste.com/1585135/

And output with -k none:

http://dpaste.com/1585136/



04.02.2014 15:07, rmkml пишет:
> Hi Kevin,
>
> What's snort version you use please ?
>
> What's ouptut when you run snort with: snort -dev -i tun0 ?
>
> Could you test by adding "-k none" on snort cmd line please ?
>
> Regards
> @Rmkml
>
>
>
> On Tue, 4 Feb 2014, Dmitry Korzhevin wrote:
>
> > Hi, Kevin
> >
> > This is same server. So, snort and openvpn(server part) is installed
> > at once. When i run snort like:
> >
> > 'snort -dev -i tun0' i see unencrypted traffic, because this server is
> > endpoint of openvpn and users internal ip's fomr openvpn subnet. But,
> > with current config i can't see any info from openvpn intefaces (tun*)
> > in my database/web frontend - snorby.
> >
> > Seems something wrong with my config (snort.conf)..
> >
> >
> >
> > 04.02.2014 14:44, Kevin Ross ?????:
> > > Without knowing your setup I imagine you are trying to have snort
> > > inspect encrypted VPN traffic which it cannot do. I would suggest
> > > playing Snort to detect traffic on interfaces that the traffic must pass
> > > through when on your internal network and it is unencrypted (i.e in a
> > > typical enterprise deployment this would be somewhere behind the VPN
> > > concentrator before it is encrypted or after it is decrypted).
> > >
> > > Regards,
> > > Kevin
> > >
> > >
> > > On 4 February 2014 10:27, Dmitry Korzhevin <dmitry.korzhevin () stidia com
> > > <mailto:dmitry.korzhevin () stidia com>> wrote:
> > >
> > >     Hi, Please, advice - what i did wrong with configuration of my snort
> > >     install - i can't see any openvpn traffic with my current snort
> > >     config, thru i can see regular traffic, pptp, ipsec.
> > >
> > >     Snort installed on one server together with openvpn, openvpn has 3
> > >     interfaces: tun0, tun1, tun2.
> > >
> > >     If i run snort manually and use tun* as parameter for interface - it
> > >     works, and i can see traffic in console.
> > >
> > >     i.e.:  snort -dev -i tun0
> > >
> > >     Maby some problems with configuration of interfaces?
> > >
> > >     My current config:
> > >
> > >     # Setup the network addresses you are protecting
> > >     ipvar HOME_NET any
> > >
> > >     # Set up the external network addresses. Leave as "any" in most
> > >     situations
> > >     ipvar EXTERNAL_NET any
> > >
> > >     Whole snort.conf:
> > >
> > >     http://paste.debian.net/plain/__80076
> > >     <http://paste.debian.net/plain/80076>
> > >
> > >
> > >
> > >
> > >     Best Regards,
> > >     Dmitry
> > >
> > >     ---
> > >     Dmitry KORZHEVIN
> > >     System Administrator
> > >     STIDIA S.A. - Luxembourg
> > >
> > >     e: dmitry.korzhevin () stidia com <mailto:dmitry.korzhevin () stidia com>
> > >     m: +38 093 874 5453 <tel:%2B38%20093%20874%205453>
> > >     w: http://www.stidia.com
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------
> > >
> > >     Managing the Performance of Cloud-Based Applications
> > >     Take advantage of what the Cloud has to offer - Avoid Common
> > > Pitfalls.
> > >     Read the Whitepaper.
> > >
> > > http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> > >
> > >     _______________________________________________
> > >     Snort-users mailing list
> > >     Snort-users () lists sourceforge net
> > >     <mailto:Snort-users () lists sourceforge net>
> > >     Go to this URL to change user options or unsubscribe:
> > >     https://lists.sourceforge.net/lists/listinfo/snort-users
> > >     Snort-users list archive:
> > >     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > >     Please visit http://blog.snort.org to stay current on all the latest
> > >     Snort news!
> >
> > Best Regards,
> > Dmitry
> >
> > ---
> > Dmitry KORZHEVIN
> > System Administrator
> > STIDIA S.A. - Luxembourg
> >
> > e: dmitry.korzhevin () stidia com
> > m: +38 093 874 5453
> > w: http://www.stidia.com

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com

Attachment: smime.p7s
Description: Криптографическая подпись S/MIME

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!