Snort mailing list archives
Re: Snort and OpenVPN
From: Dmitry Korzhevin <dmitry.korzhevin () stidia com>
Date: Tue, 04 Feb 2014 15:22:53 +0200
Hi, I will answer, as I am the topic starter ;)

I use Snort Version 2.9.5.6 GRE (Build 208) on Debian 6 x86_64
Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7

Sample output of snort -dev -i tun0: http://dpaste.com/1585135/
And output with -k none: http://dpaste.com/1585136/

04.02.2014 15:07, rmkml writes:
Hi Kevin,
What's the snort version you use please?
What's the output when you run snort with: snort -dev -i tun0 ?
Could you test by adding "-k none" on the snort cmd line please?
Regards
@Rmkml

On Tue, 4 Feb 2014, Dmitry Korzhevin wrote:

Hi, Kevin
This is the same server. So, snort and openvpn (server part) are installed at once. When I run snort like: 'snort -dev -i tun0' I see unencrypted traffic, because this server is the endpoint of openvpn and users' internal IPs are from the openvpn subnet. But, with the current config I can't see any info from openvpn interfaces (tun*) in my database/web frontend - snorby. Seems something is wrong with my config (snort.conf)..

04.02.2014 14:44, Kevin Ross writes:

Without knowing your setup I imagine you are trying to have snort inspect encrypted VPN traffic which it cannot do. I would suggest placing Snort to detect traffic on interfaces that the traffic must pass through when on your internal network and it is unencrypted (i.e. in a typical enterprise deployment this would be somewhere behind the VPN concentrator before it is encrypted or after it is decrypted).
Regards,
Kevin

On 4 February 2014 10:27, Dmitry Korzhevin <dmitry.korzhevin () stidia com> wrote:

Hi,
Please advise - what did I do wrong with the configuration of my snort install - I can't see any openvpn traffic with my current snort config, though I can see regular traffic, pptp, ipsec. Snort is installed on one server together with openvpn; openvpn has 3 interfaces: tun0, tun1, tun2. If I run snort manually and use tun* as the parameter for the interface, it works, and I can see traffic in the console, i.e.: snort -dev -i tun0
Maybe some problems with the configuration of interfaces?
My current config:

# Setup the network addresses you are protecting
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

Whole snort.conf: http://paste.debian.net/plain/80076

Best Regards, Dmitry
---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

Best Regards, Dmitry
---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
Current thread:
- Snort and OpenVPN Dmitry Korzhevin (Feb 04)
- Re: Snort and OpenVPN Kevin Ross (Feb 04)
- Re: Snort and OpenVPN Dmitry Korzhevin (Feb 04)
- Message not available
- Re: Snort and OpenVPN Dmitry Korzhevin (Feb 04)
- Re: Snort and OpenVPN Dmitry Korzhevin (Feb 04)
- Re: Snort and OpenVPN Kevin Ross (Feb 04)