Snort mailing list archives
Re: VPN and UDP alerts
From: Neil Dickey <neil () geol niu edu>
Date: Fri, 25 Apr 2003 16:11:11 -0500 (CDT)
"Allan Dover" <allan () iiwishiv com> wrote:
> Thanks for the advice, I will try it. This may seem like a stupid question, should I be concerned that I am putting an internet address in my local file? Example: var VPN-NET1 64.42.55.212 (Made it up)
According to my reading of the manual that shouldn't cause a problem, though my habit is to define all my variables in a central place -- snort.conf. Just be sure the "var" statement is read before your "pass" rule. If $VPN-NET1 only contains one IP, I wouldn't use a variable. I'd just put the IP in its place in the rule and reduce the overhead. Now, ...
pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
                                    ^^^^^^^^^^^^

... I'm not sure what you're doing here. Is 192.168.1.61 part of your HOME_NET, or is it external to it? If you're entering more than one address on the right-hand side, then it's necessary to use square brackets, comma delimiters, and no spaces, as:

[$HOME_NET,192.168.1.61]

Also, there needs to be a port designation after the addresses on the RHS, so the whole rule would look like this:

pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any

The port designation can be a single port number (e.g. 500), as it is on the LHS, a range of ports (e.g. 500:1000, 500:, :1000), or the word "any" to signify that all ports match.
> This will only not log on internal address going to specific destination, so if somebody were to create a scan tool or some other nasty device, I would get flagged again on different IPs.
The pass rule we have written here will not affect detection of TCP traffic between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61. UDP traffic which did not originate from any of these IPs would still be alerted, as would any UDP traffic originating from $VPN-NET1 on some port other than 500. The rule, as now written, will pass without alerting all UDP traffic originating on $VPN-NET1, port 500, and bound for any port on any machine in $HOME_NET or 192.168.1.61. It will also pass all UDP traffic originating on $HOME_NET and 192.168.1.61, from any port, and bound for port 500 on $VPN-NET1. Everything else still gets alerted.
> This makes sense to me, looks logical?
If what I've just described is what you want to do, it should work fine. Let me know how it turns out.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
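To make the rule semantics in the reply concrete, here is a small matcher, added to this archive page and not code from the thread or from Snort itself. It parses the header of a pass rule the way the reply describes (bracketed address lists with no spaces, a port field on both sides, single/range/any port designations, and `<>` meaning either direction) and then checks sample packets against it. The variable table and the HOME_NET value 192.168.2.0/24 are constructed for the example; the VPN address is the made-up one from the thread. It is a simplified model, not Snort's own parser, so use it to reason about what a rule suppresses, not as a substitute for testing in Snort.

```python
import ipaddress
import re

# Constructed stand-in for the "var" lines in snort.conf. Addresses are made up;
# HOME_NET is chosen so that 192.168.1.61 is NOT inside it, which is the case
# where listing it separately in brackets actually matters.
VARS = {
    "HOME_NET": "192.168.2.0/24",
    "VPN-NET1": "64.42.55.212",
}

# Rule header: action proto src sport dir dst dport  (rule options are ignored here)
_RULE_RE = re.compile(
    r"^(?P<action>pass|alert|log)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*$"
)


def parse_addr_list(spec):
    """Expand an address field into a list of networks.

    Accepts 'any', a $VAR, a bare IP or CIDR, or a bracketed comma-separated
    list with no spaces, i.e. the form the reply recommends: [$HOME_NET,192.168.1.61]
    """
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("["):
        if not spec.endswith("]") or " " in spec:
            raise ValueError(f"bad address list (need [a,b,...] with no spaces): {spec!r}")
        items = spec[1:-1].split(",")
    else:
        items = [spec]
    nets = []
    for item in items:
        if item.startswith("$"):
            name = item[1:]
            if name not in VARS:
                raise ValueError(f"undefined variable {item}")
            nets.extend(parse_addr_list(VARS[name]))  # variables may hold lists too
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def parse_ports(spec):
    """Return (low, high) for a single port, a range (500:1000, 500:, :1000) or 'any'."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)  # raises ValueError if an address landed in the port slot
    return (port, port)


def parse_rule(text):
    """Parse a rule header into its fields; raises ValueError on malformed input."""
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse rule header: {text!r}")
    return {
        "action": m["action"],
        "proto": m["proto"],
        "src": parse_addr_list(m["src"]),
        "sport": parse_ports(m["sport"]),
        "dir": m["dir"],
        "dst": parse_addr_list(m["dst"]),
        "dport": parse_ports(m["dport"]),
    }


def check_rule(text):
    """Return None if the header parses, otherwise the error message."""
    try:
        parse_rule(text)
    except ValueError as exc:
        return str(exc)
    return None


def _side_matches(nets, ports, ip, port):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets) and ports[0] <= port <= ports[1]


def rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the packet matches the header; '<>' matches either direction."""
    if proto != rule["proto"]:
        return False
    forward = (_side_matches(rule["src"], rule["sport"], src_ip, src_port)
               and _side_matches(rule["dst"], rule["dport"], dst_ip, dst_port))
    if forward or rule["dir"] == "->":
        return forward
    return (_side_matches(rule["src"], rule["sport"], dst_ip, dst_port)
            and _side_matches(rule["dst"], rule["dport"], src_ip, src_port))


def is_passed(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if this pass rule would suppress the packet."""
    return rule["action"] == "pass" and rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port)


if __name__ == "__main__":
    print(check_rule("pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61"))  # original: port missing
    rule = parse_rule("pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any")
    print(is_passed(rule, "udp", "64.42.55.212", 500, "192.168.2.10", 4500))   # suppressed
    print(is_passed(rule, "tcp", "64.42.55.212", 500, "192.168.2.10", 4500))   # TCP untouched
    print(is_passed(rule, "udp", "64.42.55.212", 501, "192.168.2.10", 500))    # other VPN port: alerted
    print(is_passed(rule, "udp", "10.0.0.5", 500, "192.168.2.10", 500))        # other source: alerted
```

Running it reproduces the five cases spelled out in the reply: the corrected rule passes UDP from the VPN address on port 500 to any port in the list, and the reverse direction to port 500; TCP, UDP from the VPN address on any other port, and UDP from addresses outside the list are all still matched by nothing here and so would still reach the alert rules. The original header, with 192.168.1.61 in the port slot, fails to parse, which is the error the reply points at.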