Snort mailing list archives
Re: VPN Users
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sun, 16 May 2010 13:02:00 +1200
On 05/15/2010 02:31 AM, Stephen Mullins wrote:
> Typically this is what you use a SIM tool for. That way you can check what user was assigned what translated VPN IP address at the time that traffic involving that IP triggered the IDS alert by looking for Windows/VPN logs around the time of the alert.
You are so right. VPN users are an absolute pain - especially since a lot of VPN software (eg openvpn and cisco concentrators) continually re-use IP addresses. ie hostA logs in and is assigned IP-1, logs out and two seconds later hostB logs in and is assigned IP-1. If you have the option, save yourself some grief and use DHCP!!!

Anyway, typically the VPN server won't be logging the client hostname, so you have to rely on either triggering your own scripts to detect the client hostname, or use logs from other sources (eg if the host is in your Active Directory, then your domain controllers will log that host registering itself with the domain. Won't work for non-Windows or non-domain hosts of course)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
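The correlation discussed in this message, as an added example that is not part of the original post or of any tool it names: given VPN session records, it attributes an IDS alert on a VPN-assigned IP to a user and flags the case where the address was re-used too close to the alert time to be sure. The record layout, the user names, the addresses and the 5-second clock-skew allowance are all assumptions made for the example.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: (user, assigned VPN IP, login time, logout time or None if still connected).
# 10.8.0.5 is re-used two seconds after the first session ends.
SESSIONS = [
    ("userA", "10.8.0.5", "2010-05-15 09:00:00", "2010-05-15 09:30:00"),
    ("userB", "10.8.0.5", "2010-05-15 09:30:02", "2010-05-15 11:00:00"),
    ("userC", "10.8.0.6", "2010-05-15 09:10:00", None),
]


def resolve_vpn_user(ip, alert_time, sessions=SESSIONS, skew=timedelta(seconds=5)):
    """Return (users, status) for an alert on `ip` at `alert_time`.

    A session is a candidate if the alert falls inside its lifetime widened by
    `skew` on both sides (assumed allowance for clock drift between the IDS
    sensor and the VPN server). status is "unique", "ambiguous" or "unknown".
    """
    t = datetime.strptime(alert_time, FMT)
    users = []
    for user, session_ip, start, end in sessions:
        if session_ip != ip:
            continue
        begins = datetime.strptime(start, FMT) - skew
        # An open session (no logout logged yet) has no upper bound.
        ends = datetime.strptime(end, FMT) + skew if end else None
        if begins <= t and (ends is None or t <= ends):
            users.append(user)
    if not users:
        return users, "unknown"
    # More than one candidate means the IP changed hands within the skew window:
    # report every candidate instead of guessing.
    return users, "unique" if len(users) == 1 else "ambiguous"


if __name__ == "__main__":
    for ip, when in [
        ("10.8.0.5", "2010-05-15 09:15:00"),
        ("10.8.0.5", "2010-05-15 09:30:01"),
        ("10.8.0.6", "2010-05-15 23:00:00"),
        ("10.8.0.7", "2010-05-15 09:15:00"),
    ]:
        print(ip, when, resolve_vpn_user(ip, when))
```

An "ambiguous" result is the cue to fall back on a second log source, such as the domain controller records mentioned in the message.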
Current thread:
- VPN Users Bill Pickens (May 14)
- Re: VPN Users Stephen Mullins (May 14)
- Re: VPN Users Jason Haar (May 15)
- Re: VPN Users Stephen Mullins (May 14)