Snort mailing list archives
strongSwan ipsec bruteforce
From: Dmitry Korzhevin <dmitry.korzhevin () stidia com>
Date: Sun, 04 Nov 2012 01:48:57 +0200
Hello guys!

Please advise: what rules should I use with Snort to detect brute force against an IPsec server - strongSwan (charon IKEv1/IKEv2 daemon)?

In /var/log/charon.log I see:

Nov 3 23:33:36 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 3 23:33:36 03[ENC] header could not be parsed
Nov 3 23:33:36 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 3 23:38:52 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 3 23:38:52 03[ENC] header could not be parsed
Nov 3 23:38:52 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 3 23:44:07 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 3 23:44:07 03[ENC] header could not be parsed
Nov 3 23:44:07 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 3 23:49:23 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 3 23:49:23 03[ENC] header could not be parsed
Nov 3 23:49:23 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 3 23:54:38 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 3 23:54:38 03[ENC] header could not be parsed
Nov 3 23:54:38 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 3 23:59:54 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 3 23:59:54 03[ENC] header could not be parsed
Nov 3 23:59:54 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 4 00:05:10 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 4 00:05:10 03[ENC] header could not be parsed
Nov 4 00:05:10 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 4 00:10:26 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 4 00:10:26 03[ENC] header could not be parsed
Nov 4 00:10:26 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 4 00:15:42 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 4 00:15:42 03[ENC] header could not be parsed
Nov 4 00:15:42 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 4 00:20:58 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 4 00:20:58 03[ENC] header could not be parsed
Nov 4 00:20:58 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 4 00:26:13 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 4 00:26:13 03[ENC] header could not be parsed
Nov 4 00:26:13 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 4 00:31:29 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 4 00:31:29 03[ENC] header could not be parsed
Nov 4 00:31:29 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 4 00:36:45 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 4 00:36:45 03[ENC] header could not be parsed
Nov 4 00:36:45 03[NET] received invalid IKE header from 208.94.147.100 - ignored
Nov 4 00:42:01 03[ENC] not enough input to parse rule 0 IKE_SPI
Nov 4 00:42:01 03[ENC] header could not be parsed
Nov 4 00:42:01 03[NET] received invalid IKE header from 208.94.147.100 - ignored

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
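
Added example, not part of the original post and not strongSwan or Snort code: a log-side check that counts the "received invalid IKE header" entries in charon.log per source and reports the median spacing between them. The function name, the `min_hits` threshold and the 192.0.2.7 sample entry are assumptions made for this illustration; the year is passed in because charon.log timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the charon [NET] entry shown in the post. findall() also copes
# with entries that were run together on one line, as in the archive copy.
INVALID_HDR = re.compile(
    r"([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \d+\[NET\] "
    r"received invalid IKE header from (\S+) - ignored"
)

def invalid_header_sources(log_text, year, min_hits=5):
    """Return {source: (hits, median_gap_seconds)} for repeat senders.

    min_hits is an assumed threshold; tune it to your own baseline.
    median_gap_seconds is None when a source has a single hit.
    """
    seen = defaultdict(list)
    for stamp, src in INVALID_HDR.findall(log_text):
        seen[src].append(
            datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    report = {}
    for src, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = (len(times), median(gaps) if gaps else None)
    return report

# Sample input: the first seven timestamps from the post, rebuilt in the
# run-together form, plus one constructed entry from a documentation address.
STAMPS = ["Nov 3 23:33:36", "Nov 3 23:38:52", "Nov 3 23:44:07",
          "Nov 3 23:49:23", "Nov 3 23:54:38", "Nov 3 23:59:54",
          "Nov 4 00:05:10"]
SAMPLE = "".join(
    f"{s} 03[ENC] header could not be parsed{s} 03[NET] "
    "received invalid IKE header from 208.94.147.100 - ignored\n"
    for s in STAMPS
) + ("Nov 3 23:40:00 03[NET] received invalid IKE header "
     "from 192.0.2.7 - ignored\n")  # constructed entry

if __name__ == "__main__":
    for src, (hits, gap) in invalid_header_sources(SAMPLE, 2012).items():
        print(f"{src}: {hits} invalid IKE headers, median gap {gap:.0f}s")
```
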