Snort mailing list archives
Re: strongSwan ipsec bruteforce
From: Dmitry Korzhevin <dmitry.korzhevin () stidia com>
Date: Sun, 04 Nov 2012 20:48:32 +0200
I forgot to mention that IPsec uses ports 500 UDP and 4500 UDP.

On 04.11.2012 01:48, Dmitry Korzhevin wrote:
> Hello guys! Please advise, what rules should I use with Snort to detect brute force against an IPsec server - strongSwan (charon IKEv1/IKEv2 daemon)? In /var/log/charon.log I see:
>
> Nov 3 23:33:36 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 3 23:33:36 03[ENC] header could not be parsed
> Nov 3 23:33:36 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 3 23:38:52 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 3 23:38:52 03[ENC] header could not be parsed
> Nov 3 23:38:52 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 3 23:44:07 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 3 23:44:07 03[ENC] header could not be parsed
> Nov 3 23:44:07 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 3 23:49:23 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 3 23:49:23 03[ENC] header could not be parsed
> Nov 3 23:49:23 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 3 23:54:38 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 3 23:54:38 03[ENC] header could not be parsed
> Nov 3 23:54:38 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 3 23:59:54 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 3 23:59:54 03[ENC] header could not be parsed
> Nov 3 23:59:54 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 4 00:05:10 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 4 00:05:10 03[ENC] header could not be parsed
> Nov 4 00:05:10 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 4 00:10:26 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 4 00:10:26 03[ENC] header could not be parsed
> Nov 4 00:10:26 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 4 00:15:42 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 4 00:15:42 03[ENC] header could not be parsed
> Nov 4 00:15:42 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 4 00:20:58 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 4 00:20:58 03[ENC] header could not be parsed
> Nov 4 00:20:58 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 4 00:26:13 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 4 00:26:13 03[ENC] header could not be parsed
> Nov 4 00:26:13 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 4 00:31:29 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 4 00:31:29 03[ENC] header could not be parsed
> Nov 4 00:31:29 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 4 00:36:45 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 4 00:36:45 03[ENC] header could not be parsed
> Nov 4 00:36:45 03[NET] received invalid IKE header from 208.94.147.100 - ignored
> Nov 4 00:42:01 03[ENC] not enough input to parse rule 0 IKE_SPI
> Nov 4 00:42:01 03[ENC] header could not be parsed
> Nov 4 00:42:01 03[NET] received invalid IKE header from 208.94.147.100 - ignored
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
> e: dmitry.korzhevin () stidia com
> m: +38 093 874 5453
> w: http://www.stidia.com
Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
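A threshold counted per minute would not catch the pattern Dmitry posted: one invalid IKE header from the same source roughly every five minutes. As an added example, not from the thread, here is Python that parses charon.log lines of the form shown above and flags a source once it reaches a given number of "received invalid IKE header" events inside a sliding window (ten events in one hour assumed here). The sample log is constructed from the post's three-line pattern, repeated every 316 seconds from 208.94.147.100, plus a single event from a constructed address 192.0.2.10.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# charon.log layout as shown in the post: "<Mon> <D> <HH:MM:SS> <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\d+\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
INVALID_RE = re.compile(r"received invalid IKE header from (?P<src>\S+) - ignored")

def invalid_header_events(lines, year=2012):
    """Yield (timestamp, source) for each NET 'received invalid IKE header' line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["group"] != "NET":
            continue
        hit = INVALID_RE.search(m["msg"])
        if hit:
            # syslog-style stamps carry no year; the caller supplies it (2012 is the post date)
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            yield ts, hit["src"]

def flag_sources(lines, min_count=10, window_seconds=3600, year=2012):
    """Map source -> (total, first_seen, last_seen) for sources reaching min_count events in one window."""
    per_src = defaultdict(list)
    for ts, src in invalid_header_events(lines, year):
        per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0  # left edge of the sliding window over this source's events
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_count:
                flagged[src] = (len(times), times[0], times[-1])
                break
    return flagged

# Constructed sample: the three-line pattern from the post repeated every 316 s from
# 208.94.147.100, plus a single event from a constructed address 192.0.2.10.
def _triplet(t, src):
    stamp = f"{t:%b} {t.day} {t:%H:%M:%S}"
    return [f"{stamp} 03[ENC] not enough input to parse rule 0 IKE_SPI",
            f"{stamp} 03[ENC] header could not be parsed",
            f"{stamp} 03[NET] received invalid IKE header from {src} - ignored"]
SAMPLE_LOG = [line for i in range(14) for line in
              _triplet(datetime(2012, 11, 3, 23, 33, 36) + timedelta(seconds=316 * i), "208.94.147.100")]
SAMPLE_LOG += _triplet(datetime(2012, 11, 4, 0, 12, 0), "192.0.2.10")
```

Snort only sees the UDP 500/4500 packets, so a host-side count like this complements a network threshold rule rather than replacing it.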
Current thread:
- strongSwan ipsec bruteforce Dmitry Korzhevin (Nov 03)
- Re: strongSwan ipsec bruteforce Dmitry Korzhevin (Nov 04)