[Snort-sigs] GRE Rule

Bad Horse b4dh0rs3 at ...2420...
Tue Dec 6 14:59:52 EST 2011


It may be better for you to detect this on the host and respond
accordingly.  OSSEC is a good HIDS offering but in this case, depending on
how the PPTP server logs, it may be best to use something like Fail2Ban to
monitor the PPTP logs and then firewall/block accordingly.  You can even
write your own script to do your denying.

I am not intimate with the GRE protocol but if the data will be in plain
text and you still wish to use snort, you can always just do a content
match and limit the ports the rule listens on to the one(s) your PPTP
server is on.

Hope this helps.

-Bad Horse
 The Thoroughbred of SYN
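As an added illustration of the "write your own script" route above (not code from this thread, from Fail2Ban or from pptpd), the sketch below reads PPTP log lines, counts authentication failures per client address inside a time window, and renders a deny rule for each offender instead of applying it. The syslog line shape and the "authentication failed" wording are assumptions: adjust LINE_RE to whatever your pptpd/pppd actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like shape (assumed format, not real pptpd output).
SAMPLE_LOG = """\
Dec  6 14:01:02 vpn pptpd[2210]: CTRL: Client 203.0.113.5 authentication failed
Dec  6 14:01:09 vpn pptpd[2210]: CTRL: Client 203.0.113.5 authentication failed
Dec  6 14:01:15 vpn pptpd[2211]: CTRL: Client 198.51.100.7 authentication failed
Dec  6 14:01:20 vpn pptpd[2210]: CTRL: Client 203.0.113.5 authentication failed
Dec  6 14:05:00 vpn pptpd[2212]: CTRL: Client 198.51.100.7 authentication failed
Dec  6 14:20:00 vpn pptpd[2213]: CTRL: Client 198.51.100.7 authentication failed
"""

# Assumed pattern: syslog timestamp, host, pptpd[pid], then the failure message with the client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pptpd\[\d+\]: "
    r"CTRL: Client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) authentication failed$"
)

def parse_failures(log_text, year=2011):
    """Yield (timestamp, client_ip) for each failure line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied for parsing
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]

def offenders(log_text, max_fail=3, window=timedelta(minutes=10)):
    """Return {ip: time_threshold_reached} for clients with max_fail or more
    failures inside any sliding window (the maxretry/findtime idea of Fail2Ban)."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_fail and ip not in banned:
            banned[ip] = ts
    return banned

def deny_commands(banned, chain="INPUT"):
    """Render one firewall rule per offender; printed for review, never executed here."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(banned)]

if __name__ == "__main__":
    for cmd in deny_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

With the sample input only 203.0.113.5 crosses three failures within ten minutes; 198.51.100.7 spreads its three attempts over nineteen minutes and is left alone unless the window is widened.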

On Sun, Dec 4, 2011 at 3:56 PM, vmpc vmpc <packetstack at ...2420...> wrote:

> I want to create a rule that would block anyone trying to connect to my
> PPTP server after being denied access once. I will be doing this using
> snortsam. Since the packet that contains the  "Access denied" message is
> sent back to the PPTP client using the GRE protocol, does that mean that I
> can't create a rule that will alert on that packet? My understanding is
> that GRE is not supported at this time. Would it be possible for me to
> create a general rule that would look at the entire packet and just try to
> be very specific when it comes to content matching in order to get a match?
>
> Thanks!
>