[Snort-users] VPN traffic

Bob Van Cleef vancleef at ...211...
Tue Aug 1 17:20:04 EDT 2000


I'm running a test of some VPN boxes from www.netscreen.com

I want to monitor all/any traffic going to/from these boxes,
so I added rules:

alert UDP 192.86.6.10/32 any -> any any (msg: "NS10 Outbound Traffic"; )
alert UDP any any -> 192.86.6.10/32 any (msg: "NS10 Inbound Traffic"; )

alert TCP 192.86.6.10/32 any -> any any (msg: "NS10 Outbound Traffic"; )   
alert TCP any any -> 192.86.6.10/32 any (msg: "NS10 Inbound Traffic"; ) 

alert ICMP 192.86.6.10/32 any -> any any (msg: "NS10 Outbound Traffic"; )   
alert ICMP any any -> 192.86.6.10/32 any (msg: "NS10 Inbound Traffic"; ) 

Two questions:

 - Is there a way to say "any" for the protocol?

 - The VPN traffic is not logged, what protocol does it use?

Bob
-- 
><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...
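
Added example, not part of the original post and not Snort code: the Python below reads the IPv4 protocol field of each packet and counts traffic to or from the monitored host that the tcp/udp/icmp rules above would not cover. It assumes the tunnel uses a separate IP protocol such as ESP (50), AH (51) or GRE (47), which the post does not state; the helper names, peer addresses and sample packets are constructed.

```python
import socket
import struct
from collections import Counter

MONITORED = "192.86.6.10"                        # host from the rules in the post
RULE_PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}   # what the six rules cover
OTHER_NAMES = {47: "gre", 50: "esp", 51: "ah"}   # IANA numbers common in VPN tunnels

def ipv4_header(src, dst, proto):
    """Constructed 20-byte IPv4 header with no payload (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def classify(packet):
    """Return (direction, protocol_name, covered_by_rules) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    proto = packet[9]                             # protocol field, byte offset 9
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    direction = "outbound" if src == MONITORED else "inbound" if dst == MONITORED else None
    name = RULE_PROTOS.get(proto) or OTHER_NAMES.get(proto, f"proto-{proto}")
    return direction, name, direction is not None and proto in RULE_PROTOS

def uncovered(packets):
    """Count monitored-host packets that none of the tcp/udp/icmp rules would see."""
    missed = Counter()
    for pkt in packets:
        direction, name, covered = classify(pkt)
        if direction and not covered:
            missed[(direction, name)] += 1
    return missed

# Constructed sample traffic; peer addresses are from documentation ranges.
SAMPLE = [
    ipv4_header(MONITORED, "198.51.100.7", 17),      # UDP: covered by the outbound rule
    ipv4_header(MONITORED, "198.51.100.7", 50),      # ESP: no rule for this protocol
    ipv4_header("198.51.100.7", MONITORED, 50),      # ESP inbound: no rule either
    ipv4_header("198.51.100.7", MONITORED, 6),       # TCP: covered by the inbound rule
    ipv4_header("203.0.113.9", "198.51.100.7", 50),  # unrelated hosts, ignored
]

if __name__ == "__main__":
    for (direction, name), n in sorted(uncovered(SAMPLE).items()):
        print(f"{n} {direction} {name} packet(s) not covered by the rules")
```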





