[Snort-users] VPN traffic

Tom Whipp twhipp at ...63...
Thu Aug 3 04:33:46 EDT 2000


Just to chip in, what I think would be very useful is the ability to pass
parameters to included configuration files. I currently have an audit file
that I include when debugging hosts (basically six rules to log any traffic
inbound or outbound) but whenever I use it I have to edit the variable at
the top (and I'm not clear if I can include it multiple times without
changing the variable name).

What I would really like to do is something like:

include audit_host.rul xxx.xxx.xxx.xxx/32

I can also see this being very useful for monitoring multiple subnets
(particularly if you could pass multiple args).

Mind you I suspect this would be a lot of work and I haven't looked at the
config parsing code yet.

Any thoughts?

	Tom

PS:
If you do implement an any protocol, would that enable snort to log
protocols which it doesn't understand or would any be a synonym for
icmp|udp|tcp?

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bill Pennington
Sent: 02 August 2000 22:28
To: fyodor at ...123...
Cc: Bob Van Cleef; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] VPN traffic


I would vote for an any option. There are times when I want to watch
everything from or to a certain place.

Fyodor wrote:
>
> ~ :alert ICMP 192.86.6.10/32 any -> any any (msg: "NS10 Outbound Traffic"; )
> ~ :alert ICMP any any -> 192.86.6.10/32 any (msg: "NS10 Inbound Traffic"; )
> ~ :
> ~ :Two questions:
> ~ :
> ~ : - Is there a way to say "any" for the protocol?
> ~ :
>
> if there's a real need in that, it could be implemented (not really soon
> though, I've got around 4 snort-related tasks pending in my todo list:))
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com
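
Added example, not part of the original thread and not Snort code: one way to get the effect of the parameterised include requested at the top of this message is to generate the audit rules outside Snort and include the generated file. It assumes the six audit rules are tcp, udp and icmp in each direction, written in the form of the quoted NS10 rules; the function names and the label argument are hypothetical.

```python
import ipaddress
import re

PROTOCOLS = ("tcp", "udp", "icmp")  # the three protocols named in the thread


def audit_rules(target, label=None):
    """Return six Snort 'log' rules (3 protocols x 2 directions) for one target."""
    # strict=True rejects input such as 10.0.0.5/24 where host bits are set,
    # so a typo cannot silently widen or shift what gets logged.
    net = ipaddress.ip_network(target, strict=True)
    if net.version != 4:
        raise ValueError("this sketch only handles IPv4")
    label = label or str(net)
    # Keep the label from breaking out of the msg string in the rule file.
    if not re.fullmatch(r"[A-Za-z0-9 ._/-]+", label):
        raise ValueError(f"unsafe label: {label!r}")
    rules = []
    for proto in PROTOCOLS:
        rules.append(f'log {proto} {net} any -> any any (msg: "{label} Outbound Traffic";)')
        rules.append(f'log {proto} any any -> {net} any (msg: "{label} Inbound Traffic";)')
    return rules


def audit_file(targets):
    """Expand the rule template for every (target, label) pair, skipping duplicates."""
    seen, lines = set(), []
    for target, label in targets:
        net = ipaddress.ip_network(target, strict=True)
        if net in seen:
            continue  # same host or subnet listed twice: emit its rules once
        seen.add(net)
        rules = audit_rules(target, label)  # validates before anything is emitted
        lines.append(f"# audit rules for {label or net}")
        lines.extend(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the host from the quoted rules plus a
    # documentation subnet (192.0.2.0/24).
    print(audit_file([("192.86.6.10/32", "NS10"), ("192.0.2.0/24", None)]))
```

Because each target expands to literal addresses, no rule-file variable is involved and any number of hosts or subnets can be audited from one generated file.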
