[Snort-users] IP Question Part 2

Ian Macdonald secsnort at ...5528...
Thu Aug 8 07:17:05 EDT 2002


You might want to look into using a BPF filter and put in something like
"not net vpnrange/24" or "not host vpn_ip".

Ian

----- Original Message -----
From: "Jim Gifford" <maillist at ...6454...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, August 08, 2002 1:16 AM
Subject: [Snort-users] IP Question Part 2


> My original question was how can I prevent my company's VPN server showing
> up in snort?
>
> I have added the rule
> pass tcp (inet_ip) any <> (vpn_ip) any
>
> But I still get the following message from snort.
> " spp_stream4: TTL EVASION (reassemble) detection"
>
> Here is the packet in question
>
> Generated by ACID v0.9.6b21 on Wed August 07, 2002 22:09:12
>
> --------------------------------------------------------------------------
> #(1 - 63954) [2002-08-07 12:44:12]  spp_stream4: TTL EVASION (reassemble)
> detection
> IPv4: (inet_ip) -> (vpn_ip)
>       hlen=5 TOS=0 dlen=190 ID=43209 flags=0 offset=0 TTL=48 chksum=34589
> TCP:  port=500 -> dport: 80  flags=***AP*** seq=25559302
>       ack=83064 off=5 res=0 win=65535 urp=0 chksum=45736
> Payload:  length = 150
>
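
The BPF approach suggested in the reply, as an added example that is not part of the original thread: a shell helper that builds the "not host ..." / "not net ..." expression from a list of addresses, for Snort's -F option or the trailing filter argument. A BPF filter discards the packets before Snort's preprocessors see them, which is why it also silences the spp_stream4 alert that the pass rule (applied later, by the rule engine) did not; the filtered traffic is then invisible to Snort altogether. The addresses, file path and interface name below are assumptions.

```shell
#!/bin/sh
# Added example: build a BPF expression that excludes trusted VPN endpoints
# from what Snort captures. Sample addresses are constructed (RFC 5737 ranges).

# valid_ipv4 ADDR -> status 0 if ADDR is a dotted quad with octets 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# bpf_exclude ENTRY... -> prints "not (host A or net B/len ...)"
# Each ENTRY must be an IPv4 host or CIDR network. Anything else is rejected,
# so a typo cannot silently become a filter that hides more than intended.
bpf_exclude() {
    expr_body=
    for entry in "$@"; do
        case "$entry" in
            */*) addr=${entry%/*}; len=${entry#*/}
                 case "$len" in ''|*[!0-9]*) return 1 ;; esac
                 [ "$len" -le 32 ] || return 1
                 term="net $addr/$len" ;;
            *)   addr=$entry; term="host $addr" ;;
        esac
        valid_ipv4 "$addr" || return 1
        expr_body="${expr_body:+$expr_body or }$term"
    done
    [ -n "$expr_body" ] || return 1   # refuse to emit an empty filter
    printf 'not (%s)\n' "$expr_body"
}

# Usage sketch (file path and interface are assumptions):
#   bpf_exclude 192.0.2.10 198.51.100.0/24 > /etc/snort/vpn.bpf
#   snort -c /etc/snort/snort.conf -i eth0 -F /etc/snort/vpn.bpf
```

Keep the exclusion list as narrow as possible, since Snort generates no alerts of any kind for traffic the filter drops.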




