[Snort-users] Rules problem on dual nic vpn server...

Bryce Stenberg bryce at ...5010...
Sun Jun 23 22:55:05 EDT 2002


Hi All,

I have Snort 1.8.3-win32 (build 92) running on Windows NT4 servers.
It runs perfectly fine on a single nic server just running one rules file
(local.rules).
I've placed the same setup on our VPN server (Microsoft vpn/pptp setup).
There are two NICs - the external one is no good for scanning as everything
across it is already encrypted.
So I'm running snort looking at the internal NIC.
Its IP address is 192.168.0.6.
When vpn clients connect they get an IP address in the range of
192.168.0.235 thru 192.168.0.253

I set my $HOME_NET to be 192.168.0.235/27 (closest I can get to match above
range).
My $EXTERNAL_NET is set to 'any'.

But the rules that work on the first server don't work on this server when the
same data is sent across.  If I run snort just doing binary logging and then
view it, the packet headers that should trigger look like:

06/24-16:16:13.159069 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800 len:0xA8
192.168.0.239:4364 -> 192.168.0.1:139 TCP TTL:127 TOS:0x0 ID:21386 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x111CFA70  Ack: 0x376DF253  Win: 0x4094  TcpLen: 20

OR

06/24-16:16:10.548784 0:20:18:58:78:B4 -> 0:E0:29:58:71:98 type:0x800 len:0x1CE
192.168.0.1:139 -> 192.168.0.239:4364 TCP TTL:128 TOS:0x0 ID:5152 IpLen:20 DgmLen:448 DF
***AP*** Seq: 0x376DEE77  Ack: 0x111CF814  Win: 0x2530  TcpLen: 20

The rule I expected to be triggered looks like this (one line in the rules file):

alert tcp any any <> any any (msg:"Directory listing via tcp"; content:"Directory of "; nocase; flags: AP; classtype:attempted-admin; priority:10;)

Can anyone point me in the right direction please?  Do I have to do
something special to get this happening with VPN servers - especially since
the local NIC's IP doesn't match or appear to be used when looking at captured
packets?  I've tried all sorts of combinations and simplified the rule down
to 'any any' types.

Thanks for any help.

Regards,
  Bryce Stenberg.
     Harness Racing New Zealand computer department,
     emailto:bryce at ...5010...


CAUTION: This email message and accompanying data may contain information
that is confidential and subject to legal privilege. If you are not the
intended recipient you are notified that any use, dissemination,
distribution or copying of this message or data is prohibited. If you have
received this email message in error please notify us immediately and erase
all copies of the message and attachments.
 ALSO, unless expressly stated otherwise, the contents of this message
represent only the views of the sender as expressed only to the intended
recipient, do not commit Harness Racing New Zealand (HRNZ) to any course of
action and are not intended to impose any legal obligation upon HRNZ.
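Two things in the post are worth checking mechanically before touching the sensor: whether the HOME_NET CIDR actually covers the 192.168.0.235-253 client pool (a /27 is applied to the masked address, so it covers more than the pool), and whether the quoted packet headers would pass the rule's header and `flags: AP` tests at all. The script below is an added example written for this page, not code from the post or from the Snort project; it parses the two header dumps quoted above and evaluates the posted rule against a constructed payload, since the dumps in the post carry no payload bytes. The Snort `flags:` semantics it encodes (a bare `AP` means A and P set and no other bits) are those of the 1.x rule language.

```python
"""Sanity checks for the HOME_NET and rule described above (added example)."""
import ipaddress
import re

# Constructed input: the two packet-header dumps quoted in the post, joined the
# way snort's verbose output prints them.  No payload is shown in the post.
SAMPLE_LOG = """\
06/24-16:16:13.159069 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800 len:0xA8
192.168.0.239:4364 -> 192.168.0.1:139 TCP TTL:127 TOS:0x0 ID:21386 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x111CFA70  Ack: 0x376DF253  Win: 0x4094  TcpLen: 20

06/24-16:16:10.548784 0:20:18:58:78:B4 -> 0:E0:29:58:71:98 type:0x800 len:0x1CE
192.168.0.1:139 -> 192.168.0.239:4364 TCP TTL:128 TOS:0x0 ID:5152 IpLen:20 DgmLen:448 DF
***AP*** Seq: 0x376DEE77  Ack: 0x111CF814  Win: 0x2530  TcpLen: 20
"""

IP_LINE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) (?P<proto>[A-Z]+) "
)
# Snort prints the TCP flag byte as eight positions "12UAPRSF", '*' for unset.
FLAGS_LINE = re.compile(r"^(?P<flags>[*12UAPRSF]{8}) ")


def parse_packets(text):
    """Turn a snort -v style dump into one dict per packet."""
    packets, current = [], None
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            current = m.groupdict()
            current["sport"] = int(current["sport"])
            current["dport"] = int(current["dport"])
            current["flags"] = set()
            packets.append(current)
            continue
        m = FLAGS_LINE.match(line)
        if m and current is not None:
            current["flags"] = {c for c in m.group("flags") if c != "*"}
    return packets


def home_net_coverage(cidr, first, last):
    """What a HOME_NET CIDR really covers relative to a client pool.
    Returns (normalized network, pool fully covered?, addresses outside the pool)."""
    net = ipaddress.ip_network(cidr, strict=False)  # host bits are masked off
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    pool = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    covered = all(a in net for a in pool)
    extra = net.num_addresses - len(pool) if covered else None
    return str(net), covered, extra


def exact_pool_cidrs(first, last):
    """Minimal CIDR list matching the pool and nothing else (usable as a
    comma-separated [a,b,c] IP list in a Snort var)."""
    rng = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in rng]


def flags_match(pkt_flags, rule_flags):
    """'flags: AP' with no '+' or '*' modifier means exactly those bits: A and P
    set and nothing else.  A data segment with only ACK set does not satisfy it."""
    return set(pkt_flags) == set(rule_flags)


def rule_fires(pkt, payload, content=b"Directory of "):
    """The posted rule: alert tcp any any <> any any (content:"Directory of ";
    nocase; flags: AP;).  Bidirectional any/any passes every address and port,
    so only the protocol, flag and case-insensitive content tests decide."""
    if pkt["proto"] != "TCP":
        return False
    if not flags_match(pkt["flags"], "AP"):
        return False
    return content.lower() in payload.lower()


if __name__ == "__main__":
    print(home_net_coverage("192.168.0.235/27", "192.168.0.235", "192.168.0.253"))
    print(exact_pool_cidrs("192.168.0.235", "192.168.0.253"))
    # Constructed payload standing in for the SMB data the dump does not show.
    for p in parse_packets(SAMPLE_LOG):
        print(p["src"], "->", p["dst"], rule_fires(p, b"\x00 Directory of C:\\share\r\n"))
```

Running it shows that 192.168.0.235/27 is really 192.168.0.224/27: the pool is covered, but 13 other addresses (including the VPN server's own 192.168.0.6? no, .224-.234 and .254-.255) are swept in too, which matters as soon as a rule uses `$HOME_NET` rather than `any`. It also shows that both quoted headers pass the header and flag tests, so if the rule stays silent the difference between the two servers lies in the payload the sensor sees, not in the addresses.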
