AW: [Snort-users] Rules problem on dual nic vpn server...

Poppi, Sandro Sandro.Poppi at ...3316...
Sun Jun 23 23:18:02 EDT 2002

Hi Bryce,

try using HOME_NET since is no subnet but a
node address which could confuse the tcp/ip stack.

But remember: Then HOME_NET is holding - .254 which might not be
what you want. To get around that you will have to put in all the
addresses one by one like in

var HOME_NET [,]

which can result in performance loss so you should take a look at the snort
statistics about dropped packets (don't know how to get them on Windoze,

> Hi All,
> I have Snort 1.8.3-win32 (build 92) running on Windows NT4 servers.
> It runs perfectly fine on a single nic server just running one rules file
> (local.rules).
> I've placed the same setup on our VPN server (Microsoft vpn/pptp setup).
> There are two nic's - the external one is no good for scanning as everything
> across it is already encrypted.
> So I'm running snort looking at the internal nic.
> Its IP address
> When vpn clients connect they get an IP address in the range of
> thru
> I set my $HOME_NET to be (closest I can get to match above range).
> My $EXTERNAL_NET is set to 'any'.
> But the rules that work on first server don't work on this server when the
> same data is sent across.  If I run snort just doing binary logging and then
> view it, packet headers that should trigger look like:
> 06/24-16:16:13.159069 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800 len:0xA8
> -> TCP TTL:127 TOS:0x0 ID:21386 IpLen:20 DgmLen:154 DF
> ***AP*** Seq: 0x111CFA70  Ack: 0x376DF253  Win: 0x4094  TcpLen: 20
> OR
> 06/24-16:16:10.548784 0:20:18:58:78:B4 -> 0:E0:29:58:71:98 type:0x800 len:0x1CE
> -> TCP TTL:128 TOS:0x0 ID:5152 IpLen:20 DgmLen:448 DF
> ***AP*** Seq: 0x376DEE77  Ack: 0x111CF814  Win: 0x2530  TcpLen: 20
> The rule I expected to be triggered looks like this:
> alert tcp any any <> any any (msg:"Directory listing via tcp"; content:
> "Directory of "; nocase; flags: AP; classtype:attempted-admin; priority:10;)
> Can anyone point me in the right direction please.  Do I have to do
> something special to get this happening with vpn servers - especially since
> local nic's IP doesn't match or appear to be used when looking at captured
> packets?  I've tried all sorts of combinations and simplified the rule down
> to 'any any' types.
> Thanks for any help.
> Regards,
>   Bryce Stenberg.
>      Harness Racing New Zealand computer department,
>      emailto:bryce at ...5010...
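As an added example (not code from the thread or from Snort), a small Python script that parses packet-header dumps in the layout Bryce quotes and evaluates the header part of his rule: the Snort `flags:` semantics (a bare `AP` is an exact match, `AP+` means those bits plus any others, `*AP` means any of them), the bidirectional `<>` operator, and membership in a `$HOME_NET` given either as one host/CIDR or as the bracketed `[a,b]` list Sandro suggests. The dump lines and addresses are constructed (RFC 5737 documentation space, MACs taken from the quoted dump), since the real addresses are not in the archive.

```python
import ipaddress
import re

# Constructed packet-header dump in the Snort 1.8 layout quoted in the thread;
# addresses are RFC 5737 documentation space, not the poster's.
SAMPLE_DUMP = """\
06/24-16:16:13.159069 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800 len:0xA8
192.0.2.10:1043 -> 192.0.2.1:139 TCP TTL:127 TOS:0x0 ID:21386 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x111CFA70  Ack: 0x376DF253  Win: 0x4094  TcpLen: 20
06/24-16:16:14.100000 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800 len:0x3C
192.0.2.10:1043 -> 192.0.2.1:139 TCP TTL:127 TOS:0x0 ID:21387 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x111CFB0A  Ack: 0x376DF253  Win: 0x4094  TcpLen: 20
"""
# Snort prints the TCP bits in 12UAPRSF order; '*' marks a clear bit.
PKT_RE = re.compile(r"^(\S+):\d+ -> (\S+):\d+ TCP .*\n([12UAPRSF*]{8}) ", re.M)

def parse_dump(text):
    """One dict per TCP packet in a header dump: addresses and the set flag letters."""
    return [{"src": m.group(1), "dst": m.group(2), "proto": "TCP",
             "flags": set(m.group(3)) - {"*"}}
            for m in PKT_RE.finditer(text)]

def flags_match(pkt_flags, rule_flags):
    """Snort 'flags:': 'AP' = exactly A,P; 'AP+' = A,P plus any; '*AP' = any of A,P."""
    if rule_flags.endswith("+"):
        return set(rule_flags[:-1]) <= pkt_flags
    if rule_flags.startswith("*"):
        return bool(set(rule_flags[1:]) & pkt_flags)
    return pkt_flags == set(rule_flags)

def in_var(addr, var):
    """Membership in a Snort address var: 'any', one host/CIDR, or a [a,b,c] list."""
    if var == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(i.strip(), strict=False)
               for i in var.strip("[]").split(","))

def header_matches(pkt, proto, src_var, dst_var, flags=None):
    """Header part of 'alert <proto> $SRC any <> $DST any (flags:...)', bidirectional."""
    if pkt["proto"] != proto.upper():
        return False
    fwd = in_var(pkt["src"], src_var) and in_var(pkt["dst"], dst_var)
    rev = in_var(pkt["src"], dst_var) and in_var(pkt["dst"], src_var)
    return (fwd or rev) and (flags is None or flags_match(pkt["flags"], flags))
```

The second constructed packet carries only ACK, so it fails the exact `flags: AP` test while still passing `*AP`; that distinction is the first thing to check when a header-level rule stays silent.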
