Re: [Snort-users] Rules problem on dual nic vpn server...

Poppi, Sandro Sandro.Poppi at ...3316...
Sun Jun 23 23:18:02 EDT 2002


Hi Bryce,

try using HOME_NET 192.168.0.224/27, since 192.168.0.235 is not a subnet but a
node address, which could confuse the TCP/IP stack.

But remember: then HOME_NET holds 192.168.0.225 - .254, which might not be
what you want. To get around that you will have to put in all the
addresses one by one, as in

var HOME_NET [192.168.0.235/32,192.168.0.236/32]

which can result in a performance loss, so you should take a look at the Snort
statistics on dropped packets (I don't know how to get them on Windoze,
sorry).

HTH,
Sandro
> 
> Hi All,
> 
> I have Snort 1.8.3-win32 (build 92) running on Windows NT4 servers.
> It runs perfectly fine on a single-NIC server just running one rules file
> (local.rules).
> I've placed the same setup on our VPN server (Microsoft vpn/pptp setup).
> There are two NICs - the external one is no good for scanning as everything
> across it is already encrypted.
> So I'm running snort looking at the internal NIC.
> Its IP address is 192.168.0.6.
> When VPN clients connect they get an IP address in the range of
> 192.168.0.235 thru 192.168.0.253.
> 
> I set my $HOME_NET to be 192.168.0.235/27 (closest I can get to match the
> above range).
> My $EXTERNAL_NET is set to 'any'.
> 
> But the rules that work on the first server don't work on this server when
> the same data is sent across.  If I run snort just doing binary logging and
> then view it, packet headers that should trigger look like:
> 
> 06/24-16:16:13.159069 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800 len:0xA8
> 192.168.0.239:4364 -> 192.168.0.1:139 TCP TTL:127 TOS:0x0 ID:21386 IpLen:20 DgmLen:154 DF
> ***AP*** Seq: 0x111CFA70  Ack: 0x376DF253  Win: 0x4094  TcpLen: 20
> 
> OR
> 
> 06/24-16:16:10.548784 0:20:18:58:78:B4 -> 0:E0:29:58:71:98 type:0x800 len:0x1CE
> 192.168.0.1:139 -> 192.168.0.239:4364 TCP TTL:128 TOS:0x0 ID:5152 IpLen:20 DgmLen:448 DF
> ***AP*** Seq: 0x376DEE77  Ack: 0x111CF814  Win: 0x2530  TcpLen: 20
> 
> The rule I expected to be triggered looks like this:
> alert tcp any any <> any any (msg:"Directory listing via tcp"; content: "Directory of "; nocase; flags: AP; classtype:attempted-admin; priority:10;)
> 
> Can anyone point me in the right direction please.  Do I have to do
> something special to get this happening with VPN servers - especially since
> the local NIC's IP doesn't match or appear to be used when looking at
> captured packets?  I've tried all sorts of combinations and simplified the
> rule down to 'any any' types.
> 
> Thanks for any help.
> 
> Regards,
>   Bryce Stenberg.
>      Harness Racing New Zealand computer department,
>      emailto:bryce at ...5010...
> 
> 
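A worked check of the HOME_NET point raised in the reply above, added here as an example and not code from either poster. It uses Python's standard ipaddress module to interpret a Snort-style HOME_NET value the conventional CIDR way (a host address written with a prefix is taken as the block that contains it), and then computes the smallest set of blocks that covers exactly the .235 through .253 client pool from the original post. Whether Snort 1.8.3 on NT4 parses an unaligned address in exactly this way is an assumption, not something the thread establishes; the bracketed list syntax is the one shown in the reply.

```python
"""Work out which hosts a Snort-style HOME_NET value actually covers.

Added example, not from the original thread. The CIDR normalisation
(strict=False) is the standard interpretation; assuming Snort 1.8.3
behaves the same way for an unaligned address is an assumption.
"""
import ipaddress


def parse_home_net(spec):
    """Parse a 'var HOME_NET' value into a list of IPv4 networks.

    Accepts a single CIDR ('192.168.0.224/27'), a bare host
    ('192.168.0.6'), or a bracketed comma-separated list
    ('[192.168.0.235/32,192.168.0.236/32]').
    """
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False: '192.168.0.235/27' becomes the block
        # 192.168.0.224/27 instead of raising because host bits are set.
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def normalized(spec):
    """Canonical CIDR strings the HOME_NET value expands to."""
    return [str(n) for n in parse_home_net(spec)]


def host_range(spec):
    """Lowest and highest address covered by any block, as strings."""
    nets = parse_home_net(spec)
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    return str(low), str(high)


def in_home_net(spec, ip):
    """True if ip falls inside any block of the HOME_NET value."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in parse_home_net(spec))


def exact_blocks(first, last):
    """Smallest list of CIDR blocks covering exactly first..last.

    Needed when the client pool is not aligned to one prefix, as with
    a pool of .235 through .253.
    """
    return [
        str(n)
        for n in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    ]


def snort_var(name, blocks):
    """Render blocks in the bracketed list syntax used for Snort vars."""
    return "var %s [%s]" % (name, ",".join(blocks))


if __name__ == "__main__":
    # Constructed inputs, using the addresses quoted in the thread.
    for spec in ("192.168.0.235/27", "192.168.0.224/27",
                 "[192.168.0.235/32,192.168.0.236/32]"):
        print(spec, "->", normalized(spec), host_range(spec),
              "covers .239:", in_home_net(spec, "192.168.0.239"))
    print(snort_var("HOME_NET", exact_blocks("192.168.0.235", "192.168.0.253")))
```

Running it shows that 192.168.0.235/27 and 192.168.0.224/27 name the same block (.224 through .255), that the two-host list leaves the .239 client out, and that covering .235 through .253 exactly takes five blocks rather than one.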