AW: [Snort-users] Rules problem on dual nic vpn server...
Sandro.Poppi at ...3316...
Sun Jun 23 23:18:02 EDT 2002
Try using HOME_NET 192.168.0.224/27, since 192.168.0.235 is not a subnet but a
node address, which could confuse the TCP/IP stack.
But remember: then HOME_NET holds 192.168.0.225 - .254, which might not be
what you want. To get around that you will have to put in all the
addresses one by one, like in
var HOME_NET [192.168.0.235/32,192.168.0.236/32]
which can result in performance loss, so you should take a look at the snort
statistics about dropped packets (don't know how to get them on Windoze,
> Hi All,
> I have Snort 1.8.3-win32 (build 92) running on Windows NT4 servers.
> It runs perfectly fine on a single NIC server just running one rules file.
> I've placed the same setup on our VPN server (Microsoft vpn/pptp setup).
> There are two NICs - the external one is no good for scanning as everything
> across it is already encrypted.
> So I'm running snort looking at the internal NIC. Its IP address is 192.168.0.6.
> When vpn clients connect they get an IP address in the range of
> 192.168.0.235 thru 192.168.0.253.
> I set my $HOME_NET to be 192.168.0.235/27 (closest I can get to match above).
> My $EXTERNAL_NET is set to 'any'.
> But the rules that work on the first server don't work on this server when the
> same data is sent across. If I run snort just doing binary logging and then
> view it, the packet headers that should trigger look like:
> 06/24-16:16:13.159069 0:E0:29:58:71:98 -> 0:20:18:58:78:B4 type:0x800
> 192.168.0.239:4364 -> 192.168.0.1:139 TCP TTL:127 TOS:0x0 ID:21386 IpLen:20 DgmLen:154 DF
> ***AP*** Seq: 0x111CFA70 Ack: 0x376DF253 Win: 0x4094 TcpLen: 20
> 06/24-16:16:10.548784 0:20:18:58:78:B4 -> 0:E0:29:58:71:98 type:0x800
> 192.168.0.1:139 -> 192.168.0.239:4364 TCP TTL:128 TOS:0x0 ID:5152 IpLen:20 DgmLen:448 DF
> ***AP*** Seq: 0x376DEE77 Ack: 0x111CF814 Win: 0x2530 TcpLen: 20
> The rule I expected to be triggered looks like this:
> alert tcp any any <> any any (msg:"Directory listing via tcp"; content:"Directory of "; nocase; flags: AP; classtype:attempted-admin; priority:10;)
> Can anyone point me in the right direction please. Do I have to do
> something special to get this happening with vpn servers - especially since
> the local NIC's IP doesn't match or appear to be used when looking at captured
> packets? I've tried all sorts of combinations and simplified the rule down
> to 'any any' types.
> Thanks for any help.
> Bryce Stenberg.
> Harness Racing New Zealand computer department,
> emailto:bryce at ...5010...
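The reply's point about HOME_NET is worth checking mechanically before touching snort.conf: a host address with a /27 mask normalises to the /27 network (192.168.0.224/27), which covers more than the VPN pool, and the alternative is an explicit list of /32 entries. The script below is an added example written for this archive page, not code from either poster; it uses Python's standard `ipaddress` module to show what a given HOME_NET value really covers, checks the addresses from the captured packets against it, and generates the per-host list the reply suggests. The rule-header check assumes `$EXTERNAL_NET any`, as stated in the original post.

```python
import ipaddress


def home_net_from_cidr(cidr):
    """Normalise a HOME_NET CIDR the way a netmask is applied.

    strict=False accepts a host address such as 192.168.0.235/27 and
    returns the network it actually denotes (192.168.0.224/27).
    """
    return ipaddress.ip_network(cidr, strict=False)


def covered(cidr, hosts):
    """Map each host address to True/False depending on HOME_NET coverage."""
    net = home_net_from_cidr(cidr)
    return {h: ipaddress.ip_address(h) in net for h in hosts}


def per_host_list(first, last):
    """Explicit /32 entries for an inclusive address range (the reply's workaround)."""
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    return [f"{ipaddress.ip_address(i)}/32" for i in range(start, end + 1)]


def home_net_var(first, last):
    """Render the snort.conf line: var HOME_NET [a/32,b/32,...]"""
    return "var HOME_NET [" + ",".join(per_host_list(first, last)) + "]"


def rule_header_matches(home_net_cidr, src, dst):
    """Header match for 'tcp $HOME_NET any <> $EXTERNAL_NET any'.

    With EXTERNAL_NET set to 'any' and a bidirectional (<>) header, the
    packet matches as soon as either endpoint falls inside HOME_NET.
    """
    net = home_net_from_cidr(home_net_cidr)
    return ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net


if __name__ == "__main__":
    # Addresses taken from the thread: the internal NIC, the SMB server seen
    # in the capture, one VPN client, and the top of the /27 the reply warns about.
    sample_hosts = ["192.168.0.6", "192.168.0.1", "192.168.0.239", "192.168.0.254"]
    print("192.168.0.235/27 really means", home_net_from_cidr("192.168.0.235/27"))
    for host, ok in covered("192.168.0.235/27", sample_hosts).items():
        print(f"  {host:<16} in HOME_NET: {ok}")
    print(home_net_var("192.168.0.235", "192.168.0.253"))
    print("captured flow matches $HOME_NET <> any:",
          rule_header_matches("192.168.0.235/27", "192.168.0.239", "192.168.0.1"))
```

Running it shows the /27 silently absorbing 192.168.0.225-.254 (including addresses outside the VPN pool), while the generated /32 list is exactly the 19 client addresses; either setting covers the 192.168.0.239 endpoint from the capture, so the original post's rule header is not the part that would exclude those packets.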