[Snort-users] VPN and UDP alerts
neil at ...1633...
Fri Apr 25 14:12:11 EDT 2003
"Allan Dover" <allan at ...8977...> wrote:
>Thanks for the advice, I will try it. This may seem like a stupid question,
>should I be concerned that I am putting an internet address in my local file
>var VPN-NET1 126.96.36.199 ( Made it up )
According to my reading of the manual that shouldn't cause a problem, though
my habit is to define all my variables in a central place -- snort.conf. Just
be sure the "var" statement is read before your "pass" rule. If $VPN-NET1 only
contains one IP, I wouldn't use a variable. I'd just put the IP in its place
in the rule and reduce the overhead.
>pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
... I'm not sure what you're doing here. Is 192.168.1.61 part of your HOME_NET,
or is it external to it? If you're entering more than one address on the right-hand
side, then it's necessary to use square brackets, comma delimiters, and no
Also, there needs to be a port designation after the addresses on the RHS, so
the whole rule would look like this:
pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any
The port designation can be a single port number (e.g. 500), as it is on the
LHS, a range of ports (e.g. 500:1000, 500:, :1000), or the word "any" to
signify that all ports match.
>This will only not log on internal address going to specific destination, so
>if somebody were to create a scan tool or some other nasty device, I would
>get flagged again on different IPs.
The pass rule we have written here will not affect detection of TCP traffic
between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61. UDP
traffic which did not originate from any of these IPs would still be alerted,
as would any UDP traffic originating from $VPN-NET1 on some port other than
The rule, as now written, will pass without alerting all UDP traffic
originating on $VPN-NET1, port 500, and bound for any port on any machine in
$HOME_NET or 192.168.1.61. It will also pass all UDP traffic originating on
$HOME_NET and 192.168.1.61, from any port, and bound for port 500 on $VPN-NET1.
Everything else still gets alerted.
>This makes sense to me, looks logical?
If what I've just described is what you want to do, it should work fine.
Let me know how it turns out.
Neil Dickey, Ph.D.
Northern Illinois University
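The matching behaviour Neil describes for the bidirectional pass rule (port-500 traffic from $VPN-NET1 passed in both directions, everything else still alerted) can be checked with a small rule-header evaluator. This is an added example, not code from the thread or from Snort itself; it handles only the header syntax the thread uses ($VAR, dotted/CIDR addresses, [a,b] lists, single ports, N:M/N:/:M ranges, "any", -> and <>), and the variable values for VPN-NET1 and HOME_NET are constructed.

```python
import ipaddress

# Constructed bindings standing in for the "var" lines in snort.conf.
# HOME_NET is chosen so that 192.168.1.61 is NOT inside it, which is why the
# thread's rule lists that host explicitly in the bracketed address list.
VARS = {"VPN-NET1": "126.96.36.199", "HOME_NET": "10.0.0.0/8"}

def parse_ports(spec):
    """'any' -> (0, 65535); 'N' -> (N, N); 'N:M', 'N:' and ':M' -> open ranges."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))

def parse_addrs(spec):
    """Expand an address field into ip_network objects; $VAR is looked up in VARS."""
    nets = []
    for item in spec.strip("[]").split(","):   # no spaces allowed inside the brackets
        item = item.strip()
        if item.startswith("$"):
            nets.extend(parse_addrs(VARS[item[1:]]))   # a variable may itself be a list
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def parse_rule(text):
    """Split a rule header: action proto src sport direction dst dport."""
    action, proto, src, sport, direction, dst, dport = text.split()
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addrs(src), "sport": parse_ports(sport),
            "dst": parse_addrs(dst), "dport": parse_ports(dport)}

def _side_matches(nets, prange, ip, port):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets) and prange[0] <= port <= prange[1]

def rule_matches(rule, proto, src_ip, sport, dst_ip, dport):
    """True if the packet's 5-tuple is covered by the header ('<>' is tried both ways)."""
    if rule["proto"] != proto:
        return False
    fwd = (_side_matches(rule["src"], rule["sport"], src_ip, sport)
           and _side_matches(rule["dst"], rule["dport"], dst_ip, dport))
    if rule["dir"] == "->":
        return fwd
    rev = (_side_matches(rule["src"], rule["sport"], dst_ip, dport)
           and _side_matches(rule["dst"], rule["dport"], src_ip, sport))
    return fwd or rev

# The rule exactly as written in the thread.
RULE = parse_rule("pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any")
```

A packet for which rule_matches returns True would be passed silently; anything returning False falls through to the normal alert rules.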