[Snort-users] VPN and UDP alerts

Neil Dickey neil at ...1633...
Fri Apr 25 14:12:11 EDT 2003


"Allan Dover" <allan at ...8977...> wrote:

>Thanks for the advice, I will try it.  This may seem like a stupid question,
>should I be concerned that I am putting an internet address in my local file
>
>Example:
>
>var VPN-NET1 64.42.55.212  ( Made it up )

According to my reading of the manual that shouldn't cause a problem, though
my habit is to define all my variables in a central place -- snort.conf.  Just
be sure the "var" statement is read before your "pass" rule.  If $VPN-NET1 only
contains one IP, I wouldn't use a variable.  I'd just put the IP in its place
in the rule and reduce the overhead.

Now, ...

>pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
                                     ^^^^^^^^^^^^
... I'm not sure what you're doing here.  Is 192.168.1.61 part of your HOME_NET,
or is it external to it?  If you're entering more than one address on the
right-hand side, then it's necessary to use square brackets, comma delimiters,
and no spaces, as:

  [$HOME_NET,192.168.1.61]

Also, there needs to be a port designation after the addresses on the RHS, so
the whole rule would look like this:

  pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any

The port designation can be a single port number ( e.g. 500 ), as it is on the
LHS, a range of ports ( e.g. 500:1000 , 500: , :1000 ), or the word "any" to
signify that all ports match.

>This will only not log on internal address going to specific destination, so
>if somebody were to create a scan tool or some other nasty device, I would
>get flagged again on different IPs.

The pass rule we have written here will not affect detection of TCP traffic
between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61.  UDP
traffic which did not originate from any of these IPs would still be alerted,
as would any UDP traffic originating from $VPN-NET1 on some port other than
500.

The rule, as now written, will pass without alerting all UDP traffic
originating on $VPN-NET1, port 500, and bound for any port on any machine in
$HOME_NET or 192.168.1.61.  It will also pass all UDP traffic originating on
$HOME_NET and 192.168.1.61, from any port, and bound for port 500 on $VPN-NET1.
Everything else still gets alerted.

>This makes sense to me, looks logical?

If what I've just described is what you want to do, it should work fine.

Let me know how it turns out.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
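The following is an added example, not part of the original thread and not Snort's own parser: a small Python evaluator for the header portion of a Snort 2 rule, enough to check which UDP flows the pass rule discussed above would silence and which would still be alerted. It implements the pieces Neil describes: $VAR substitution, bracket address lists with no spaces, single ports, the three range forms (500:1000, 500:, :1000), "any", and the bidirectional "<>" operator. The values of HOME_NET and VPN-NET1 are made-up assumptions; negated addresses ("!"), nested bracket lists and rule options in parentheses are deliberately not handled.

```python
# Added example, not from the original thread: a minimal evaluator for the
# header of a Snort 2 rule, used to check which flows a pass rule silences.
import ipaddress
import re

# Variables as they would appear in snort.conf (constructed example values;
# HOME_NET is chosen so that 192.168.1.61 lies outside it, as in the thread).
VARS = {
    "HOME_NET": "192.168.0.0/24",
    "VPN-NET1": "64.42.55.212",
}

# The rule as corrected in the thread: bracket list, no spaces, port on the RHS.
RULE = "pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any"


def expand_vars(token, variables=VARS):
    """Replace every $NAME in token with its value from the variable table."""
    return re.sub(r"\$([A-Za-z0-9_\-]+)", lambda m: variables[m.group(1)], token)


def parse_addrs(token):
    """Turn 'any', one host/CIDR, or '[a,b,c]' into a list of networks.

    Returns None for 'any', meaning every address matches.  A bracket list
    must contain no spaces; otherwise the rule would not split into seven
    header tokens, which is exactly the mistake the thread warns about.
    """
    token = expand_vars(token)
    if token == "any":
        return None
    if token.startswith("[") and token.endswith("]"):
        token = token[1:-1]
    return [ipaddress.ip_network(a, strict=False) for a in token.split(",")]


def parse_ports(token):
    """Turn 'any', '500', '500:1000', '500:' or ':1000' into an inclusive (lo, hi)."""
    if token == "any":
        return (0, 65535)
    if ":" in token:
        lo, hi = token.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(token), int(token))


def addr_matches(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def port_matches(rng, port):
    return rng[0] <= port <= rng[1]


def parse_rule(rule):
    """Split a header-only rule into its seven fields and parse each one."""
    action, proto, src, sport, direction, dst, dport = rule.split()
    return {
        "action": action, "proto": proto,
        "src": parse_addrs(src), "sport": parse_ports(sport),
        "dir": direction,
        "dst": parse_addrs(dst), "dport": parse_ports(dport),
    }


def rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the flow matches the rule header in the direction(s) it allows."""
    r = parse_rule(rule) if isinstance(rule, str) else rule
    if r["proto"] != proto:
        return False
    forward = (addr_matches(r["src"], src_ip) and port_matches(r["sport"], src_port)
               and addr_matches(r["dst"], dst_ip) and port_matches(r["dport"], dst_port))
    if r["dir"] == "->":
        return forward
    # "<>" also matches the same flow with source and destination swapped.
    reverse = (addr_matches(r["src"], dst_ip) and port_matches(r["sport"], dst_port)
               and addr_matches(r["dst"], src_ip) and port_matches(r["dport"], src_port))
    return forward or reverse


if __name__ == "__main__":
    # Constructed flows illustrating the cases described in the thread.
    flows = [
        ("udp", "64.42.55.212", 500, "192.168.1.61", 4500),   # passed
        ("udp", "192.168.1.61", 1234, "64.42.55.212", 500),   # passed (reverse)
        ("udp", "64.42.55.212", 4500, "192.168.1.61", 500),   # VPN side not port 500
        ("udp", "10.0.0.5", 500, "192.168.1.61", 500),        # not from VPN-NET1
        ("tcp", "64.42.55.212", 500, "192.168.1.61", 500),    # TCP is unaffected
    ]
    for f in flows:
        print(f, "-> passed" if rule_matches(RULE, *f) else "-> still alerted")
```

The last three flows in the list are the ones Neil says still get alerted: UDP from $VPN-NET1 on a port other than 500, UDP from an address outside all three sets, and any TCP at all.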
