[Snort-users] VPN and UDP alerts

Allan Dover allan at ...8977...
Mon Apr 28 07:48:29 EDT 2003


Thanks for the advice, I will try it.  This may seem like a stupid question:
should I be concerned that I am putting an internet address in my local file?

Example:

var VPN-NET1 64.42.55.212  ( Made it up )

pass udp $VPN-NET1 500 <> 192.168.1.61 any

This will only not log on an internal address going to a specific destination, so
if somebody were to create a scan tool or some other nasty device, I would
get flagged again on different IPs.

This makes sense to me; does it look logical?


Allan Dover
Systems Administrator
<mailto:allan at ...8977...>
<http://www.iiwishiv.com>



----- Original Message -----
From: "Slighter, Tim" <tslighter at ...5174...>
To: "'Neil Dickey'" <neil at ...1633...>; <allan at ...8825...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, April 25, 2003 2:25 PM
Subject: RE: [Snort-users] VPN and UDP alerts


> if ya do this...don't forget to declare a value for $VPN-NET in snort.conf
>
> var VPN-NET x.x.x.x
>
> -----Original Message-----
> From: Neil Dickey [mailto:neil at ...1633...]
> Sent: Friday, April 25, 2003 11:51 AM
> To: allan at ...8825...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] VPN and UDP alerts
>
>
>
> "Allan Dover" <allan at ...8825...> wrote asking:
>
> >Is there a way to not alert or log UDP:500 as source ?  Would I make a rule
> >to do this ?  I haven't ventured into rule making as of yet.
>
> A "pass" rule in 'local.rules' would probably do the trick.  Something
> like ...
>
>   pass udp $VPN-NET 500 <> $HOME_NET any
>
> ... would probably do it.  Then restart Snort, and make sure you're
> using the '-o' rule on the command line.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
>
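
The scope question raised in this thread, as an added example (not code from any poster and not Snort's own matching code): a simplified Python model of how a pass rule header selects packets, comparing the HOME_NET-wide form with one narrowed to a single internal host. The HOME_NET value, the packet names and the packets are constructed, and the model looks only at the rule header, not at rule options.

```python
import ipaddress

# Assumed values: the made-up peer from the message and a constructed HOME_NET.
VARS = {"VPN-NET1": "64.42.55.212", "HOME_NET": "192.168.1.0/24"}

def parse_header(rule, variables=VARS):
    """Split 'pass udp SRC SPORT <> DST DPORT' into typed fields."""
    action, proto, src, sport, direction, dst, dport = rule.split()[:7]
    if direction not in ("->", "<>"):
        raise ValueError("bad direction operator: " + direction)

    def net(tok):
        if tok.startswith("$"):
            tok = variables[tok[1:]]  # KeyError: variable never declared
        return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

    def port(tok):
        return None if tok == "any" else int(tok)  # ValueError: not a port

    return action, proto, net(src), port(sport), direction, net(dst), port(dport)

def side_ok(net, port, ip, p):
    return (net is None or ipaddress.ip_address(ip) in net) and port in (None, p)

def matches(rule, proto, sip, sport, dip, dport):
    """True if the packet matches the header; '<>' also tries the reverse."""
    _, rproto, snet, sp, direction, dnet, dp = parse_header(rule)
    if rproto != proto:
        return False
    fwd = side_ok(snet, sp, sip, sport) and side_ok(dnet, dp, dip, dport)
    rev = side_ok(snet, sp, dip, dport) and side_ok(dnet, dp, sip, sport)
    return fwd or (direction == "<>" and rev)

BROAD = "pass udp $VPN-NET1 500 <> $HOME_NET any"      # whole HOME_NET
NARROW = "pass udp $VPN-NET1 500 <> 192.168.1.61 any"  # one internal host

# Constructed packets: (proto, src ip, src port, dst ip, dst port)
PACKETS = {
    "ike_peer_to_61": ("udp", "64.42.55.212", 500, "192.168.1.61", 500),
    "ike_61_to_peer": ("udp", "192.168.1.61", 500, "64.42.55.212", 500),
    "ike_peer_to_other_host": ("udp", "64.42.55.212", 500, "192.168.1.20", 500),
    "udp500_from_other_ip": ("udp", "203.0.113.9", 500, "192.168.1.61", 500),
    "peer_other_port": ("udp", "64.42.55.212", 4500, "192.168.1.61", 53),
}

def passed(rule):
    """Names of the sample packets the pass rule would exempt from alerting."""
    return sorted(n for n, pkt in PACKETS.items() if matches(rule, *pkt))
```

Calling passed(NARROW) returns only the two IKE packets between the peer and 192.168.1.61, while passed(BROAD) also exempts the peer's port-500 traffic to any other HOME_NET host. UDP 500 from a different source address matches neither rule, so it still reaches the alert rules.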




