[Snort-users] VPN and UDP alerts

Allan Dover allan at ...8825...
Tue Apr 29 07:06:02 EDT 2003

Hey Neil,

I am still getting alerts from that VPN server on the internet.  When I
emailed yesterday, the user had left right when I applied the rule.  This
morning it's back.
This is what I have done:

In snort.conf, where the DNS and mail variables are defined, I added:
# External VPN Server

In local.rules I did the following:

pass udp $VPN_NET 500 <> any

I also modified my startup script with the -o option.

Any ideas?

Allan Dover
Systems Administrator
<mailto:allan at ...8977...>


----- Original Message -----
From: "Neil Dickey" <neil at ...1633...>
To: <allan at ...8977...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, April 25, 2003 5:11 PM
Subject: Re: [Snort-users] VPN and UDP alerts

> "Allan Dover" <allan at ...8977...> wrote:
> >Thanks for the advice, I will try it.  This may seem like a stupid
> >should I be concerned that I am putting an internet address in my local
> >
> >Example:
> >
> >var VPN-NET1  ( Made it up )
> According to my reading of the manual that shouldn't cause a problem,
> my habit is to define all my variables in a central place -- snort.conf.
> be sure the "var" statement is read before your "pass" rule.  If $VPN-NET1
> contains one IP, I wouldn't use a variable.  I'd just put the IP in its
> in the rule and reduce the overhead.
> Now, ...
> >pass udp $VPN-NET1 500 <> $HOME_NET
>                                      ^^^^^^^^^^^^
> ... I'm not sure what you're doing here.  Is part of your
> or is it external to it?  If you're entering more than one address on the
> hand-side, then it's necessary to use square brackets, comma delimiters,
> and no spaces, as:
>   [$HOME_NET,]
> Also, there needs to be a port designation after the addresses on the RHS,
> the whole rule would look like this:
>   pass udp $VPN-NET1 500 <> [$HOME_NET,] any
> The port designation can be a single port number ( e.g. 500 ), as it is on
> LHS, a range of ports ( e.g. 500:1000 , 500: , :1000 ), or the word "any"
> signify that all ports match.
> >This will only not log on internal address going to specific destination,
> >if somebody were to create a scan tool or some other nasty device, I
> >get flagged again on different IPs.
> The pass rule we have written here will not affect detection of TCP
> between any of the addresses in $VPN-NET1, $HOME_NET, and .
> traffic which did not originate from any of these IPs would still be
> as would any UDP traffic originating from $VPN-NET1 on some port other
> 500.
> The rule, as now written, will pass without alerting all UDP traffic
> originating on $VPN-NET1, port 500, and bound for any port on any machine
> $HOME_NET or .  It will also pass all UDP traffic originating
> $HOME_NET and, from any port, and bound for port 500 on
> Everything else still gets alerted.
> >This makes sense to me, look logical?
> If what I've just described is what you want to do, it should work fine.
> Let me know how it turns out.
> Best regards,
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
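As an added illustration, not code from the thread or from the Snort project: a small Python model of how a Snort 2.x rule header is matched and how the action order decides what wins, following Neil's description of bracketed address lists, the port forms (500, 500:1000, 500:, :1000, any) and the "<>" direction. The $VPN_NET and $HOME_NET values are constructed stand-ins, and the alert rule is a made-up stand-in for whatever rule is firing; the point it shows is that the pass rule only takes effect when -o puts Pass ahead of Alert, and that UDP from the VPN server on any port other than 500 still alerts.

```python
import ipaddress

def parse_ports(spec):
    """Port field: 'any', a single port, or a range '500:1000', '500:', ':1000'."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))

def parse_addrs(spec, variables):
    """Address field: 'any', one IP/CIDR, a $VAR, or a bracketed comma list (no spaces)."""
    nets = []
    for item in spec.strip("[]").split(","):
        if item == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item.startswith("$"):
            nets.extend(parse_addrs(variables[item[1:]], variables))
        elif item:  # an empty item (trailing comma) is simply skipped
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def parse_rule(rule, variables):
    # Header only (no options): action proto src sport direction dst dport
    action, proto, src, sport, direction, dst, dport = rule.split()
    return {"action": action, "proto": proto, "bidir": direction == "<>",
            "src": (parse_addrs(src, variables), parse_ports(sport)),
            "dst": (parse_addrs(dst, variables), parse_ports(dport))}

def rule_matches(r, proto, sip, sport, dip, dport):
    def side(which, ip, port):
        nets, (lo, hi) = r[which]
        return lo <= port <= hi and any(ipaddress.ip_address(ip) in n for n in nets)
    # '<>' also matches the packet with source and destination swapped
    return r["proto"] == proto and ((side("src", sip, sport) and side("dst", dip, dport))
        or (r["bidir"] and side("src", dip, dport) and side("dst", sip, sport)))

def verdict(rules, pkt, pass_first):
    # Default order is Alert->Pass->Log; 'snort -o' changes it to Pass->Alert->Log
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    for action in order:
        for r in rules:
            if r["action"] == action and rule_matches(r, *pkt):
                return action
    return "none"

VARS = {"VPN_NET": "198.51.100.0/24", "HOME_NET": "192.168.1.0/24"}  # constructed stand-ins
RULES = [parse_rule("pass udp $VPN_NET 500 <> $HOME_NET any", VARS),  # the thread's pass rule
         parse_rule("alert udp any any -> $HOME_NET any", VARS)]      # stand-in for the noisy alert
```

Call verdict(RULES, ("udp", "198.51.100.5", 500, "192.168.1.10", 4500), pass_first=True) to see the ISAKMP traffic passed, and with pass_first=False to see the same packet alert because Alert is evaluated first.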
