[Snort-users] VPN and UDP alerts
allan at ...8825...
Tue Apr 29 07:06:02 EDT 2003
I am still getting alerts from that VPN server on the internet. When I
emailed yesterday, the user had left, right when I applied the rule. This
morning it's back.
This is what I have done:
In snort.conf, where the DNS and mail variables are defined, I added:
# External VPN Server
var VPN_NET 126.96.36.199
In local.rules I did the following:
pass udp $VPN_NET 500 <> 192.168.1.61 any
I also modified my startup script with the -o option.
Any ideas?
----- Original Message -----
From: "Neil Dickey" <neil at ...1633...>
To: <allan at ...8977...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, April 25, 2003 5:11 PM
Subject: Re: [Snort-users] VPN and UDP alerts
> "Allan Dover" <allan at ...8977...> wrote:
> >Thanks for the advice, I will try it. This may seem like a stupid
> >should I be concerned that I am putting an internet address in my local
> >var VPN-NET1 188.8.131.52 ( Made it up )
> According to my reading of the manual that shouldn't cause a problem,
> my habit is to define all my variables in a central place -- snort.conf.
> be sure the "var" statement is read before your "pass" rule. If $VPN-NET1
> contains one IP, I wouldn't use a variable. I'd just put the IP in its
> in the rule and reduce the overhead.
> Now, ...
> >pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
> ... I'm not sure what you're doing here. Is 192.168.1.61 part of your
> or is it external to it? If you're entering more than one address on the
> hand-side, then it's necessary to use square brackets, comma delimiters,
> spaces, as:
> Also, there needs to be a port designation after the addresses on the RHS,
> the whole rule would look like this:
> pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any
> The port designation can be a single port number ( e.g. 500 ), as it is on
> LHS, a range of ports ( e.g. 500:1000 , 500: , :1000 ), or the word "any"
> signify that all ports match.
> >This will only not log on internal address going to specific destination,
> >if somebody were to create a scan tool or some other nasty device, I
> >get flagged again on different IP's.
> The pass rule we have written here will not affect detection of TCP
> between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61.
> traffic which did not originate from any of these IPS would still be
> as would any UDP traffic originating from $VPN-NET1 on some port other
> 500.
> The rule, as now written, will pass without alerting all UDP traffic
> originating on $VPN-NET1, port 500, and bound for any port on any machine
> $HOME_NET or 192.168.1.61. It will also pass all UDP traffic originating
> $HOME_NET and 192.168.1.61, from any port, and bound for port 500 on
> Everything else still gets alerted.
> >This makes sense to me, look logical ?
> If what I've just described is what you want to do, it should work fine.
> Let me know how it turns out.
> Best regards,
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
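The rule-header semantics Neil describes (address lists in square brackets, port ranges, the bidirectional `<>` operator) and the reason the -o switch matters for a pass rule, as an added example that is not part of either post and is not Snort code: a small Python model of Snort 2.0-era header matching. The HOME_NET value, the catch-all alert rules and the sample packets are constructed for the example, and the matcher looks only at the rule header, not at rule options.

```python
"""Toy model of Snort 2.0-era rule-header matching, added to illustrate the
thread; it is not Snort code. It covers what the replies discuss: `var`
substitution, address lists in square brackets, port specs (single, ranges,
"any"), the bidirectional `<>` operator, and why `-o` matters for pass rules.
Variable values, alert rules and sample packets are constructed for the example."""
import ipaddress
import re

# Stands in for the `var` lines in snort.conf (constructed values).
VARS = {"HOME_NET": "192.168.1.0/24", "VPN_NET": "126.96.36.199"}

def expand_vars(token):
    """Substitute $NAME from VARS; an undefined variable is an error, as in Snort."""
    def sub(m):
        if m.group(1) not in VARS:
            raise ValueError("Undefined variable: $" + m.group(1))
        return VARS[m.group(1)]
    return re.sub(r"\$(\w+)", sub, token)

def parse_addrs(token):
    """'any' -> None; '[a,b]' or a single host/CIDR -> list of networks.
    Snort allows no spaces inside the brackets, so we split only on commas."""
    token = expand_vars(token)
    if token == "any":
        return None
    inner = token[1:-1] if token.startswith("[") and token.endswith("]") else token
    return [ipaddress.ip_network(a, strict=False) for a in inner.split(",")]

def parse_ports(token):
    """'any', a single port, or a range: '500:1000', '500:' (500 and up), ':1000' (up to 1000)."""
    if token == "any":
        return (0, 65535)
    if ":" in token:
        lo, hi = token.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(token), int(token))

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)(?:\s+\(.*\))?\s*$")

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("cannot parse rule header: " + text)
    action, proto, saddr, sport, direction, daddr, dport = m.groups()
    return {"action": action, "proto": proto.lower(), "bidir": direction == "<>",
            "src": (parse_addrs(saddr), parse_ports(sport)),
            "dst": (parse_addrs(daddr), parse_ports(dport))}

def _endpoint_matches(spec, ip, port):
    nets, (lo, hi) = spec
    in_net = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return in_net and lo <= port <= hi

def header_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport."""
    if rule["proto"] != pkt["proto"]:
        return False
    forward = (_endpoint_matches(rule["src"], pkt["src"], pkt["sport"])
               and _endpoint_matches(rule["dst"], pkt["dst"], pkt["dport"]))
    if forward or not rule["bidir"]:
        return forward
    # `<>` also matches the reply direction: rule src against packet dst and vice versa.
    return (_endpoint_matches(rule["src"], pkt["dst"], pkt["dport"])
            and _endpoint_matches(rule["dst"], pkt["src"], pkt["sport"]))

def verdict(rules, pkt, pass_first):
    """Action of the first matching rule type. Snort 2.0 applied rule types in
    the order alert, pass, log, so a pass rule never suppressed a matching alert
    rule; `-o` switches to pass, alert, log, which is why the thread uses it."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        if any(r["action"] == action and header_matches(r, pkt) for r in rules):
            return action
    return None

# The two pass rules from the thread plus hypothetical catch-all alert rules
# standing in for whatever rule flagged the VPN traffic.
PASS_NEIL = "pass udp $VPN_NET 500 <> [$HOME_NET,192.168.1.61] any"
PASS_ALLAN = "pass udp $VPN_NET 500 <> 192.168.1.61 any"
ALERT_UDP = 'alert udp any any -> $HOME_NET any (msg:"udp to home net";)'
ALERT_TCP = 'alert tcp any any -> $HOME_NET any (msg:"tcp to home net";)'

def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed sample traffic covering the cases Neil walks through.
SAMPLES = {
    "isakmp_to_61":    pkt("udp", "126.96.36.199", 500, "192.168.1.61", 500),
    "reply_from_61":   pkt("udp", "192.168.1.61", 4500, "126.96.36.199", 500),
    "isakmp_to_other": pkt("udp", "126.96.36.199", 500, "192.168.1.10", 500),
    "vpn_udp_port_53": pkt("udp", "126.96.36.199", 53, "192.168.1.61", 1025),
    "vpn_tcp":         pkt("tcp", "126.96.36.199", 500, "192.168.1.61", 80),
}

def evaluate(pass_rule, pass_first=True):
    """Verdict for every sample packet under one pass rule plus the alert rules."""
    rules = [parse_rule(r) for r in (pass_rule, ALERT_UDP, ALERT_TCP)]
    return {name: verdict(rules, p, pass_first) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, rule in (("Neil's rule", PASS_NEIL), ("Allan's rule", PASS_ALLAN)):
        print(label, "with -o:", evaluate(rule, pass_first=True))
    print("Neil's rule without -o:", evaluate(PASS_NEIL, pass_first=False))
```

Running it shows the behaviour Neil describes: with -o, UDP from the VPN host on port 500 to any home address passes in both directions, while UDP from some other port and all TCP still alert. Allan's narrower rule only covers 192.168.1.61, so the same ISAKMP traffic to another internal host would still alert; and without -o even Neil's rule fails to suppress the alert, because the alert rule is evaluated first.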