[Snort-users] VPN and UDP alerts

Allan Dover allan at ...8825...
Tue Apr 29 07:06:02 EDT 2003


Hey Neil,

I am still getting alerts from that VPN server on the internet.  When I
emailed yesterday, the user had left right when I applied the rule.  This
morning it's back.
This is what I have done:

In snort.conf, where the DNS and mail variables are defined, I added:
# External VPN Server
var VPN_NET 139.56.2.13

In local.rules I did the following:

pass udp $VPN_NET 500 <> 192.168.1.61 any

I also modified my startup script with the -o option.

Any ideas?

Allan Dover
Systems Administrator
<mailto:allan at ...8977...>
<http://www.iiwishiv.com>


----- Original Message -----
From: "Neil Dickey" <neil at ...1633...>
To: <allan at ...8977...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, April 25, 2003 5:11 PM
Subject: Re: [Snort-users] VPN and UDP alerts


>
> "Allan Dover" <allan at ...8977...> wrote:
>
> >Thanks for the advice, I will try it.  This may seem like a stupid question,
> >should I be concerned that I am putting an internet address in my local file
> >
> >Example:
> >
> >var VPN-NET1 64.42.55.212  ( Made it up )
>
> According to my reading of the manual that shouldn't cause a problem, though
> my habit is to define all my variables in a central place -- snort.conf.  Just
> be sure the "var" statement is read before your "pass" rule.  If $VPN-NET1 only
> contains one IP, I wouldn't use a variable.  I'd just put the IP in its place
> in the rule and reduce the overhead.
>
> Now, ...
>
> >pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
>                                      ^^^^^^^^^^^^
> ... I'm not sure what you're doing here.  Is 192.168.1.61 part of your HOME_NET,
> or is it external to it?  If you're entering more than one address on the
> right-hand-side, then it's necessary to use square brackets, comma delimiters,
> and no spaces, as:
>
>   [$HOME_NET,192.168.1.61]
>
> Also, there needs to be a port designation after the addresses on the RHS, so
> the whole rule would look like this:
>
>   pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any
>
> The port designation can be a single port number ( e.g. 500 ), as it is on the
> LHS, a range of ports ( e.g. 500:1000 , 500: , :1000 ), or the word "any" to
> signify that all ports match.
>
> >This will only not log on internal address going to specific destination, so
> >if somebody were to create a scan tool or some other nasty device, I would
> >get flagged again on different IP's.
>
> The pass rule we have written here will not affect detection of TCP traffic
> between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61 .  UDP
> traffic which did not originate from any of these IPs would still be alerted,
> as would any UDP traffic originating from $VPN-NET1 on some port other than
> 500 .
>
> The rule, as now written, will pass without alerting all UDP traffic
> originating on $VPN-NET1, port 500, and bound for any port on any machine in
> $HOME_NET or 192.168.1.61 .  It will also pass all UDP traffic originating on
> $HOME_NET and 192.168.1.61, from any port, and bound for port 500 on $VPN-NET1.
> Everything else still gets alerted.
>
> >This makes sense to me, look logical ?
>
> If what I've just described is what you want to do, it should work fine.
>
> Let me know how it turns out.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
>
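The rule-header semantics Neil walks through above (address lists, port ranges, and which flows a bidirectional pass rule covers), as an added example that is not from this thread or from Snort itself: a small Python evaluator of the header part of a Snort rule, run against the rule Allan posted. The HOME_NET value and the sample flows are constructed; rule options, CIDR negation and the -o rule-ordering switch are not modelled.

```python
import ipaddress
# Constructed stand-in for the snort.conf variables used in the thread.
VARS = {"VPN_NET": "139.56.2.13", "HOME_NET": "192.168.1.0/24"}

def _expand(tok):
    """Resolve $VAR, [a,b,...] lists and 'any' into a list of ip_network objects."""
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok.startswith("[") and tok.endswith("]"):
        return [n for t in tok[1:-1].split(",") for n in _expand(t)]
    if tok.startswith("$"):
        return _expand(VARS[tok[1:]])
    return [ipaddress.ip_network(tok, strict=False)]

def _port_ok(spec, port):
    """Port spec as Neil lists them: 'any', '500', '500:1000', '500:' or ':1000'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (lo == "" or int(lo) <= port) and (hi == "" or port <= int(hi))
    return int(spec) == port

def _side_ok(nets, pspec, ip, port):
    return any(ipaddress.ip_address(ip) in n for n in nets) and _port_ok(pspec, port)

def rule_matches(rule, proto, src, sport, dst, dport):
    """True if the flow src:sport -> dst:dport (proto) is covered by the rule header."""
    _action, rproto, a1, p1, direction, a2, p2 = rule.split()
    if rproto != proto:
        return False
    n1, n2 = _expand(a1), _expand(a2)
    forward = _side_ok(n1, p1, src, sport) and _side_ok(n2, p2, dst, dport)
    if direction == "->":
        return forward
    if direction == "<>":  # bidirectional: also match the flow seen the other way round
        return forward or (_side_ok(n2, p2, src, sport) and _side_ok(n1, p1, dst, dport))
    raise ValueError("unknown direction operator " + direction)

# The pass rule from Allan's local.rules, checked against constructed sample flows:
# ISAKMP both ways, a non-500 UDP flow, a different internal host, and TCP.
RULE = "pass udp $VPN_NET 500 <> 192.168.1.61 any"

if __name__ == "__main__":
    for flow in [("udp", "139.56.2.13", 500, "192.168.1.61", 1024),
                 ("udp", "192.168.1.61", 4500, "139.56.2.13", 500),
                 ("udp", "139.56.2.13", 4500, "192.168.1.61", 4500),
                 ("udp", "139.56.2.13", 500, "192.168.1.62", 500),
                 ("tcp", "139.56.2.13", 500, "192.168.1.61", 22)]:
        print(flow, "passed" if rule_matches(RULE, *flow) else "still alerted")
```

Because Allan's rule names a single host on the right-hand side rather than $HOME_NET, UDP from the VPN server to any other internal address is still alerted, which is the behaviour Neil describes.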