[Snort-users] VPN and UDP alerts
giermo at ...8381...
Tue Apr 29 07:42:05 EDT 2003
> I am still getting alerts from that vpn server on the
> internet. When I
> emailed yesterday, the user had left, right when I applied
> the rule. This
> morning its back.
> This is what I have done
> in snort.conf where DNS and mail variables are defined i added:
> # External VPN Server
> var VPN_NET 184.108.40.206
> In local.rules i did the following:
> pass udp $VPN_NET 500 <> 192.168.1.61 any
Unless that 192.168.1.61 address you have in this rule is just a
placeholder to obfuscate the real address, you will never see traffic
like this. Unless the sensor is inside your firewall and the firewall
is natting for the vpn client.
Either way, try this:
pass udp $VPN_NET 500 <> any any
More information about the Snort-users