[Snort-users] VPN and UDP alerts

SRH-Lists giermo at ...8381...
Tue Apr 29 07:42:05 EDT 2003


 
> I am still getting alerts from that vpn server on the internet.  When I
> emailed yesterday, the user had left, right when I applied the rule.  This
> morning it's back.
> This is what I have done
> 
> in snort.conf where DNS and mail variables are defined I added:
> # External VPN Server
> var VPN_NET 139.56.2.13
> 
> In local.rules I did the following:
> 
> pass udp $VPN_NET 500 <> 192.168.1.61 any

Unless that 192.168.1.61 address you have in this rule is just a
placeholder to obfuscate the real address, you will never see traffic
like this, unless the sensor is inside your firewall and the firewall
is NATing for the VPN client.

Either way, try this:

pass udp $VPN_NET 500 <> any any

-steve
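
The sensor-placement point in the reply above, as an added example that is not part of the original post: a small Python matcher for bare Snort rule headers (single IP/CIDR or `any`, single port or `any` only) run against constructed packets. The address 203.0.113.10 is a hypothetical public address for the NATing firewall; the other values come from the quoted rules.

```python
import ipaddress

VARS = {"VPN_NET": "139.56.2.13"}  # from the quoted snort.conf
ORIGINAL = "pass udp $VPN_NET 500 <> 192.168.1.61 any"
SUGGESTED = "pass udp $VPN_NET 500 <> any any"

# Constructed packets: (proto, src_ip, src_port, dst_ip, dst_port).
# 203.0.113.10 is a hypothetical public address of the NATing firewall.
OUTSIDE_IN = ("udp", "139.56.2.13", 500, "203.0.113.10", 500)   # sensor outside the firewall
OUTSIDE_OUT = ("udp", "203.0.113.10", 500, "139.56.2.13", 500)  # reply seen by the same sensor
INSIDE_IN = ("udp", "139.56.2.13", 500, "192.168.1.61", 500)    # sensor behind the NAT

def parse_header(rule, variables):
    """Split a bare rule header into its 7 fields, expanding $VARs."""
    fields = rule.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError(f"not a bare rule header: {rule!r}")
    return [variables[f[1:]] if f.startswith("$") else f for f in fields]

def addr_ok(spec, addr):
    net = None if spec == "any" else ipaddress.ip_network(spec, strict=False)
    return net is None or ipaddress.ip_address(addr) in net

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt, variables=VARS):
    """True if the packet, as the sensor sees it, matches the rule header."""
    _, proto, src, sport, direction, dst, dport = parse_header(rule, variables)
    p, sip, sp, dip, dp = pkt
    if p != proto:
        return False
    forward = (addr_ok(src, sip) and port_ok(sport, sp)
               and addr_ok(dst, dip) and port_ok(dport, dp))
    # "<>" also accepts the packet with source and destination swapped.
    reverse = (addr_ok(src, dip) and port_ok(sport, dp)
               and addr_ok(dst, sip) and port_ok(dport, sp))
    return forward or (direction == "<>" and reverse)

if __name__ == "__main__":
    samples = [("outside, inbound", OUTSIDE_IN),
               ("outside, outbound", OUTSIDE_OUT),
               ("inside, inbound", INSIDE_IN)]
    for name, pkt in samples:
        print(f"{name:18} original={matches(ORIGINAL, pkt)} "
              f"suggested={matches(SUGGESTED, pkt)}")
```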



