[Snort-users] using snortcenter agents on multiple interface sensor?
BHorta1 at ...8080...
Wed May 14 12:37:03 EDT 2003
Is it possible to run the SnortCenter agent on a Linux box with multiple
interfaces being watched by Snort?
I have a 4-interface Snort box (1 mgmt iface) and I run Snort watching
traffic on all 4 and sending it to an ACID/SQL box. Will SnortCenter allow me
to view the box and manage it as 4?
From: Allan Dover [mailto:allan at ...8825...]
Sent: Tuesday, April 29, 2003 10:05 AM
To: Neil Dickey
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] VPN and UDP alerts
I am still getting alerts from that VPN server on the Internet. When I
emailed yesterday, the user had left right when I applied the rule. This
morning it's back.
This is what I have done:
in snort.conf, where the DNS and mail variables are defined, I added:
# External VPN Server
var VPN_NET 220.127.116.11
In local.rules I did the following:
pass udp $VPN_NET 500 <> 192.168.1.61 any
I also modified my startup script with the -o option.
Any ideas?
----- Original Message -----
From: "Neil Dickey" <neil at ...1633...>
To: <allan at ...8977...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, April 25, 2003 5:11 PM
Subject: Re: [Snort-users] VPN and UDP alerts
> "Allan Dover" <allan at ...8977...> wrote:
> >Thanks for the advice, I will try it. This may seem like a stupid
> >should I be concerned that I am putting an internet address in my local
> >var VPN-NET1 18.104.22.168 ( Made it up )
> According to my reading of the manual that shouldn't cause a problem,
> my habit is to define all my variables in a central place -- snort.conf.
> be sure the "var" statement is read before your "pass" rule. If $VPN-NET1
> contains one IP, I wouldn't use a variable. I'd just put the IP in its
> in the rule and reduce the overhead.
> Now, ...
> >pass udp $VPN-NET1 500 <> $HOME_NET 192.168.1.61
> ... I'm not sure what you're doing here. Is 192.168.1.61 part of your
> or is it external to it? If you're entering more than one address on the
> hand-side, then it's necessary to use square brackets, comma delimiters,
> spaces, as:
> Also, there needs to be a port designation after the addresses on the RHS,
> the whole rule would look like this:
> pass udp $VPN-NET1 500 <> [$HOME_NET,192.168.1.61] any
> The port designation can be a single port number ( e.g. 500 ), as it is on
> LHS, a range of ports ( e.g. 500:1000 , 500: , :1000 ), or the word "any"
> signify that all ports match.
> >This will only not log on internal address going to specific destination,
> >if somebody were to create a scan tool or some other nasty device, I
> >get flagged again on different IP's.
> The pass rule we have written here will not affect detection of TCP
> between any of the addresses in $VPN-NET1, $HOME_NET, and 192.168.1.61 .
> traffic which did not originate from any of these IPs would still be
> as would any UDP traffic originating from $VPN-NET1 on some port other
> 500 .
> The rule, as now written, will pass without alerting all UDP traffic
> originating on $VPN-NET1, port 500, and bound for any port on any machine
> $HOME_NET or 192.168.1.61 . It will also pass all UDP traffic originating
> $HOME_NET and 192.168.1.61, from any port, and bound for port 500 on
> Everything else still gets alerted.
> >This makes sense to me, look logical?
> If what I've just described is what you want to do, it should work fine.
> Let me know how it turns out.
> Best regards,
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
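Neil's description of the pass rule header (address lists in square brackets, the 500:1000 / 500: / :1000 port ranges, "any", and the bidirectional <> operator) can be checked against sample flows with the small Python model below. It is example code written for this page, not Snort's own matcher: the VARS table, the sample flows, the HOME_NET range and the 203.0.113.9 documentation address are constructed, and only the rule header is modelled (no rule options, no -o ordering).

```python
import ipaddress
# Constructed variable table mirroring the thread's snort.conf; HOME_NET is an assumed RFC 1918 range.
VARS = {"VPN_NET": "220.127.116.11", "HOME_NET": "192.168.1.0/24"}

def parse_addrs(spec):
    # 'any' (None), '$VAR', one address/CIDR, or a bracketed comma list such as [$HOME_NET,192.168.1.61]
    if spec == "any":
        return None
    parts = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    nets = []
    for item in map(str.strip, parts):
        if item.startswith("$"):
            nets.extend(parse_addrs(VARS[item[1:]]))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets
def parse_ports(spec):
    # 'any', one port, or the ranges 500:1000, 500:, :1000 -> inclusive (lo, hi)
    if spec == "any":
        return (0, 65535)
    lo, sep, hi = spec.partition(":")
    return (int(lo or 0), int(hi) if hi else (65535 if sep else int(lo)))
def parse_rule(header):
    # Rule header only, e.g. 'pass udp $VPN_NET 500 <> [$HOME_NET,192.168.1.61] any'
    action, proto, src, sport, arrow, dst, dport = header.split()
    return {"action": action, "proto": proto, "bidir": arrow == "<>",
            "src": (parse_addrs(src), parse_ports(sport)),
            "dst": (parse_addrs(dst), parse_ports(dport))}
def side_ok(side, ip, port):
    nets, (lo, hi) = side
    return (nets is None or any(ipaddress.ip_address(ip) in n for n in nets)) and lo <= port <= hi
def rule_matches(rule, proto, sip, sport, dip, dport):
    # A '<>' rule matches with its two sides applied in either direction
    if proto != rule["proto"]:
        return False
    fwd = side_ok(rule["src"], sip, sport) and side_ok(rule["dst"], dip, dport)
    rev = rule["bidir"] and side_ok(rule["src"], dip, dport) and side_ok(rule["dst"], sip, sport)
    return fwd or rev
RULE = parse_rule("pass udp $VPN_NET 500 <> [$HOME_NET,192.168.1.61] any")
# Constructed sample flows (proto, src, sport, dst, dport); 203.0.113.9 is a documentation address
SAMPLES = [
    ("udp", "220.127.116.11", 500, "192.168.1.61", 4500),  # VPN:500 -> host: pass
    ("udp", "192.168.1.61", 1024, "220.127.116.11", 500),  # host -> VPN:500: pass (bidirectional)
    ("udp", "220.127.116.11", 4500, "192.168.1.61", 500),  # VPN on another port: still alerts
    ("tcp", "220.127.116.11", 500, "192.168.1.61", 22),    # TCP is untouched by a udp rule
    ("udp", "203.0.113.9", 500, "192.168.1.61", 500),      # other source: still alerts
]
def classify(samples=SAMPLES):
    # What the header alone decides for each flow: 'pass' if matched, otherwise 'alert'
    return ["pass" if rule_matches(RULE, *s) else "alert" for s in samples]
```

Running classify() reproduces the behaviour Neil spells out: only UDP to or from port 500 on the VPN address is passed, and everything else still reaches the alert rules.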