[Snort-users] PPTP and Cisco IPSEC

Paul Melson pmelson at ...11827...
Tue Sep 13 13:19:08 EDT 2005

The Sourcefire rules policy.rules file includes signatures for PPTP.

As for IPSec tunnels, you could easily trigger on the Phase 1 negotiation
packets like this:

alert udp $EXTERNAL_NET 500 -> $HOME_NET 500 (msg:"Site-to-Site IPSec VPN
Phase 1 Traffic"; classtype: attepted-admin; sid:1234001; rev:1;)

alert udp $EXTERNAL_NET !500 -> $HOME_NET 500 (msg:"Client VPN Phase 1
Traffic"; classtype: attempted-admin; sid:1234002; rev:1;)

This would trigger on all phase 1 packets though.  To do it right you'd want
to build some content: fields for each signature based on some packet



From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ron Jenkins
Sent: Tuesday, September 13, 2005 3:32 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] PPTP and Cisco IPSEC

Are there any rules written to detect when a VPN PPTP and IPSEC connected
being made to a Cisco Pix?




Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
Senior Architect
Data Integrity, LLC
"We Integrate People with Solutions"
1724 Dallas Drive
Suite 11
Baton Rouge, La 70806
Office. 225.927.8030
Fax. 225.927.8033

Email. rjenkins at ...12829...
Web. http://www.dibr.net

(Aanval Reseller and Technology Partner)



More information about the Snort-users mailing list