[Snort-users] PPTP and Cisco IPSEC
pmelson at ...11827...
Tue Sep 13 13:19:08 EDT 2005
The Sourcefire rules policy.rules file includes signatures for PPTP.
As for IPSec tunnels, you could easily trigger on the Phase 1 negotiation
packets like this:
alert udp $EXTERNAL_NET 500 -> $HOME_NET 500 (msg:"Site-to-Site IPSec VPN Phase 1 Traffic"; classtype: attempted-admin; sid:1234001; rev:1;)
alert udp $EXTERNAL_NET !500 -> $HOME_NET 500 (msg:"Client VPN Phase 1 Traffic"; classtype: attempted-admin; sid:1234002; rev:1;)
This would trigger on all phase 1 packets though. To do it right you'd want
to build some content: fields for each signature based on some packet
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ron Jenkins
Sent: Tuesday, September 13, 2005 3:32 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] PPTP and Cisco IPSEC
Are there any rules written to detect when a VPN PPTP and IPSEC connection is
being made to a Cisco Pix?
Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
Data Integrity, LLC
"We Integrate People with Solutions"
1724 Dallas Drive
Baton Rouge, La 70806
Email. rjenkins at ...12829...
(Aanval Reseller and Technology Partner)
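Added example, not part of the original thread: one way to narrow the port-500 match in the reply to the initiator's first Phase 1 packet, using the IKEv1 ISAKMP header layout from RFC 2408. The function names and the sample headers are constructed for illustration.

```python
import struct

# ISAKMP header (RFC 2408): initiator cookie (8), responder cookie (8),
# next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), length (4) = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PHASE1_MODES = {2: "main", 4: "aggressive"}  # Identity Protection / Aggressive

def phase1_initial(payload):
    """Return 'main' or 'aggressive' for an initiator's first IKEv1 packet, else None."""
    if len(payload) < ISAKMP_HDR.size:
        return None                      # truncated datagram, nothing to match
    icookie, rcookie, _np, version, xchg, _flags, msgid, length = \
        ISAKMP_HDR.unpack_from(payload)
    if version != 0x10:                  # IKEv1 only (major 1, minor 0)
        return None
    # In a rule, this is a content match for eight zero bytes at offset 8, depth 8.
    if rcookie != b"\x00" * 8 or icookie == b"\x00" * 8:
        return None                      # responder cookie is zero only in message 1
    if msgid != 0 or length < ISAKMP_HDR.size:
        return None                      # Phase 1 always uses message ID 0
    return PHASE1_MODES.get(xchg)        # exchange type is the byte at offset 18

def classify(src_port, payload):
    """Mirror the two rules in the reply: source port 500 vs. any other port."""
    mode = phase1_initial(payload)
    if mode is None:
        return None
    kind = "site-to-site" if src_port == 500 else "client"
    return f"{kind} VPN Phase 1 start ({mode} mode)"

def build(rcookie, xchg, msgid=0, version=0x10):
    """Constructed header-only sample (not captured traffic)."""
    return ISAKMP_HDR.pack(b"\x11" * 8, rcookie, 1, version, xchg, 0, msgid, 28)

if __name__ == "__main__":
    samples = [
        (500, build(b"\x00" * 8, 2)),            # first main-mode packet
        (1027, build(b"\x00" * 8, 4)),           # first aggressive-mode packet
        (500, build(b"\x22" * 8, 2)),            # later main-mode packet
        (500, build(b"\x22" * 8, 32, msgid=7)),  # quick mode (Phase 2)
    ]
    for port, pkt in samples:
        print(port, classify(port, pkt))
```

Alerting only on the zero responder cookie gives one event per negotiation attempt instead of one per Phase 1 packet.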