[Snort-users] PPTP and Cisco IPSEC

Murali Raju protocoljunkie at ...11827...
Tue Sep 13 16:38:20 EDT 2005


Also the snort_decoder fires alerts on strange UDP traffic (later
confirmed as IPSec) that I was able to track down using SGUIL. This
helped identify policy violations, such as terminating IPSec tunnels
within your internal network from remote users (firewall
misconfiguration).

Cheers.

_Raju

On 9/13/05, Paul Melson <pmelson at ...11827...> wrote:
> The Sourcefire rules policy.rules file includes signatures for PPTP.
> 
> As for IPSec tunnels, you could easily trigger on the Phase 1 negotiation
> packets like this:
> 
> alert udp $EXTERNAL_NET 500 -> $HOME_NET 500 (msg:"Site-to-Site IPSec VPN
> Phase 1 Traffic"; classtype: attempted-admin; sid:1234001; rev:1;)
> 
> alert udp $EXTERNAL_NET !500 -> $HOME_NET 500 (msg:"Client VPN Phase 1
> Traffic"; classtype: attempted-admin; sid:1234002; rev:1;)
> 
> This would trigger on all phase 1 packets though.  To do it right you'd want
> to build some content: fields for each signature based on some packet
> captures.
> 
> PaulM
> 
> 
> ________________________________
> 
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ron Jenkins
> Sent: Tuesday, September 13, 2005 3:32 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] PPTP and Cisco IPSEC
> 
> Are there any rules written to detect when a VPN PPTP and IPSEC connection is
> being made to a Cisco Pix?
> 
> Thanks.
> 
> Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
> Senior Architect
> Data Integrity, LLC
> "We Integrate People with Solutions"
> 1724 Dallas Drive
> Suite 11
> Baton Rouge, La 70806
> Office. 225.927.8030
> Fax. 225.927.8033
> Cell. 225.931.1632
> 
> Email. rjenkins at ...12829...
> Web. http://www.dibr.net
> 
> (Aanval Reseller and Technology Partner)
> 
> http://www.aanval.com/tour/dibr
> 


-- 
May the packets be with you.
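As an added example (not code from either post), here is a Python classifier that applies the header checks Paul's reply hints at: it parses the ISAKMP header of a UDP/500 datagram and flags only the first IKEv1 Phase 1 message, keeping the site-to-site versus client split from his two rules. The datagrams it is fed are constructed here for illustration, and the Snort keywords in the comment are an assumed equivalent, not taken from the thread.

```python
import struct
from typing import Optional

# ISAKMP header (RFC 2408 section 3.1), 28 bytes, network byte order:
# initiator SPI (8) | responder SPI (8) | next payload (1) | version (1)
# | exchange type (1) | flags (1) | message ID (4) | length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
IKE_UDP_PORT = 500
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive-mode"}  # IKEv1 Phase 1 exchanges


def classify_ike(src_port: int, dst_port: int, payload: bytes) -> Optional[str]:
    """Return a label for an IKEv1 Phase 1 initiation, or None otherwise.

    Port split follows the list post: source port 500 is a peer gateway
    (site-to-site), any other source port is a road-warrior client.
    Assumed Snort 2 options expressing the same header checks:
      content:"|00 00 00 00 00 00 00 00|"; offset:8; depth:8;  (responder SPI zero)
      byte_test:1,=,2,18; byte_test:4,=,0,20;                 (main mode, msg ID 0)
    """
    if dst_port != IKE_UDP_PORT or len(payload) < ISAKMP_HDR.size:
        return None
    (_init_spi, resp_spi, _next, version, exch, _flags,
     msg_id, length) = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1 or exch not in EXCHANGE_TYPES:
        return None  # not an IKEv1 Phase 1 exchange (e.g. informational, IKEv2)
    # First message of Phase 1: responder SPI still zero, message ID zero,
    # and the header length must agree with the datagram (cheap sanity check).
    if resp_spi != b"\x00" * 8 or msg_id != 0 or length != len(payload):
        return None
    role = "site-to-site" if src_port == IKE_UDP_PORT else "client"
    return f"{role} {EXCHANGE_TYPES[exch]} phase1"


def build_phase1_init(exchange_type: int, body: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample datagram: first Phase 1 message header plus a
    placeholder body (a real packet carries an SA payload here)."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange_type,
                          0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


if __name__ == "__main__":
    print(classify_ike(500, 500, build_phase1_init(2)))    # site-to-site main-mode phase1
    print(classify_ike(1025, 500, build_phase1_init(4)))   # client aggressive-mode phase1
    print(classify_ike(500, 500, build_phase1_init(5)))    # None (informational exchange)
```

Later Phase 1 and all Phase 2 messages are deliberately ignored, which is the "fires on every Phase 1 packet" noise Paul wanted to avoid.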