[Snort-users] PPTP and Cisco IPSEC
protocoljunkie at ...11827...
Tue Sep 13 16:38:20 EDT 2005
Also the snort_decoder fires alerts on strange UDP traffic (later
confirmed as IPSec) that I was able to track down using SGUIL. This
helped identify policy violations, such as terminating IPSec tunnels
within your internal network from remote users (Firewall
On 9/13/05, Paul Melson <pmelson at ...11827...> wrote:
> The Sourcefire rules policy.rules file includes signatures for PPTP.
> As for IPSec tunnels, you could easily trigger on the Phase 1 negotiation
> packets like this:
> alert udp $EXTERNAL_NET 500 -> $HOME_NET 500 (msg:"Site-to-Site IPSec VPN Phase 1 Traffic"; classtype:attempted-admin; sid:1234001; rev:1;)
> alert udp $EXTERNAL_NET !500 -> $HOME_NET 500 (msg:"Client VPN Phase 1 Traffic"; classtype:attempted-admin; sid:1234002; rev:1;)
> This would trigger on all phase 1 packets though. To do it right you'd want
> to build some content: fields for each signature based on some packet
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ron Jenkins
> Sent: Tuesday, September 13, 2005 3:32 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] PPTP and Cisco IPSEC
> Are there any rules written to detect when a VPN (PPTP or IPSEC) connection is
> being made to a Cisco Pix?
> Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
> Senior Architect
> Data Integrity, LLC
> "We Integrate People with Solutions"
> 1724 Dallas Drive
> Suite 11
> Baton Rouge, La 70806
> Office. 225.927.8030
> Fax. 225.927.8033
> Email. rjenkins at ...12829...
> Web. http://www.dibr.net
> (Aanval Reseller and Technology Partner)
May the packets be with you.
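The "content: fields" Paul mentions would key on the ISAKMP header rather than on port 500 alone. The following is an added example, not code from this thread or from Snort/Sourcefire: it decodes the 28-byte ISAKMP header (RFC 2408 layout) and only labels the *first* IKEv1 Phase 1 message of an exchange (responder cookie still zero, message ID zero, SA as first payload), splitting site-to-site from client traffic by source port exactly as the two posted rules do. The equivalent Snort content/offset/depth options are given in the docstring as an illustration; the sample packets are constructed inline, and NAT-T on UDP/4500 is deliberately left out.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ISAKMP_HDR_LEN = 28           # fixed ISAKMP header, RFC 2408 section 3.1
NEXT_PAYLOAD_SA = 1           # Security Association payload type
IKEV1_MAJOR = 1               # version byte is major<<4 | minor, so 0x10 for IKEv1
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode"}  # IKEv1 Phase 1 exchanges


@dataclass
class IsakmpHeader:
    i_cookie: bytes
    r_cookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp(payload: bytes) -> Optional[IsakmpHeader]:
    """Decode the 28-byte ISAKMP header; None if the datagram is too short."""
    if len(payload) < ISAKMP_HDR_LEN:
        return None
    return IsakmpHeader(*struct.unpack("!8s8sBBBBII", payload[:ISAKMP_HDR_LEN]))


def classify_phase1(src_port: int, dst_port: int, payload: bytes) -> Optional[str]:
    """Label the first IKEv1 Phase 1 packet of an exchange sent to UDP/500, else None.

    Illustrative Snort equivalents (offsets into the UDP payload, hypothetical rule text):
      content:"|00 00 00 00 00 00 00 00|"; offset:8; depth:8;   (responder cookie still zero)
      content:"|01 10 02|"; offset:16; depth:3;                 (SA payload, v1.0, Main Mode)
    """
    if dst_port != 500:
        return None
    hdr = parse_isakmp(payload)
    if hdr is None:
        return None
    if hdr.version >> 4 != IKEV1_MAJOR:
        return None                   # IKEv2 (0x20) uses different exchange types
    if hdr.exchange_type not in EXCHANGE_TYPES:
        return None                   # Quick Mode, Informational etc. are not Phase 1
    if hdr.r_cookie != bytes(8) or hdr.message_id != 0:
        return None                   # responder cookie is set from the second packet on
    if hdr.next_payload != NEXT_PAYLOAD_SA:
        return None                   # first Phase 1 message always starts with an SA payload
    if hdr.length != len(payload):
        return None                   # declared length must match the datagram
    kind = "Site-to-Site" if src_port == 500 else "Client"
    return f"{kind} IPSec VPN Phase 1 ({EXCHANGE_TYPES[hdr.exchange_type]})"


def build_phase1(exchange_type: int, r_cookie: bytes = bytes(8), version: int = 0x10) -> bytes:
    """Constructed sample datagram: ISAKMP header plus a minimal SA payload header
    (DOI=1 IPsec, situation=1 SIT_IDENTITY_ONLY). Cookie value is made up."""
    sa_payload = struct.pack("!BBHII", 0, 0, 12, 1, 1)   # next=None, reserved, len=12, DOI, SIT
    total = ISAKMP_HDR_LEN + len(sa_payload)
    hdr = struct.pack("!8s8sBBBBII", b"\xde\xad\xbe\xef\x00\x11\x22\x33", r_cookie,
                      NEXT_PAYLOAD_SA, version, exchange_type, 0, 0, total)
    return hdr + sa_payload


if __name__ == "__main__":
    samples = [
        ("site-to-site main mode", 500, 500, build_phase1(2)),
        ("client aggressive mode", 1025, 500, build_phase1(4)),
        ("second phase 1 packet", 500, 500, build_phase1(2, r_cookie=b"\x01" * 8)),
        ("IKEv2 IKE_SA_INIT", 500, 500, build_phase1(34, version=0x20)),
        ("short junk to 500", 500, 500, b"\x00" * 10),
    ]
    for name, sp, dp, pkt in samples:
        print(f"{name:24s} -> {classify_phase1(sp, dp, pkt)}")
```

Only the opening message of each negotiation fires, which is what turns "every Phase 1 packet" into one alert per tunnel attempt; a later Phase 1 packet, an IKEv2 exchange, or unrelated noise on UDP/500 is ignored.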