[Snort-users] Listening openVPN

Nigel Houghton nhoughton at ...1935...
Sun Dec 6 12:42:20 EST 2009


On Sun, Dec 6, 2009 at 12:23 PM, Matt Olney <molney at ...1935...> wrote:
> When testing new listening setups, I use tcpdump to check what traffic
> I'm seeing.  It uses the same underlying library that snort uses, and
> provides an immediate view of the traffic.
>
> On Dec 6, 2009, at 11:41 AM, Andre Rodier <andre.rodier at ...14721...> wrote:
>
>> Hello everybody,
>>
>>
>> After googling around, I can't find any answer to my question.
>>
>>
>> Is it possible to configure snort to listen on the virtual network
>> adapter of OpenVPN (tap0) ?
>>
>>
>> I have tried to configure snort to do this, but apparently this fails:
>>
>>
>> var HOME_NET [10.10.1.0/24,192.168.0.0/24]
>>
>>
>> 10.10.1/24 is the vpn network address, while 192.168.0.x is the physical
>> network.
>>
>>
>> I use nmap to start a portscan, and the result is accurate on both
>> interfaces. However, the only logs from Snort I have are coming from the
>> physical network interface 192.168.0.0/24.
>>
>>
>> Do I have to do something special to authorise snort to listen on this
>> virtual interface?
>>
>> Thanks.
>>
>>
>> ---
>> ---
>> ---
>> ---------------------------------------------------------------------
>> Join us December 9, 2009 for the Red Hat Virtual Experience,
>> a free event focused on virtualization and cloud computing.
>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>> http://p.sf.net/sfu/redhat-sfdev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


If you use "snort -dev -i tap0" do you see the traffic you expect?

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/



