[Snort-users] Listening openVPN

Andre Rodier andre.rodier at ...14721...
Sun Dec 6 13:24:30 EST 2009


Nigel Houghton wrote:

> On Sun, Dec 6, 2009 at 12:23 PM, Matt Olney <molney at ...1935...> wrote:
>   
>> When testing new listening setups, I use tcpdump to check what traffic
>> I'm seeing.  It uses the same underlying library that snort uses, and
>> provides an immediate view of the traffic.
>>
>> Sent from my iPhone
>>
>> On Dec 6, 2009, at 11:41 AM, Andre Rodier <andre.rodier at ...14721...>
>> wrote:
>>
>>     
>>> Hello everybody,
>>>
>>>
>>> After googling around, I can't find any answer to my question.
>>>
>>>
>>> Is it possible to configure snort to listen on the virtual network
>>> adapter of OpenVPN (tap0)?
>>>
>>>
>>> I have tried to configure snort to do this, but apparently this fails:
>>>
>>>
>>> var HOME_NET [10.10.1.0/24,192.168.0.0/24]
>>>
>>>
>>> 10.10.1/24 is the vpn network address, while 192.168.0.x is the
>>> physical network.
>>>
>>>
>>> I use nmap to start a portscan, and the result is accurate on both
>>> interfaces. However, the only logs from Snort I have are coming from
>>> the physical network interface 192.168.0.0/24.
>>>
>>>
>>> Do I have to do something special to authorise snort to listen on this
>>> virtual interface?
>>>
>>> Thanks.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Join us December 9, 2009 for the Red Hat Virtual Experience,
>>> a free event focused on virtualization and cloud computing.
>>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>>> http://p.sf.net/sfu/redhat-sfdev2dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>       
>
>
> If you use "snort -dev -i tap0" do you see the traffic you expect
Hello Matt,

Yes, doing this shows me the traffic. Do I have to conclude that's a
configuration error?

ATB
André.