[Snort-users] Listening openVPN

Andre Rodier andre.rodier at ...14721...
Sun Dec 6 13:39:19 EST 2009


Andre Rodier wrote:

> Nigel Houghton wrote:
>
>> On Sun, Dec 6, 2009 at 12:23 PM, Matt Olney <molney at ...1935...> wrote:
>>   
>>> When testing new listening setups, I use tcpdump to check what traffic
>>> I'm seeing.  It uses the same underlying library that snort uses, and
>>> provides an immediate view of the traffic.
>>>
>>> Sent from my iPhone
>>>
>>> On Dec 6, 2009, at 11:41 AM, Andre Rodier <andre.rodier at ...14721...>
>>> wrote:
>>>
>>>     
>>>> Hello everybody,
>>>>
>>>>
>>>> After googling around, I can't find any answer to my question.
>>>>
>>>>
>>>> Is it possible to configure snort to listen on the virtual network
>>>> adapter of OpenVPN (tap0) ?
>>>>
>>>>
>>>> I have tried to configure snort to do this, but apparently this fails:
>>>>
>>>>
>>>> var HOME_NET [10.10.1.0/24,192.168.0.0/24]
>>>>
>>>>
>>>> 10.10.1/24 is the vpn network address, while 192.168.0.x is the
>>>> physical
>>>> network.
>>>>
>>>>
>>>> I use nmap to start a portscan, and the result is accurate on both
>>>> interfaces. However, the only logs from Snort I have are coming from
>>>> the
>>>> physical network interface 192.168.0.0/24,
>>>>
>>>>
>>>> Do I have to do something special to authorise snort to listen on this
>>>> virtual interface ?
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> ---
>>>> ---
>>>> ---
>>>> ---------------------------------------------------------------------
>>>> Join us December 9, 2009 for the Red Hat Virtual Experience,
>>>> a free event focused on virtualization and cloud computing.
>>>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>>>> http://p.sf.net/sfu/redhat-sfdev2dev
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>       
>>
>>
>> If you use "snort -dev -i tap0" do you see the traffic you expect
> Hello Matt,
>
> Yes, doing this shows me the traffic, do I have to conclude that's a
> configuration error ?
>
> ATB
> André.
Hello everybody,

I fixed the problem by reconfiguring the snort package. Debian overrides
the settings in /etc/snort/snort.conf with custom parameters, and I
was unaware of that.

Thanks anyway !