[Snort-users] VPN Users

Jason Haar Jason.Haar at ...294...
Sat May 15 21:02:00 EDT 2010

On 05/15/2010 02:31 AM, Stephen Mullins wrote:
> Typically this is what you use a SIM tool for.  That way you can check
> what user was assigned what translated VPN IP address at the time that
> traffic involving that IP triggered the IDS alert by looking for
> Windows/VPN logs around the time of the alert.

You are so right. VPN users are an absolute pain - especially since a
lot of VPN software (eg openvpn and cisco concentrators) contiunally
re-use IP addresses. ie hostA logs in and is assigned IP-1, logs out and
two seconds later hostB logs in and is assigned IP-1. If you have the
option, save yourself some grief and use DHCP!!!

Anyway, typically the VPN server won't be logging the client hostname,
so you have to rely on either triggering your own scripts to detect the
client hostname, or use logs from other sources (eg if the host is in
your Active Directory, then your domain controllers will log that host
registering itself with the domain. Won't work for non-Windows or
non-domain hosts of course)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list