[Snort-users] Snort and OpenVPN

Kevin Ross kevross33 at ...14012...
Tue Feb 4 07:44:56 EST 2014


Without knowing your setup I imagine you are trying to have Snort inspect
encrypted VPN traffic, which it cannot do. I would suggest placing Snort to
detect traffic on interfaces that the traffic must pass through when on
your internal network and it is unencrypted (i.e., in a typical enterprise
deployment this would be somewhere behind the VPN concentrator before it is
encrypted or after it is decrypted).

Regards,
Kevin


On 4 February 2014 10:27, Dmitry Korzhevin <dmitry.korzhevin at ...15907...> wrote:

> Hi, please advise - what did I do wrong with the configuration of my Snort
> install? I can't see any OpenVPN traffic with my current Snort config,
> though I can see regular traffic, PPTP, IPsec.
>
> Snort installed on one server together with openvpn, openvpn has 3
> interfaces: tun0, tun1, tun2.
>
> If I run Snort manually and use tun* as the parameter for the interface, it
> works, and I can see traffic in the console.
>
> i.e.:  snort -dev -i tun0
>
> Maybe some problems with the configuration of interfaces?
>
> My current config:
>
> # Setup the network addresses you are protecting
> ipvar HOME_NET any
>
> # Set up the external network addresses. Leave as "any" in most situations
> ipvar EXTERNAL_NET any
>
> Whole snort.conf:
>
> http://paste.debian.net/plain/80076
>
>
>
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
>
> e: dmitry.korzhevin at ...15907...
> m: +38 093 874 5453
> w: http://www.stidia.com