[Snort-users] Snort and OpenVPN
dmitry.korzhevin at ...15907...
Tue Feb 4 08:04:21 EST 2014
This is the same server. So, snort and openvpn (server part) are installed at
once. When I run snort like:
'snort -dev -i tun0' I see unencrypted traffic, because this server is
the endpoint of openvpn, and users' internal IPs from the openvpn subnet. But
with the current config I can't see any info from the openvpn interfaces (tun*)
in my database/web frontend - snorby.
It seems something is wrong with my config (snort.conf).
04.02.2014 14:44, Kevin Ross wrote:
> Without knowing your setup I imagine you are trying to have snort
> inspect encrypted VPN traffic which it cannot do. I would suggest
> placing Snort to detect traffic on interfaces that the traffic must pass
> through when on your internal network and it is unencrypted (i.e. in a
> typical enterprise deployment this would be somewhere behind the VPN
> concentrator before it is encrypted or after it is decrypted).
> On 4 February 2014 10:27, Dmitry Korzhevin <dmitry.korzhevin at ...15907...> wrote:
> Hi, Please advise - what did I do wrong with the configuration of my snort
> install - I can't see any openvpn traffic with my current snort
> config, though I can see regular traffic, pptp, ipsec.
> Snort is installed on one server together with openvpn; openvpn has 3
> interfaces: tun0, tun1, tun2.
> If I run snort manually and use tun* as the parameter for the interface - it
> works, and I can see traffic in the console.
> i.e.: snort -dev -i tun0
> Maybe some problems with the configuration of interfaces?
> My current config:
> # Setup the network addresses you are protecting
> ipvar HOME_NET any
> # Set up the external network addresses. Leave as "any" in most
> ipvar EXTERNAL_NET any
> Whole snort.conf:
> Best Regards,
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
> e: dmitry.korzhevin at ...15907...
> m: +38 093 874 5453
> w: http://www.stidia.com
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin at ...15907...
m: +38 093 874 5453