[Snort-users] Snort and OpenVPN

Dmitry Korzhevin dmitry.korzhevin at ...15907...
Tue Feb 4 08:22:53 EST 2014


Hi,

I will answer, as I am the topic starter ;)

I use Snort Version 2.9.5.6 GRE (Build 208) on Debian 6 x86_64

Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7

Sample output of snort -dev -i tun0:

http://dpaste.com/1585135/

And output with -k none:

http://dpaste.com/1585136/



04.02.2014 15:07, rmkml wrote:
> Hi Kevin,
>
> What snort version do you use, please?
>
> What's the output when you run snort with: snort -dev -i tun0 ?
>
> Could you test by adding "-k none" on the snort cmd line, please?
>
> Regards
> @Rmkml
>
>
>
> On Tue, 4 Feb 2014, Dmitry Korzhevin wrote:
>
>> Hi, Kevin
>>
>> This is the same server. So, snort and openvpn (server part) are installed
>> at once. When I run snort like:
>>
>> 'snort -dev -i tun0' I see unencrypted traffic, because this server is the
>> endpoint of openvpn and users' internal IPs are from the openvpn subnet. But,
>> with the current config I can't see any info from openvpn interfaces (tun*)
>> in my database/web frontend, snorby.
>>
>> Seems something is wrong with my config (snort.conf)...
>>
>>
>>
>> 04.02.2014 14:44, Kevin Ross wrote:
>>> Without knowing your setup I imagine you are trying to have snort
>>> inspect encrypted VPN traffic, which it cannot do. I would suggest
>>> placing Snort to detect traffic on interfaces that the traffic must pass
>>> through when on your internal network and it is unencrypted (i.e. in a
>>> typical enterprise deployment this would be somewhere behind the VPN
>>> concentrator before it is encrypted or after it is decrypted).
>>>
>>> Regards,
>>> Kevin
>>>
>>>
>>> On 4 February 2014 10:27, Dmitry Korzhevin <dmitry.korzhevin at ...15907...> wrote:
>>>
>>>     Hi, please advise: what did I do wrong with the configuration of my snort
>>>     install? I can't see any openvpn traffic with my current snort
>>>     config, though I can see regular traffic, pptp, ipsec.
>>>
>>>     Snort is installed on one server together with openvpn; openvpn has 3
>>>     interfaces: tun0, tun1, tun2.
>>>
>>>     If I run snort manually and use tun* as the parameter for interface, it
>>>     works, and I can see traffic in the console.
>>>
>>>     i.e.:  snort -dev -i tun0
>>>
>>>     Maybe some problems with the configuration of interfaces?
>>>
>>>     My current config:
>>>
>>>     # Setup the network addresses you are protecting
>>>     ipvar HOME_NET any
>>>
>>>     # Set up the external network addresses. Leave as "any" in most
>>>     situations
>>>     ipvar EXTERNAL_NET any
>>>
>>>     Whole snort.conf:
>>>
>>>     http://paste.debian.net/plain/80076
>>>
>>>
>>>
>>>
>>>     Best Regards,
>>>     Dmitry
>>>
>>>
>>>
>>>
>>>
>>
>> Best Regards,
>> Dmitry
>>
>>
>>

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin at ...15907...
m: +38 093 874 5453
w: http://www.stidia.com

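As an added illustration (not code from the thread or from the Snort project) of why rmkml asks for a run with "-k none": a tun device hands Snort raw IP packets with no Ethernet header, and in its default checksum mode (-k all) Snort skips detection on any packet whose IP header checksum fails, which "-k none" (or "-k noip") switches off. The script below builds two constructed sample packets on an assumed OpenVPN-style 10.8.0.0 subnet, one with a valid checksum and one with it zeroed, and shows which of them would reach detection under each mode.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    with the checksum field itself (bytes 10-11) treated as zero."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"",
               checksum=None) -> bytes:
    """Build a minimal raw IPv4 packet (no Ethernet header, as delivered by a tun
    device). checksum=None stores the correct value; anything else is stored as-is."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr) if checksum is None else checksum
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def parse_raw_ip(pkt: bytes) -> dict:
    """Parse the IPv4 header of a raw (DLT_RAW) packet and verify its checksum."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hdr = pkt[:(pkt[0] & 0x0F) * 4]
    stored = struct.unpack("!H", hdr[10:12])[0]
    computed = ipv4_checksum(hdr)
    return {"src": ".".join(str(b) for b in hdr[12:16]),
            "dst": ".".join(str(b) for b in hdr[16:20]),
            "proto": hdr[9], "stored_csum": stored,
            "computed_csum": computed, "csum_ok": stored == computed}

def snort_would_inspect(pkt: bytes, checksum_mode: str = "all") -> bool:
    """Snort's default (-k all) verifies checksums and skips detection on packets
    that fail; -k none (or -k noip) turns the IP check off so they are inspected."""
    if checksum_mode in ("none", "noip"):
        return True
    return parse_raw_ip(pkt)["csum_ok"]

# Constructed sample packets on an assumed OpenVPN-style tun subnet (not from the thread)
GOOD_PKT = build_ipv4("10.8.0.2", "10.8.0.1", 17)                  # UDP, valid checksum
BAD_PKT = build_ipv4("10.8.0.2", "10.8.0.1", 17, checksum=0x0000)  # checksum zeroed
```

If packets captured on tun0 with "snort -dev -i tun0" parse as csum_ok but still never reach snorby, the checksum mode is not the problem and the snort.conf interface/output settings are the next thing to check.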