Re: Snort and OpenVPN

[Dmitry Korzhevin <dmitry.korzhevin () stidia com>]

Hi, Kevin

This is same server. So, snort and openvpn(server part) is installed at 
once. When i run snort like:

'snort -dev -i tun0' i see unencrypted traffic, because this server is 
endpoint of openvpn and users internal ip's fomr openvpn subnet. But, 
with current config i can't see any info from openvpn intefaces (tun*) 
in my database/web frontend - snorby.

Seems something wrong with my config (snort.conf)..



04.02.2014 14:44, Kevin Ross пишет:
> Without knowing your setup I imagine you are trying to have snort
> inspect encrypted VPN traffic which it cannot do. I would suggest
> playing Snort to detect traffic on interfaces that the traffic must pass
> through when on your internal network and it is unencrypted (i.e in a
> typical enterprise deployment this would be somewhere behind the VPN
> concentrator before it is encrypted or after it is decrypted).
>
> Regards,
> Kevin
>
>
> On 4 February 2014 10:27, Dmitry Korzhevin <dmitry.korzhevin () stidia com
> <mailto:dmitry.korzhevin () stidia com>> wrote:
>
>     Hi, Please, advice - what i did wrong with configuration of my snort
>     install - i can't see any openvpn traffic with my current snort
>     config, thru i can see regular traffic, pptp, ipsec.
>
>     Snort installed on one server together with openvpn, openvpn has 3
>     interfaces: tun0, tun1, tun2.
>
>     If i run snort manually and use tun* as parameter for interface - it
>     works, and i can see traffic in console.
>
>     i.e.:  snort -dev -i tun0
>
>     Maby some problems with configuration of interfaces?
>
>     My current config:
>
>     # Setup the network addresses you are protecting
>     ipvar HOME_NET any
>
>     # Set up the external network addresses. Leave as "any" in most
>     situations
>     ipvar EXTERNAL_NET any
>
>     Whole snort.conf:
>
>     http://paste.debian.net/plain/__80076
>     <http://paste.debian.net/plain/80076>
>
>
>
>
>     Best Regards,
>     Dmitry
>
>     ---
>     Dmitry KORZHEVIN
>     System Administrator
>     STIDIA S.A. - Luxembourg
>
>     e: dmitry.korzhevin () stidia com <mailto:dmitry.korzhevin () stidia com>
>     m: +38 093 874 5453 <tel:%2B38%20093%20874%205453>
>     w: http://www.stidia.com
>
>
>     ------------------------------------------------------------------------------
>     Managing the Performance of Cloud-Based Applications
>     Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>     Read the Whitepaper.
>     http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>     Please visit http://blog.snort.org to stay current on all the latest
>     Snort news!

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com

Attachment: smime.p7s
Description: Криптографическая подпись S/MIME

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!