Snort on IKEv2 IPsec Interface ( enc0 )


  • Galactic Empire

    Is it possible to get Snort to see the the IKEv2 IPsec interface ( enc0 ), there's probaly a very good reason why you can't :)

    2018-04-16

    21:08:08 1 TCP Potential Corporate Privacy Violation 216.239.32.21 443 WAN-IP 32926 1:2025330

    ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)

    I can see the above alert / block on the WAN interface but that doesn't give me the VPN client IP address when I try and browse https://www.ipinfo.io/ from my iDevice when vpnd in over 4G.

    From the LAN it's fine.

    2018-04-16

    21:15:25 1 TCP Potential Corporate Privacy Violation 216.239.38.21 n443 172.16.2.20 65487 1:2025330

    ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)



  • Remember that when running on the WAN interface, Snort is seeing packets before the NAT is "undone".  This means Snort sees only your WAN IP for any host that is local.  With a VPN, looking from the Internet side, everything is coming and going via your WAN IP (meaning your WAN IP is the SRC/DST for the packets with your VPN traffic embedded).  Once past Snort and into the pf firewall, then NAT is undone and VPN rules are applied.  But Snort can't see the traffic then.

    On the LAN side, Snort sees traffic before NAT is applied (for outbound traffic) and after NAT is removed (for inbound traffic), so it can see the actual local host IP address be that on the LAN or VPN.

    Bill


  • Galactic Empire

    Thanks for the prompt reply Bill :)

    I mentioned the enc0 interface as you can do a packet capture and see unencrypted traffic from the VPN client via tcpdump.

    [2.4.3-RELEASE][admin@pfsense.xxxxxxxxxx.net]/root: tcpdump -i enc0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
    08:38:49.508431 (authentic,confidential): SPI 0xcb4900c7: IP 172.16.9.3.62644 > pfsense.xxxxxxxxxx.net.domain: 62+ A? www.apple.com. (31)
    08:38:49.508533 (authentic,confidential): SPI 0xcb4900c7: IP 172.16.9.3.55246 > pfsense.xxxxxxxxxx.net.domain: 48200+ A? apple.com. (27)
    08:38:49.508604 (authentic,confidential): SPI 0xcb4900c7: IP 172.16.9.3.61700 > pfsense.xxxxxxxxxx.net.domain: 60069+ A? gateway.icloud.com. (36)
    08:38:49.508671 (authentic,confidential): SPI 0xcb4900c7: IP 172.16.9.3.59659 > pfsense.xxxxxxxxxx.net.domain: 32698+ A? www.icloud.com. (32)
    08:38:49.508730 (authentic,confidential): SPI 0x0db585ec: IP pfsense.xxxxxxxxxx.net.domain > 172.16.9.3.55246: 48200 3/8/12 A 17.172.224.47, A 17.178.96.59, A 17.142.160.59 (460)
    08:38:49.509125 (authentic,confidential): SPI 0x0db585ec: IP pfsense.xxxxxxxxxx.net.domain > 172.16.9.3.61700: 60069 9/4/0 CNAME gateway.fe.apple-dns.net., A 17.248.144.180, A 17.248.144.89, A 17.248.144.49, A 17.248.144.86, A 17.248.144.152, A 17.248.144.85, A 17.248.144.91, A 17.248.144.92 (336)
    08:38:49.516628 (authentic,confidential): SPI 0xcb4900c7: IP 172.16.9.3.61275 > pfsense.xxxxxxxxxx.net.domain: 40342+ A? metrics.icloud.com. (36)
    

    172.16.9.3  = my iPhone

    https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4&manpath=FreeBSD+7.1-RELEASE

    I just wonder if snort was to enumerate enc0 as a valid interface I'd be able to alert / block IP addresses handed out to my IKEv2 clients.