[Snort-sigs] RE: IPSec and IDS

Coochey, Giles g.coochey at ...138...
Sat Aug 10 08:09:01 EDT 2002

> From: Coretez Giovanni [mailto:coretez at ...743...]
> Sent: 09 August 2002 16:44
> To: focus-ids at ...744...
> Subject: RE: IPSec and IDS
> First, because IPSEC 2401 is type oriented (IP Type 50), Snort and other
> TCP/UDP/ICMP oriented IDS will not even see the traffic.  They will only
> see the key exchanges (the UDP 500).  So if a hacker is using this instead
> of ssh he may be able to keep his traffic extremely hidden from IDS
> monitoring.

Draft Custom Snort Signature Ruleset for IPsec/ISAKMP:

pass ip $VPN_SERVER any -> any any (msg:"ESP from VPN server is
pass ip any any -> $VPN_SERVER any (msg:"ESP to VPN server is
alert ip !$HOME_NET any -> $HOME_NET any (msg:"ESP traffic
alert udp !$VPN_SERVER any -> !$VPN_SERVER 500 (msg:"ISAKMP Key

Ensure you have esp defined in /etc/protocols. Your source and destination
criteria may vary depending on your policy.

As IPsec is usually gateway-gateway or gateway-system it's actually quite
easy to check for un-authorised IPsec traffic on networks with snort, when
the policy dictates for it.

However, I'm not certain, but those rules may be particularly processor
intensive for snort, although I've heard that it still performs reasonable
under those conditions. I have not tested them as yet, but I imagine they
should work.


Giles Coochey

More information about the Snort-sigs mailing list