[Snort-users] VPN traffic

Eric Hacker hacker at ...251...
Fri Aug 4 08:20:06 EDT 2000


The various VPN technologies use different ports and protocols.
IPSec uses Protocols 50 and 51 for ESP and AH. I might have even
gotten them in the right order, but don't count on it. ;-)

Snort currently does not examine or record these protocols. If you
really need to capture all traffic, then TCPDump (.org) or
Ethereal (.com, but free) would do the trick. Though, since the
traffic is encrypted, one can't do payload analysis on it anyway.

If you are worried about people trying to attack these boxes, then
monitoring with your current filters and observing the application
logs should be sufficient.

Eric Hacker
Network Systems Engineer, Security Practice
Lucent Technologies NetworkCare Professional Services
"Long gone are the days when one's surname referred to the role
one had in the community."

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bob
Sent: Tuesday, August 01, 2000 5:20 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] VPN traffic

I'm running a test of some VPN boxes from www.netscreen.com

I want to monitor all/any traffic going to/from these boxes,
so I added rules:

alert UDP any -> any any (msg: "NS10 Outbound
Traffic"; )
alert UDP any any -> any (msg: "NS10 Inbound
Traffic"; )

alert TCP any -> any any (msg: "NS10 Outbound
Traffic"; )
alert TCP any any -> any (msg: "NS10 Inbound
Traffic"; )

alert ICMP any -> any any (msg: "NS10 Outbound
Traffic"; )
alert ICMP any any -> any (msg: "NS10 Inbound
Traffic"; )

Two questions:

 - Is there a way to say "any" for the protocol?

 - The VPN traffic is not logged, what protocol does it use?

><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...

Snort-users mailing list
Snort-users at lists.sourceforge.net

More information about the Snort-users mailing list