[Snort-users] Re: VPN
Tom.Vandepoel at ...271...
Mon Aug 7 11:33:51 EDT 2000
Eric Hacker wrote:
> The various VPN technologies use different ports and protocols.
> IPSec uses Protocols 50 and 51 for ESP and AH. I might have even
> gotten them in the right order, but don't count on it. ;-)
> Snort currently does not examine or record these protocols. If you
> really need to capture all traffic, then TCPDump (.org) or
> Ethereal (.com, but free) would do the trick. Though, since the
> traffic is encrypted, one can't do payload analysis on it anyway.
> If you are worried about people trying to attack these boxes, then
> monitoring with your current filters and observing the application
> logs should be sufficient.
Hmmm. But it still might be worthwhile being able to flag things like ISAKMP
with hosts that are not known VPN peers. I'm seeing a lot of stuff like
that lately and I'm not sure if it's hostile or not...
Also, given the recently publicized weaknesses in fw-1, it would be
interesting to alert on FWZ traffic on a network that isn't using FWZ
Sr. Network Security Engineer
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
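
The check suggested in the reply above (flag ISAKMP with hosts that are not known VPN peers), as an added example that is not code from this thread or from Snort. It also covers ESP and AH (IP protocols 50 and 51), and assumes flow records of the form (src, dst, IP protocol, source port, destination port) taken from a capture tool; the peer list, HOME_NET and all addresses are constructed.

```python
import ipaddress

# Assumed site configuration (constructed values, not from the thread).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
KNOWN_VPN_PEERS = [ipaddress.ip_network(n)
                   for n in ("198.51.100.10/32", "203.0.113.0/28")]

UDP = 17
ISAKMP_PORT = 500                    # ISAKMP/IKE runs over UDP port 500
IPSEC_PROTOS = {50: "ESP", 51: "AH"}

def classify(proto, sport, dport):
    """Return 'ISAKMP', 'ESP' or 'AH' for VPN-related traffic, else None."""
    if proto == UDP and ISAKMP_PORT in (sport, dport):
        return "ISAKMP"
    return IPSEC_PROTOS.get(proto)

def is_known_peer(addr):
    return any(addr in net for net in KNOWN_VPN_PEERS)

def unexpected_vpn_traffic(flows):
    """Return (kind, src, dst) for VPN traffic whose remote end is not a known peer."""
    alerts = []
    for src, dst, proto, sport, dport in flows:
        kind = classify(proto, sport, dport)
        if kind is None:
            continue
        # The remote end is whichever address lies outside HOME_NET.
        # Purely internal flows have no remote end and are not flagged.
        remotes = [a for a in (ipaddress.ip_address(src), ipaddress.ip_address(dst))
                   if a not in HOME_NET]
        if any(not is_known_peer(a) for a in remotes):
            alerts.append((kind, src, dst))
    return alerts

# Constructed sample flows: (src, dst, ip_proto, sport, dport)
SAMPLE_FLOWS = [
    ("198.51.100.10", "192.0.2.1", 17, 500, 500),   # ISAKMP, known peer
    ("203.0.113.77", "192.0.2.1", 17, 500, 500),    # ISAKMP, unknown host
    ("192.0.2.1", "203.0.113.5", 50, 0, 0),         # ESP to known peer
    ("203.0.113.200", "192.0.2.1", 51, 0, 0),       # AH from unknown host
    ("203.0.113.77", "192.0.2.80", 6, 40000, 80),   # plain TCP, not VPN
    ("192.0.2.5", "203.0.113.99", 17, 500, 500),    # outbound ISAKMP, unknown host
]

if __name__ == "__main__":
    for kind, src, dst in unexpected_vpn_traffic(SAMPLE_FLOWS):
        print(f"{kind} with non-peer host: {src} -> {dst}")
```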