[Snort-users] Re: VPN

Tom Vandepoel Tom.Vandepoel at ...271...
Mon Aug 7 11:33:51 EDT 2000

Eric Hacker wrote:
> Bob,
> The various VPN technologies use different ports and protocols.
> IPSec uses Protocols 50 and 51 for ESP and AH. I might have even
> gotten them in the right order, but don't count on it. ;-)
> Snort currently does not examine or record these protocols. If you
> really need to capture all traffic, then TCPDump (.org) or
> Ethereal (.com, but free) would do the trick. Though, since the
> traffic is encrypted, one can't do payload analysis on it anyway.
> If you are worried about people trying to attack these boxes, then
> monitoring with your current filters and observing the application
> logs should be sufficient.

Hmmm. But it still might be worthwhile to flag things like ISAKMP
with hosts that are not known VPN peers. I'm seeing a lot of stuff like
that lately and I'm not sure if it's hostile or not...
Also, given the recently publicized weaknesses in fw-1, it would be
interesting to alert on FWZ traffic on a network that isn't using FWZ.



Tom Vandepoel
Sr. Network Security Engineer

tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00 
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
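The idea in Tom's reply, flagging ISAKMP (and ESP/AH, the protocols Eric mentions) when the other endpoint is not a known VPN peer, is simple enough to express as a small detector. The following is an added example, not code from the thread or from the Snort project. It runs over constructed flow summaries (one line per flow: source IP, destination IP, IP protocol number, source port, destination port); the peer list, the gateway address and every sample line are constructed for illustration. ESP is IP protocol 50 and AH is 51 (IANA assignments), and IKE/ISAKMP runs on UDP port 500. FWZ is left out because matching it would need its own protocol and port values, which the thread does not give.

```python
"""Flag IKE/IPsec traffic whose peer is not in an allow-list of known VPN hosts.

Added example (not from the original thread). Input is a constructed
flow-summary text, one flow per line:
    <src_ip> <dst_ip> <ip_proto> <src_port> <dst_port>
"""
import ipaddress

ISAKMP_PORT = 500   # IKE/ISAKMP negotiation runs over UDP 500
PROTO_UDP = 17
PROTO_ESP = 50      # IP protocol 50 = ESP (IANA)
PROTO_AH = 51       # IP protocol 51 = AH (IANA)

# Constructed: remote hosts we expect to exchange VPN traffic with.
KNOWN_PEERS = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("198.51.100.7"),
}

# Constructed sample flows; 192.0.2.1 plays the role of our VPN gateway.
SAMPLE_FLOWS = """\
203.0.113.10 192.0.2.1 17 500 500
192.0.2.99 192.0.2.1 17 500 500
198.51.100.7 192.0.2.1 50 0 0
192.0.2.200 192.0.2.1 51 0 0
192.0.2.5 192.0.2.1 6 40000 80
"""


def parse_flow(line):
    """Parse one whitespace-separated flow line into a dict."""
    src, dst, proto, sport, dport = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": int(proto),
        "sport": int(sport),
        "dport": int(dport),
    }


def classify(flow):
    """Return 'ISAKMP', 'ESP' or 'AH' for VPN-related flows, else None."""
    if flow["proto"] == PROTO_UDP and ISAKMP_PORT in (flow["sport"], flow["dport"]):
        return "ISAKMP"
    if flow["proto"] == PROTO_ESP:
        return "ESP"
    if flow["proto"] == PROTO_AH:
        return "AH"
    return None


def find_unexpected(text, known_peers=KNOWN_PEERS):
    """Return (label, src, dst) for every VPN-related flow with no known peer.

    A flow is considered expected when either endpoint is in the peer list;
    everything else that looks like IKE or IPsec is reported.
    """
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label is None:
            continue
        if flow["src"] in known_peers or flow["dst"] in known_peers:
            continue
        alerts.append((label, str(flow["src"]), str(flow["dst"])))
    return alerts


if __name__ == "__main__":
    for label, src, dst in find_unexpected(SAMPLE_FLOWS):
        print(f"unexpected {label} traffic {src} -> {dst}")
```

On the constructed sample this reports the ISAKMP exchange from 192.0.2.99 and the AH traffic from 192.0.2.200, while the flows involving the two listed peers and the ordinary HTTP flow pass silently. The same allow-list logic is what a Snort rule with a negated peer variable in the source field would express for the UDP 500 case; ESP and AH would still need a capture tool that records those protocols, as Eric notes.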