[Snort-users] Detecting IPSEC traffic?
Ralf.Hildebrandt at ...3909...
Tue Nov 20 04:51:04 EST 2001
On Tue, Nov 20, 2001 at 07:05:35AM -0500, Zarathustra Ubermensch wrote:
> Is there any way to detect IPSEC ESP traffic (protocol 50) with snort? I
> know I can pick up some of this communication by looking for IKE traffic on
> udp/500, but not all IPSEC traffic uses IKE.
According to the docs:
The next field in a rule is the protocol. There are four Protocols that
Snort currently analyzes for suspicious behavior - tcp, udp, icmp, and ip.
In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc.
Ralf Hildebrandt Tel. +49 (0)30-450 570-155
Fax. +49 (0)30-450 570-916
If Bill Gates had a dime for every time a Windows box crashed...
...Oh, wait a minute, he already does.
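The check discussed in this thread, as an added example that is not part of the original post: classifying raw IPv4 packets by the header fields an `ip`-protocol rule would key on (protocol 50 for ESP, udp/500 for IKE). It assumes packets start at the IPv4 header with no link-layer framing; the addresses, SPI and payloads are constructed.

```python
import struct

ESP, UDP, IKE_PORT = 50, 17, 500   # protocol 50 and udp/500 as named in the thread

def ipv4(proto, payload, options=b"", frag_off=0):
    """Build a constructed IPv4 packet (checksum left at zero) for the samples."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, frag_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + options + payload

def classify(pkt):
    """Label a raw IPv4 packet 'esp', 'ike', 'other' or 'malformed'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4       # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] == ESP:               # protocol field of the IP header
        return "esp"
    # Only the first fragment carries the UDP header; later ones have no ports.
    if pkt[9] == UDP and frag_off == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "ike"
    return "other"

def esp_spi_seq(pkt):
    """Return the cleartext (SPI, sequence number) from an ESP packet's first fragment."""
    if classify(pkt) != "esp":
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF or len(pkt) < ihl + 8:
        return None
    return struct.unpack("!II", pkt[ihl:ihl + 8])

# Constructed sample packets (documentation addresses, made-up SPI).
ESP_PKT = ipv4(ESP, struct.pack("!II", 0x1234ABCD, 7) + bytes(16))
ESP_OPT = ipv4(ESP, struct.pack("!II", 0x1234ABCD, 8) + bytes(16), options=b"\x01" * 4)
IKE_PKT = ipv4(UDP, struct.pack("!HHHH", 500, 500, 12, 0) + b"abcd")
DNS_PKT = ipv4(UDP, struct.pack("!HHHH", 40000, 53, 12, 0) + b"abcd")
LATE_FRAG = ipv4(UDP, struct.pack("!HH", 500, 500) + bytes(8), frag_off=185)

if __name__ == "__main__":
    for name in ("ESP_PKT", "ESP_OPT", "IKE_PKT", "DNS_PKT", "LATE_FRAG"):
        print(name, classify(globals()[name]), esp_spi_seq(globals()[name]))
```

The ESP payload is encrypted, but the SPI and sequence number stay readable, so a sensor can still distinguish security associations and count packets per tunnel.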