[Snort-users] Detecting IPSEC traffic?

Ralf Hildebrandt Ralf.Hildebrandt at ...3909...
Tue Nov 20 04:51:04 EST 2001


On Tue, Nov 20, 2001 at 07:05:35AM -0500, Zarathustra Ubermensch wrote:

> Is there any way to detect IPSEC ESP traffic (protocol 50) with snort? I 
> know I can pick up some of this communication by looking for IKE traffic on 
> udp/500, but not all IPSEC traffic uses IKE.

Yup.
According to the docs:

2.2.2  Protocols
 
The next field in a rule is the protocol. There are four Protocols that
Snort currently analyzes for suspicious behavior - tcp, udp, icmp, and ip.
In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc. 

-- 
Ralf Hildebrandt                            Tel.  +49 (0)30-450 570-155
                                            Fax.  +49 (0)30-450 570-916
If Bill Gates had a dime for every time a Windows box crashed...
                ...Oh, wait a minute, he already does.
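
Added example, not part of the original message or of the Snort documentation it quotes: rules that use the `ip` protocol from the excerpt above to flag ESP by IP protocol number, next to the IKE check on udp/500 mentioned in the question. It assumes a Snort release that supports the `ip_proto` rule option; the `sid` values are placeholders from the local-rules range, and the AH rule (IP protocol 51) goes beyond the question as asked.

```snort
# ESP has no ports, so match on the IP header's protocol field (50)
# using the generic "ip" rule protocol.
alert ip any any -> any any (msg:"IPsec ESP traffic, IP protocol 50"; ip_proto:50; sid:1000001; rev:1;)

# AH is the other IPsec protocol carried directly over IP (protocol 51).
alert ip any any -> any any (msg:"IPsec AH traffic, IP protocol 51"; ip_proto:51; sid:1000002; rev:1;)

# IKE key negotiation on udp/500; this only sees tunnels that negotiate
# keys with IKE, which is why the protocol-number rules above are needed.
alert udp any any -> any 500 (msg:"IKE negotiation on udp/500"; sid:1000003; rev:1;)
```

These rules fire on every matching packet, so on a network with legitimate VPN traffic the `any` addresses would normally be narrowed to the segments where IPsec is not expected.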




