[Snort-users] Detecting IPSEC traffic?
bmc at ...950...
Tue Nov 20 05:08:06 EST 2001
According to Zarathustra Ubermensch:
> Is there any way to detect IPSEC ESP traffic (protocol 50) with snort? I
> know I can pick up some of this communication by looking for IKE traffic on
> udp/500, but not all IPSEC traffic uses IKE.
> I basically just want to check for any IPSEC activity and don't really care
> about packet decodes. I'm interested in seeing who is attempting
> communication to certain resources on my LAN
alert ip any any <> any any (msg:"IPSEC TRAFFIC"; ip_proto:50;)
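
Added example, not part of the original post: the same test that ip_proto:50 makes (the protocol field at byte 9 of the IPv4 header), done in Python on raw packets and narrowed to a watched destination range, since the question is about certain resources on the LAN. The WATCHED range, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

ESP = 50  # IP protocol number for IPsec ESP, the value ip_proto:50 matches
# Assumption: the "certain resources" to watch; documentation range, not from the post.
WATCHED = [ipaddress.ip_network("192.0.2.0/28")]


def esp_event(packet: bytes):
    """Return (src, dst, spi, seq) if packet is IPv4 ESP to a watched host, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4         # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        return None
    if packet[9] != ESP:                 # byte 9 is the IPv4 protocol field
        return None
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if not any(dst in net for net in WATCHED):
        return None
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset or len(packet) < ihl + 8:
        return (str(src), str(dst), None, None)   # ESP header not in this packet
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])  # SPI and sequence number
    return (str(src), str(dst), spi, seq)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet for the samples below (checksum left at 0)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


# Constructed sample packets, not captured traffic.
SAMPLES = [
    build_ipv4(50, "198.51.100.7", "192.0.2.5", struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),
    build_ipv4(50, "198.51.100.7", "192.0.2.5", struct.pack("!II", 0xCAFE, 9), options=b"\x01" * 4),
    build_ipv4(17, "198.51.100.7", "192.0.2.5", b"\x01\xf4\x01\xf4" + b"\x00" * 4),  # UDP/500 (IKE)
    build_ipv4(50, "198.51.100.7", "203.0.113.9", struct.pack("!II", 1, 1)),  # not watched
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(esp_event(pkt))
```

The second sample carries IP options, so the ESP header starts at the offset given by the header length field rather than at byte 20.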