[Snort-users] Detecting IPSEC traffic?

Brian bmc at ...950...
Tue Nov 20 05:08:06 EST 2001


According to Zarathustra Ubermensch:
> Is there any way to detect IPSEC ESP traffic (protocol 50) with snort? I 
> know I can pick up some of this communication by looking for IKE traffic on 
> udp/500, but not all IPSEC traffic uses IKE.
> 
> I basically just want to check for any IPSEC activity and don't really care 
> about packet decodes. I'm interested in seeing who is attempting 
> communication to certain resources on my LAN.

alert ip any any <> any any (msg:"IPSEC TRAFFIC"; ip_proto:50;)

-brian
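
Added example (not part of the original post, and not Snort's own code): the per-packet test that ip_proto:50 amounts to, written in Python over constructed IPv4 packets, reporting who is talking to whom. It goes one step past the rule by also reading the SPI and sequence number from the ESP header; the names esp_info and ipv4, the addresses and the SPI values are all made up for illustration.

```python
import socket
import struct

ESP = 50  # IP protocol number that the rule's ip_proto:50 option matches

def esp_info(packet: bytes):
    """Return (src, dst, spi, seq) for an IPv4 ESP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                        # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # header length; IP options make it > 20
    if ihl < 20 or len(packet) < ihl:
        return None
    if packet[9] != ESP:                   # protocol field sits at byte offset 9
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    frag_off = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_off or len(packet) < ihl + 8:
        return (src, dst, None, None)      # no usable ESP header, still report hosts
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return (src, dst, spi, seq)

def ipv4(proto, src, dst, payload, options=b""):
    """Build a constructed IPv4 packet (checksum left at 0) for the samples."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      ihl * 4 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload

# Constructed sample traffic: documentation address ranges, invented SPIs.
ESP_PKT = ipv4(50, "192.0.2.10", "198.51.100.5",
               struct.pack("!II", 0x1000, 7) + b"\x00" * 16)
ESP_OPT = ipv4(50, "192.0.2.11", "198.51.100.5",
               struct.pack("!II", 0x2000, 1), options=b"\x01\x01\x01\x01")
IKE_PKT = ipv4(17, "192.0.2.10", "198.51.100.5",
               struct.pack("!HHHH", 500, 500, 8, 0))  # UDP 500 -> 500, not ESP

if __name__ == "__main__":
    for name, pkt in (("esp", ESP_PKT), ("esp+options", ESP_OPT),
                      ("ike", IKE_PKT)):
        print(name, esp_info(pkt))
```

The IKE sample on udp/500 returns None here, which is the gap the question describes: a check on udp/500 and a check on protocol 50 see different packets.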




