[Snort-users] Snort with IPSec

O'Flynn, Derek DOFlyn at ...6551...
Tue Nov 4 09:47:11 EST 2003


AFAIK not possible to do.  You could place your sensor behind the VPN device
so you could detect malicious information as it enters the network.

Derek

-----Original Message-----
From: Josh Berry [mailto:josh.berry at ...10221...] 
Sent: Tuesday, November 04, 2003 11:12 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort with IPSec

Are there any plugins for Snort, or is there any way with Snort, to
decrypt IPSec traffic and then analyze for malicious traffic (given that
snort has the key to decrypt with)?  Is there any reason this would be
impossible?

Sorry, I do not know enough about IPSec to understand whether this would
be possible or not, but it seems like it would be similar to ettercap's
ability to view SSL traffic when you have the certificate that is being
used.  If you could provide the IDS with the keys, would this be possible?


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20031104/80cb679a/attachment.html>


More information about the Snort-users mailing list