[Snort-users] Snort with IPSec

Matt Kettler mkettler at ...4108...
Tue Nov 4 11:46:07 EST 2003

At 12:11 PM 11/4/2003, Josh Berry wrote:
>Are there any plugins for Snort, or is there any way with Snort, to
>decrypt IPSec traffic and then analyze for malicious traffic (given that
>snort has the key to decrypt with)?  Is there any reason this would be

Well, in IPSec the key is usually based on a DH exchange and is rekeyed 
every so often... Well, any ipsec that wasn't implemented very poorly is 
done that way.

  Having the DH keys can make it possible to deduce the encryption key 
based on the key exchange, but you have to actually observer the ISAKMP 
exchange to know it, you won't be able to "hop into the middle" and figure 
it out.

If you've got an ipsec setup that uses a hard-coded encryption key for the 
ESP layer which never changes, it is theoretically possible to decrypt and 
snort the traffic at pretty much any point in the stream. However, this 
kind of ipsec setup is fairly low security (you'll eventually hit an IV 
rollover, and that makes cryptanalysis by an attacker much easier. Read the 
papers on WEP attacks to get some idea of what happens when the IV rolls over)

However, I don't know of any plugins that are intended to help snort 
decrypt ipsec.

You might be able to make your snort box into an ipsec gateway, and have 
the ipsec tunnels terminate at it, instead of merely pass through it. I'm 
not sure how ipsec works on *bsd or free s/wan, but it might do a 
conversion to an ethernet type interface post-decode which could then be 

More information about the Snort-users mailing list