[Snort-users] Increase performance with filter or pass-rules

Martin Olsson elof at ...6680...
Fri Nov 21 06:50:11 EST 2003

I have a sensor that monitors a network where there's lots of VPN-traffic (esp).

Esp is an encrypted protocol, so there's no point that snort looks for
plaintext data within these packets.

Can snort make a pass-rule for the esp protocol, or does it only support
ip, udp, tcp and icmp?

Related question:
Is it a bad thing to use a bpf filter to exclude esp?
Is it bad to filter out all tcp/22 and tcp/443 and other encrypted


More information about the Snort-users mailing list