[Snort-users] Increase performance with filter or pass-rules

SRH-Lists giermo at ...8381...
Fri Nov 21 07:35:11 EST 2003


> I have a sensor that monitors a network where there's lots of 
> VPN-traffic (esp).
> 
> Esp is an encrypted protocol, so there's no point that snort looks for
> plaintext data within these packets.
> 
> Can snort make a pass-rule for the esp protocol, or does it only support
> ip, udp, tcp and icmp?
> 
> 
> Related question:
> Is it a bad thing to use a bpf filter to exclude esp?
> Is it bad to filter out all tcp/22 and tcp/443 and other encrypted
> protocols?
> 
> /Martin

Short Answer:  Use a bpf.

Longer answer:  Just because the data in a protocol is encrypted doesn't
mean that snort can't detect "bad things".
Witness the several SSH exploits that snort can detect.

-steve
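As an added illustration of the "use a bpf" answer (this is not code from the thread or from the Snort project), the script below builds a BPF expression that drops ESP (IP protocol 50) and the encrypted TCP ports named in the question, writes it to a file that Snort can load with its `-F <bpf file>` option, and compiles the expression with tcpdump when tcpdump is installed. The function names, the interface name and the file paths are assumptions.

```shell
#!/bin/sh
# Build a BPF expression excluding ESP and a list of encrypted TCP ports.
# Helper names, paths and interface below are hypothetical.

# build_bpf_filter PROTO_NUMBER [PORT ...]
# Emits e.g.: not ip proto 50 and not (tcp port 22 or tcp port 443)
build_bpf_filter() {
    proto="$1"; shift
    expr="not ip proto $proto"
    ports=""
    for p in "$@"; do
        if [ -z "$ports" ]; then
            ports="tcp port $p"
        else
            ports="$ports or tcp port $p"
        fi
    done
    if [ -n "$ports" ]; then
        expr="$expr and not ($ports)"
    fi
    printf '%s\n' "$expr"
}

# write_bpf_file FILE PROTO_NUMBER [PORT ...]
# Saves the expression so it can be handed to snort with -F FILE.
write_bpf_file() {
    file="$1"; shift
    build_bpf_filter "$@" > "$file"
}

# check_bpf_syntax EXPR
# Compiles the expression with tcpdump (-d dumps the compiled filter,
# -y EN10MB supplies a link type so no interface is opened).
# Returns 0 when it compiles, or when tcpdump is not installed.
check_bpf_syntax() {
    if command -v tcpdump >/dev/null 2>&1; then
        tcpdump -d -y EN10MB "$1" >/dev/null 2>&1
    fi
}

# Usage: ESP is IP protocol 50; ports 22 and 443 are the ones from the question.
filter=$(build_bpf_filter 50 22 443)
echo "BPF filter: $filter"
bpf_file="${TMPDIR:-/tmp}/snort-exclude.bpf"
write_bpf_file "$bpf_file" 50 22 443
if check_bpf_syntax "$filter"; then
    echo "filter compiles (or tcpdump is not installed)"
else
    echo "tcpdump rejected the filter" >&2
fi
# Start snort with the filter file (config path and interface assumed):
#   snort -c /etc/snort/snort.conf -i eth0 -F "$bpf_file"
```

Excluding ESP at the BPF layer costs nothing in detection, since Snort has no plaintext to inspect there. Excluding tcp/22 and tcp/443 is the trade-off Steve warns about: the SSH signatures he mentions match on the unencrypted part of the exchange (version banners and the initial negotiation), so a port-level exclusion silently disables them.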
