[Snort-users] Increase performance with filter or pass-rules
giermo at ...8381...
Fri Nov 21 07:35:11 EST 2003
> I have a sensor that monitors a network where there's lots of
> VPN-traffic (esp).
> Esp is an encrypted protocol, so there's no point that snort looks for
> plaintext data within these packets.
> Can snort make a pass-rule for the esp protocol, or does it only support
> ip, udp, tcp and icmp?
> Related question:
> Is it a bad thing to use a bpf filter to exclude esp?
> Is it bad to filter out all tcp/22 and tcp/443 and other encrypted
Short Answer: Use a bpf.
Longer answer: Just because the data in a protocol is encrypted doesn't
mean that snort can't detect "bad things".
Witness the several SSH exploits that snort can detect.
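As an added illustration (not part of the original thread), here is the decision the suggested BPF filter makes, written out in Python: the equivalent of the expression `not ip proto 50` (ESP is IP protocol 50), applied to constructed sample packets. Packet contents, addresses and SPI are made up; with Snort itself the expression would go on the command line rather than into code like this.

```python
import struct

IPPROTO_ESP = 50   # IP protocol number for ESP (RFC 4303)
IPPROTO_TCP = 6


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte header with the checksum field zeroed."""
    total = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, payload: bytes,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample packet: minimal IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ip_protocol(packet: bytes):
    """Return the IPv4 Protocol field (header byte 9), or None if not IPv4 / truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    return packet[9]


def passes_bpf_not_esp(packet: bytes) -> bool:
    """Decision of 'not ip proto 50': True means the packet still reaches Snort's detection engine.
    Non-IPv4 packets also pass, exactly as the BPF expression behaves."""
    return ip_protocol(packet) != IPPROTO_ESP


def inspected(packets):
    """Subset of packets Snort would still inspect under the filter."""
    return [p for p in packets if passes_bpf_not_esp(p)]


# Constructed samples: an ESP packet (SPI, sequence number, opaque ciphertext),
# a TCP SYN to port 22, and a non-IP payload (ARP-like, version nibble is 0).
ESP_PACKET = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x0000ABCD, 1) + b"\x9f" * 24)
TCP_PACKET = build_ipv4(IPPROTO_TCP,
                        struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0))
NON_IP = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
```

Note that this covers only native ESP (IP protocol 50); the same check would not catch ESP carried inside UDP, which the thread does not discuss.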