[Snort-users] Increase performance with filter or pass-rules

Edin Dizdarevic edin.dizdarevic at ...7509...
Fri Nov 21 07:57:05 EST 2003


It is probably the best way to exclude the specific traffic via the
BPF-Filters. Especially with ESP. Using BPF filters to blend out
the traffic using a specific port may make you not see if for ex.
someone is using port 443 or 22 to transport data another than SSL
and being not encrypted so you may have a chance to find something
in it.

There are few rules for SSH. An alert on then has, however never come
my way.

The ASN.1-Preprocessor has never made it to Snort 2.X I assume it has
probably become nowadays irrelevant.


Martin Olsson schrieb:

> I have a sensor that monitors a network where there's lots of
> VPN-traffic (esp).
> Esp is an encrypted protocol, so there's no point that snort looks
> for plaintext data within these packets.
> Can snort make a pass-rule for the esp protocol, or does it only
> support ip, udp, tcp and icmp?
> Related question: Is it a bad thing to use a bpf filter to exclude
> esp? Is it bad to filter out all tcp/22 and tcp/443 and other
> encrypted protocols?
> /Martin

Edin Dizdarevic

More information about the Snort-users mailing list