[Snort-users] Questions: Filtering ESP & Duplicate traffic

Seth Art sethsec at ...11827...
Tue Mar 24 14:58:54 EDT 2009


1) Can anyone think of an argument against filtering out ESP and AH
(IPSEC VPN) traffic entirely by using BPF filters?  It does not look
like any current signatures detect attacks on either protocol (I could
be wrong here), and as most of you know, this traffic is encrypted.


2) Often I come across sensors that are receiving traffic (usually via
SPAN) from BOTH the inside (LAN) and outside (WAN).  In this case
snort sees *most* packets twice:  Once from the outside feed with your
WAN IP (most likely a HIDE NAT, PAT, etc), and then again from the
inside feed with an internal address (usually RFC 1918).

My question -- Aside from the additional throughput, is this actually bad?

It seems that the best solution would require two separate sensors, or
at a minimum two instances of snort running on the same hardware (one
configured for the inside and one for the outside).

But is this required?

If you configure your home net to include both your public IP range
AND your RFC 1918 range, will one instance of snort be able to
handle both feeds without an issue?


Thanks,

Seth
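The two points raised above, as an added example (editor's illustration, not code from the poster or the Snort project): a Python equivalent of the BPF exclusion for ESP/AH, and a per-source counter of the kind a Snort rule threshold with track by_src keeps, run over one constructed stream in which the same inbound packets arrive from both the outside and inside SPAN feeds. The addresses, the NAT mapping (WAN 198.51.100.10 to inside host 192.168.1.20), the signature string and the packets themselves are all constructed for the demo; the packets carry only an IPv4 header and a stand-in payload, no real TCP header. The BPF expression is given as the IPv4-only form one would put in a file for Snort 2.x's -F option.

```python
import struct
from collections import Counter

IPPROTO_ESP = 50
IPPROTO_AH = 51

# BPF expression equivalent to passes_filter() below. Assumption: IPv4 only,
# as in the post; load it into Snort 2.x with `snort -F <file>`.
BPF_NO_IPSEC = "not (ip proto 50 or ip proto 51)"

# Constructed addresses for the demo: external attacker, the firewall's
# WAN address, and the RFC 1918 host it is NATed to on the inside.
ATTACKER, WAN_IP, INSIDE_IP = "203.0.113.5", "198.51.100.10", "192.168.1.20"
SIG = b"/cgi-bin/evil"   # constructed content a hypothetical rule matches on


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_ipv4(src, dst, proto, payload=b"", ident=0):
    """Minimal 20-byte IPv4 header plus payload (constructed test packet,
    checksum left at zero; no L4 header, the payload stands in for it)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]), pkt[9], pkt[ihl:]


def passes_filter(pkt):
    """True if the packet survives BPF_NO_IPSEC (i.e. is not ESP or AH)."""
    _, _, proto, _ = parse_ipv4(pkt)
    return proto not in (IPPROTO_ESP, IPPROTO_AH)


def count_by_src(packets, signature):
    """Count signature hits per source IP, like a threshold with track by_src.
    Keyed by destination instead, the two copies of an inbound packet would
    key differently (WAN_IP vs INSIDE_IP) and not merge."""
    counts = Counter()
    for pkt in packets:
        src, _, _, payload = parse_ipv4(pkt)
        if signature in payload:
            counts[src] += 1
    return counts


def constructed_feeds(n=3):
    """n inbound attack packets as seen on the outside feed (dst = WAN IP)
    and again on the inside feed after NAT (dst = inside host), plus one
    ESP packet from a VPN peer that only the outside feed carries."""
    outside = [build_ipv4(ATTACKER, WAN_IP, 6, SIG, ident=i) for i in range(n)]
    inside = [build_ipv4(ATTACKER, INSIDE_IP, 6, SIG, ident=i) for i in range(n)]
    outside.append(build_ipv4("198.18.0.1", WAN_IP, IPPROTO_ESP, b"\x00" * 16))
    return outside, inside


def demo(n=3):
    outside, inside = constructed_feeds(n)
    merged = outside + inside                      # one SPAN carrying both sides
    kept = [p for p in merged if passes_filter(p)]  # after the ESP/AH exclusion
    return {
        "dropped_by_bpf": len(merged) - len(kept),
        "outside_only": count_by_src(outside, SIG)[ATTACKER],
        "merged": count_by_src(kept, SIG)[ATTACKER],
    }


if __name__ == "__main__":
    print(demo())
```

With three attack packets, the single-feed counter reaches 3 while the merged stream reaches 6 for the same source: a by_src threshold of 5 fires on the merged feed and not on either feed alone, which is the kind of side effect beyond throughput that the duplicate-feed question is asking about. The one ESP packet is the only thing the BPF exclusion removes.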



