[Snort-users] Questions: Filtering ESP & Duplicate traffic

Joel Esler eslerj at ...11827...
Tue Mar 24 16:05:14 EDT 2009

Snort can handle it (as far as HOME_NET tuning is going), and will handle it
just fine.  Usually I've seen people put a sensor in the DMZ, and a sensor
inside the firewall.  The HOME_NET for the DMZ sensor set to the DMZ IP
range, and the HOME_NET inside the firewall set to all the 1918 addresses.
As far as filtering out things like ESP and VPN traffic, I see no reason to
inspect it if it's encrypted.  (That's what encryption is for, right? To make
stuff unreadable?)

I welcome a discussion on that issue.


On Tue, Mar 24, 2009 at 2:58 PM, Seth Art <sethsec at ...11827...> wrote:

> 1) Can anyone think of an argument against filtering out ESP and AH
> (IPSEC VPN) traffic entirely by using BPF filters?  It does not look
> like any current signatures detect attacks on either protocol (I could
> be wrong here), and as most of you know, this traffic is encrypted.
> 2) Often I come across sensors that are receiving traffic (usually via
> SPAN) from BOTH the inside (LAN) and outside (WAN).  In this case
> snort sees *most* packets twice:  Once from the outside feed with your
> WAN IP (most likely a HIDE NAT, PAT, etc), and then again from the
> inside feed with an internal address (usually RFC 1918).
> My question -- Aside from the additional throughput, is this actually bad?
> It seems that the best solution would require two separate sensors, or
> at a minimum two instances of snort running on the same hardware (one
> configured for the inside and one for the outside).
> But is this required?
> If you configure your home net to include both your public IP range
> AND your RFC 1918 range, will one instance of snort be able to
> handle both feeds without an issue?
> Thanks,
> Seth

Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
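Added example, not from either poster: a small triage script that models the two questions in this thread on constructed packets. It applies the BPF exclusion Seth proposes (drop IP protocol 50 ESP and 51 AH), counts how many of the remaining packets a single sensor mirrored from both sides of a NAT gateway would see twice, and checks addresses against a HOME_NET that contains both the public range and the RFC 1918 ranges. The addresses, the assumption that the NAT device leaves the IP ID field untouched, and the packet dicts are all constructed for the example.

```python
import ipaddress
from collections import Counter

ESP, AH = 50, 51  # IP protocol numbers; 'ip proto 50 or ip proto 51' in BPF

# Assumed HOME_NET for one Snort instance watching both feeds: a public
# (documentation) prefix plus the three RFC 1918 ranges.
HOME_NET = [ipaddress.ip_network(n) for n in
            ("203.0.113.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def bpf_keep(pkt):
    """Same decision as the BPF filter 'not (ip proto 50 or ip proto 51)'."""
    return pkt["proto"] not in (ESP, AH)

def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def dup_key(pkt):
    # NAT rewrites one of the two addresses, so key on what survives the
    # translation instead (assumption: the NAT does not re-number IP IDs).
    return (pkt["ip_id"], pkt["proto"], pkt["payload"])

def triage(packets):
    """Return counts describing what the sensor would actually inspect."""
    kept = [p for p in packets if bpf_keep(p)]
    seen = Counter(dup_key(p) for p in kept)
    return {
        "total": len(packets),
        "esp_ah_dropped": len(packets) - len(kept),
        "inspected": len(kept),
        "duplicates": sum(n - 1 for n in seen.values()),
        "home_net_hits": sum(in_home_net(p["src"]) or in_home_net(p["dst"])
                             for p in kept),
    }

# Constructed sample: one outbound HTTP request and its reply, each mirrored
# from the inside (RFC 1918 address) and the outside (NAT public address)
# feeds, plus one ESP packet from a site-to-site VPN.
SAMPLE = [
    {"feed": "inside",  "src": "192.168.1.10", "dst": "198.51.100.7",  "proto": 6,   "ip_id": 4242, "payload": b"GET / HTTP/1.1"},
    {"feed": "outside", "src": "203.0.113.5",  "dst": "198.51.100.7",  "proto": 6,   "ip_id": 4242, "payload": b"GET / HTTP/1.1"},
    {"feed": "outside", "src": "198.51.100.7", "dst": "203.0.113.5",   "proto": 6,   "ip_id": 9001, "payload": b"HTTP/1.1 200 OK"},
    {"feed": "inside",  "src": "198.51.100.7", "dst": "192.168.1.10",  "proto": 6,   "ip_id": 9001, "payload": b"HTTP/1.1 200 OK"},
    {"feed": "outside", "src": "203.0.113.5",  "dst": "198.51.100.20", "proto": ESP, "ip_id": 77,   "payload": b"\x00" * 8},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against a real capture, the duplicate count tells you how much of the SPAN load is the same packet seen from both sides before deciding between one instance with a wide HOME_NET and two separately tuned sensors.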
