[Snort-users] Questions: Filtering ESP & Duplicate traffic

Jason Haar Jason.Haar at ...294...
Tue Mar 24 17:35:59 EDT 2009

Joel Esler wrote:
> As far as filtering out things like ESP and VPN traffic, I see no
> reason to inspect it if it's encrypted.  (That's what encryption is
> for right? To make stuff unreadable?)
That's what we do on our sensors. We monitor our (VPN-based) WAN links
with snort, and depending on where the SPAN is done (which depends on
switch type, VLANs and how good a job the network group do in
implementing it), may contain a fair chunk of IPSec/GRE traffic. So we
filter that out to save CPU cycles. Also, where network-based DMZ
backups are done, we filter out the backup apps ports as well - because
otherwise snort gets hammered dealing with all that extreme traffic.

Obviously there is always a price to pay: anything you filter out means
snort cannot detect an issue within that protocol. C'est la vie.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list