[Snort-users] Questions: Filtering ESP & Duplicate traffic

Seth Art sethsec at ...11827...
Wed Mar 25 17:13:34 EDT 2009


Thanks guys.

> Only if your EXTERNAL_NET is set to any or you do not care about
> attacks from HOME_NET to HOME_NET. Best solution is separately
> configured detection.

I definitely agree that separately configured detection is best, but
am glad to have confirmation that this is not an egregious
misconfiguration that would somehow hamper detection capabilities.
Thanks!

> As far as filtering out things like ESP and VPN traffic, I see no reason to inspect it
> if it's encrypted.  (That's what encryption is for right? To make stuff unreadable?)

> I welcome a discussion on that issue.

This is what I was thinking, although the pitfall that Jason Haar
mentions is exactly the one I was thinking of...  The "what if" at
some point in the future an ESP-based vulnerability is identified.  I
worry that even though the VRT team releases sigs, I am blind to the
attack until I yank those bpf filters out.

Again, like Jason, I think the benefits of filtering out ESP traffic
outweigh the risk, but it always helps to get community
confirmation/discussion on such things.

-Seth
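The blind spot discussed above, as an added illustration that is not part of the original thread: a small Python emulation of an assumed BPF exclusion `not (ip proto 50 or udp port 4500)` run over constructed packets. It shows what a sensor can still see in unfiltered ESP (only SPI and sequence number), and that the NAT-T port also carries cleartext IKE (RFC 3948 non-ESP marker), which the same filter hides. All packet bytes and the filter expression are constructed for this example.

```python
import struct

ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500

def ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4 header (checksum left at zero) in front of a payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """What a sensor can still see: ('esp', spi, seq), ('ike', None, None) or ('other', None, None)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == ESP_PROTO:
        return ("esp",) + struct.unpack("!II", payload[:8])   # ESP header: SPI, sequence number
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if NAT_T_PORT in (sport, dport):
            if data[:4] == b"\x00\x00\x00\x00":   # RFC 3948 non-ESP marker: IKE in the clear
                return ("ike", None, None)
            return ("esp",) + struct.unpack("!II", data[:8])  # UDP-encapsulated ESP
    return ("other", None, None)

def excluded_by_bpf(pkt):
    """Emulates the assumed exclusion 'not (ip proto 50 or udp port 4500)'."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == ESP_PROTO:
        return True
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return NAT_T_PORT in (sport, dport)
    return False

def blind_spots(pkts):
    """Count, per traffic class, how many packets the filter would hide from Snort."""
    hidden = {"esp": 0, "ike": 0, "other": 0}
    for p in pkts:
        if excluded_by_bpf(p):
            hidden[classify(p)[0]] += 1
    return hidden

# Constructed sample traffic (not captured data): raw ESP, NAT-T ESP, NAT-T IKE, plain TCP.
SAMPLES = [
    ipv4(ESP_PROTO, struct.pack("!II", 0xDEADBEEF, 7) + b"\x00" * 16),
    ipv4(UDP_PROTO, udp(4500, 4500, struct.pack("!II", 0x1234, 3) + b"\x00" * 16)),
    ipv4(UDP_PROTO, udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28)),
    ipv4(6, b"\x00\x50\x04\xd2" + b"GET / HTTP/1.0\r\n"),
]
```

`blind_spots(SAMPLES)` reports the IKE packet among the hidden traffic, which is the case where the filter removes cleartext a signature could still match.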
