[Snort-users] Questions: Filtering ESP & Duplicate traffic

Jack Pepper pepperjack at ...14319...
Wed Mar 25 17:39:02 EDT 2009


Quoting Seth Art <sethsec at ...11827...>:

>> As far as filtering out things like ESP and VPN traffic, I see no  
>> reason to inspect it
>>  if it's encrypted.  (That's what encryption is for right? To make  
>> stuff unreadable?)

> This is what I was thinking, although the pitfall that Jason Haar
> mentions is exactly the one i was thinking of...  The "what if" at
> some point in the future an ESP based vulnerability is identified.  I
> worry that even though the VRT team releases sigs, I am blind to the
> attack until I yank those bpf filters out.

I have picked up many HTTPS bofs with this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg: "HTTPS overflow  
incoming"; flow: established; content:"AAAAAAAAAAAAAAAAAAAAAAA";  
nocase; classtype:trojan-activity;  sid: 2992007; rev:1;)

based on the idea that "what is the liklihood of an "A"-sled showing  
up in encrypted traffic".  It gets lots of hits, even now 3 years  
after the original OPENSSL defect was patched.

I would seem economical and reasonable to look for a sled of nops or  
As in ESP traffic, because it just shouldn't ever happen.

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com





More information about the Snort-users mailing list