Snort mailing list archives
Re: Increase performance with filter or pass-rules
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 21 Nov 2003 16:56:11 +0100
Hi,

Excluding the specific traffic via BPF filters is probably the best way, especially with ESP. Using BPF filters to blend out the traffic on a specific port may stop you from seeing if, for example, someone is using port 443 or 22 to transport data other than SSL that is not encrypted, where you might have a chance to find something in it. There are a few rules for SSH. An alert on them has, however, never come my way. The ASN.1 preprocessor has never made it to Snort 2.X; I assume it has probably become irrelevant nowadays.

Regards,
Edin

Martin Olsson wrote:
I have a sensor that monitors a network where there's lots of VPN traffic (ESP). ESP is an encrypted protocol, so there's no point in Snort looking for plaintext data within these packets. Can Snort make a pass rule for the ESP protocol, or does it only support ip, udp, tcp and icmp? Related question: Is it a bad thing to use a BPF filter to exclude ESP? Is it bad to filter out all tcp/22 and tcp/443 and other encrypted protocols? /Martin
-- Edin Dizdarevic
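The two exclusion approaches discussed in this thread side by side, as an added configuration example that is not from either poster. It assumes Snort 2.x syntax; the interface eth0, the file paths and the sid value are placeholders.

```conf
# --- Option 1: BPF filter, applied by libpcap before Snort decodes anything ---
# The trailing command-line expression is a pcap/tcpdump BPF filter.
#   snort -c /etc/snort/snort.conf -i eth0 'not ip proto 50'
# Or keep the expression in a file referenced from snort.conf (placeholder path):
#   config bpf_file: /etc/snort/esp.bpf      # file content: not ip proto 50
#
# Check the expression with tcpdump first; whatever it still prints is what Snort will see:
#   tcpdump -n -i eth0 'not ip proto 50'
#
# Caveat: ESP carried inside UDP (IPsec NAT traversal, UDP/4500) is not IP protocol 50,
# so that traffic still reaches the detection engine.

# --- Option 2: pass rule keyed on the IP protocol number, not on a port ---
# Pass rules are evaluated after alert rules unless the order is changed,
# so either start snort with -o or set the order in snort.conf:
config order: pass alert log activation

# Matches ESP (IP protocol 50) on any port; the sid is a constructed local number.
pass ip any any -> any any (msg:"LOCAL ESP bypass"; ip_proto:50; sid:1000001; rev:1;)

# --- Exclusion by port, the weaker alternative the reply argues against ---
# This BPF expression also hides anything non-SSL / non-SSH that happens to use
# those ports, which is exactly the unencrypted traffic you would want inspected:
#   not (tcp port 443 or tcp port 22)
```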