Snort mailing list archives
Re: Snort with IPSec
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 04 Nov 2003 14:46:20 -0500
At 12:11 PM 11/4/2003, Josh Berry wrote:
Are there any plugins for Snort, or is there any way with Snort, to decrypt IPSec traffic and then analyze for malicious traffic (given that snort has the key to decrypt with)? Is there any reason this would be impossible?
Well, in IPSec the key is usually based on a DH exchange and is rekeyed every so often... Well, any ipsec that wasn't implemented very poorly is done that way.
Having the DH keys can make it possible to deduce the encryption key based on the key exchange, but you have to actually observe the ISAKMP exchange to know it; you won't be able to "hop into the middle" and figure it out.
If you've got an ipsec setup that uses a hard-coded encryption key for the ESP layer which never changes, it is theoretically possible to decrypt and snort the traffic at pretty much any point in the stream. However, this kind of ipsec setup is fairly low security (you'll eventually hit an IV rollover, and that makes cryptanalysis by an attacker much easier. Read the papers on WEP attacks to get some idea of what happens when the IV rolls over).
However, I don't know of any plugins that are intended to help snort decrypt ipsec.
You might be able to make your snort box into an ipsec gateway, and have the ipsec tunnels terminate at it, instead of merely pass through it. I'm not sure how ipsec works on *BSD or FreeS/WAN, but it might do a conversion to an ethernet type interface post-decode which could then be snorted.
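As an added illustration of the static-key case Matt describes (this is not code from the thread or from Snort), the following Python decodes ESP packets for a manually keyed SA the way a sniffer with the key would have to: each packet carries its own SPI, sequence number and IV, so it can be verified (HMAC-SHA1-96 ICV), decrypted and stripped of its trailer independently of its position in the stream. The AES-CBC cipher is replaced by an HMAC-SHA256 counter-mode keystream, an assumption made only because the standard library has no AES; the ESP framing and trailer handling follow RFC 4303. The SA keys, SPI and inner HTTP request are constructed sample data. It also shows the IV-rollover hazard: `leak_from_iv_reuse` recovers the XOR of two plaintexts from two packets that reused an IV, without knowing the key.

```python
# Added example: decoding ESP (RFC 4303) with a manually keyed SA.
# Not code from the thread; the cipher is a stdlib stand-in for AES-CBC.
import hashlib
import hmac
import struct

ICV_LEN = 12      # HMAC-SHA1-96: 20-byte SHA-1 tag truncated to 96 bits (RFC 2404)
IV_LEN = 16       # one 128-bit block, as for AES-CBC
ESP_HDR_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes)


class ManualSA:
    """A static (manually keyed) inbound SA, the only kind a sniffer can decode."""

    def __init__(self, spi, enc_key, auth_key):
        self.spi = spi
        self.enc_key = enc_key
        self.auth_key = auth_key
        self.seen_ivs = set()   # tracked to spot IV reuse under the fixed key
        self.highest_seq = 0


def keystream(key, iv, length):
    """Stand-in for AES (assumption: stdlib has no AES): HMAC-SHA256 in counter mode.
    Like any counter/stream mode it is determined by (key, iv); reusing the pair
    reuses the keystream, which is what the IV-rollover warning is about."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(sa, seq, iv, inner, next_header):
    """Build one ESP packet in RFC 4303 layout so the decoder has sample input."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding 1, 2, 3, ...
    plaintext = inner + padding + bytes([pad_len, next_header])
    ciphertext = xor_bytes(plaintext, keystream(sa.enc_key, iv, len(plaintext)))
    body = struct.pack(">II", sa.spi, seq) + iv + ciphertext
    icv = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(sa, packet):
    """Verify, decrypt and strip one ESP packet; returns (next_header, inner, warnings).
    Every packet carries what it needs, so decoding can start anywhere in the stream."""
    if len(packet) < ESP_HDR_LEN + IV_LEN + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack(">II", packet[:ESP_HDR_LEN])
    if spi != sa.spi:
        raise ValueError("no SA for SPI 0x%08x" % spi)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet tampered with or wrong auth key")
    iv = body[ESP_HDR_LEN:ESP_HDR_LEN + IV_LEN]
    ciphertext = body[ESP_HDR_LEN + IV_LEN:]
    plaintext = xor_bytes(ciphertext, keystream(sa.enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext) or plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP trailer padding")
    inner = plaintext[:len(plaintext) - 2 - pad_len]
    warnings = []
    if iv in sa.seen_ivs:
        warnings.append("IV reused under a static key")
    sa.seen_ivs.add(iv)
    if seq <= sa.highest_seq:   # simplified; real anti-replay uses a sliding window
        warnings.append("sequence number not increasing (replay?)")
    sa.highest_seq = max(sa.highest_seq, seq)
    return next_header, inner, warnings


def leak_from_iv_reuse(packet_a, packet_b):
    """What an attacker with no key gets from two packets sharing (key, IV):
    in a counter/stream mode the XOR of the ciphertexts is the XOR of the
    plaintexts (CBC leaks less: only whether the leading blocks are equal)."""
    start = ESP_HDR_LEN + IV_LEN
    return xor_bytes(packet_a[start:-ICV_LEN], packet_b[start:-ICV_LEN])


if __name__ == "__main__":
    # Constructed sample SA and traffic (keys, SPI and request are made up).
    sa = ManualSA(0x1000ABCD, b"\x11" * 16, b"\x22" * 20)
    iv = bytes(range(16))
    request = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"
    pkt = esp_encapsulate(sa, 1, iv, request, 6)        # next header 6 = TCP (transport mode)
    print(esp_decapsulate(sa, pkt))                     # the bytes you would hand to Snort
    pkt2 = esp_encapsulate(sa, 2, iv, b"GET /index.html HTTP/1.0\r\n", 6)
    print(esp_decapsulate(sa, pkt2)[2])                 # ['IV reused under a static key']
    print(leak_from_iv_reuse(pkt, pkt2)[:8])            # plaintext XOR, no key needed
```

The decoder deliberately keeps per-SA state (seen IVs, highest sequence number) because that is where a static-key deployment gives itself away: once the IV space wraps, the "IV reused" warning fires and `leak_from_iv_reuse` shows what a passive attacker at the same vantage point would learn.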
Current thread:
- Snort with IPSec Josh Berry (Nov 04)
- Re: Snort with IPSec Chris Green (Nov 04)
- Re: Snort with IPSec Josh Berry (Nov 04)
- Re: Snort with IPSec Frank Knobbe (Nov 04)
- Re: Snort with IPSec Josh Berry (Nov 05)
- Re: Snort with IPSec Ravi Kumar (Nov 05)
- Re: Snort with IPSec Josh Berry (Nov 04)
- Re: Snort with IPSec Chris Green (Nov 04)
- Message not available
- Re: Snort with IPSec Matt Kettler (Nov 04)
- <Possible follow-ups>
- RE: Snort with IPSec O'Flynn, Derek (Nov 04)
- Re: Snort with IPSec Mark . Schutzmann (Nov 04)
- Re: Snort with IPSec Josh Berry (Nov 04)
- Re: Snort with IPSec Jason Haar (Nov 04)
- Re: Snort with IPSec Josh Berry (Nov 04)