Snort mailing list archives
Re: Questions: Filtering ESP & Duplicate traffic
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 25 Mar 2009 10:35:59 +1300
Joel Esler wrote:
As far as filtering out things like ESP and VPN traffic, I see no reason to inspect it if it's encrypted. (That's what encryption is for right? To make stuff unreadable?)
That's what we do on our sensors. We monitor our (VPN-based) WAN links with snort, and depending on where the SPAN is done (which depends on switch type, VLANs and how good a job the network group do in implementing it), may contain a fair chunk of IPSec/GRE traffic. So we filter that out to save CPU cycles.

Also, where network-based DMZ backups are done, we filter out the backup apps ports as well - because otherwise snort gets hammered dealing with all that extreme traffic.

Obviously there is always a price to pay: anything you filter out means snort cannot detect an issue within that protocol. C'est la vie.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
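The filtering decision described in this message, as an added example that is not part of the original post: it skips IPsec (ESP/AH), GRE, UDP-encapsulated ESP and backup traffic, including when the IP header sits behind a VLAN tag on the SPAN, and counts what the sensor no longer sees. The function names, the constructed frames and backup port 10000 are assumptions for illustration.

```python
import struct

SKIP_PROTOS = {47: "GRE", 50: "ESP", 51: "AH"}  # IANA IP protocol numbers
NAT_T_PORT = 4500        # UDP-encapsulated ESP (RFC 3948); IKE shares this port
BACKUP_PORTS = {10000}   # placeholder: substitute your backup application's ports

def classify(frame: bytes) -> str:
    """Return 'inspect' or 'skip:<reason>' for one Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while ethertype in (0x8100, 0x88A8):      # step over 802.1Q / QinQ tags
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if ethertype != 0x0800:
        return "inspect"                      # only IPv4 is filtered here
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    if proto in SKIP_PROTOS:
        return "skip:" + SKIP_PROTOS[proto]
    frag_off = struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF
    if proto in (6, 17) and frag_off == 0:    # ports exist only in first fragment
        sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
        if proto == 17 and NAT_T_PORT in (sport, dport):
            return "skip:NAT-T"
        if {sport, dport} & BACKUP_PORTS:
            return "skip:backup"
    return "inspect"

def make_frame(proto, sport=0, dport=0, vlan=None) -> bytes:
    """Build a minimal constructed Ethernet/IPv4 frame for the demo."""
    eth = b"\x00" * 12
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def blind_spots(frames):
    """Count what the filter hides from the sensor, per reason."""
    counts = {}
    for f in frames:
        verdict = classify(f)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    sample = [make_frame(50), make_frame(50, vlan=20), make_frame(47),
              make_frame(17, 4500, 4500), make_frame(6, 40000, 10000),
              make_frame(6, 40000, 80, vlan=20)]
    print(blind_spots(sample))
```

Every `skip:` count is traffic in which the sensor can no longer detect anything, which is the price the message refers to.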