Snort mailing list archives

Re: Detecting IPSEC traffic?


From: Brian <bmc () snort org>
Date: Tue, 20 Nov 2001 08:09:11 -0500

According to Zarathustra Ubermensch:
Is there any way to detect IPSEC ESP traffic (protocol 50) with snort? I 
know I can pick up some of this communication by looking for IKE traffic on 
udp/500, but not all IPSEC traffic uses IKE.

I basically just want to check for any IPSEC activity and don't really care 
about packet decodes. I'm interested in seeing who is attempting 
communication to certain resources on my LAN.

alert ip any any <> any any (msg:"IPSEC TRAFFIC"; ip_proto:50;)

-brian
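
Added example, not part of the original post or of Snort: a Python sketch of the header check that ip_proto:50 performs, reading the protocol byte of an IPv4 header and reporting who is talking to whom. It goes beyond the rule above by also flagging AH (protocol 51) and the IKE udp/500 case from the question; classify_ipsec, build_ipv4 and SAMPLES are hypothetical names, and the packets are constructed.

```python
import socket
import struct

# IANA protocol numbers: ESP is 50 (what ip_proto:50 matches), AH is 51.
ESP, AH, UDP, IKE_PORT = 50, 51, 17, 500


def classify_ipsec(packet: bytes):
    """Return (kind, src, dst, spi) for IPv4 ESP/AH/IKE packets, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4  # header length, options included
    if ihl < 20 or len(packet) < ihl:
        return None
    # Only the first fragment carries the upper-layer header.
    first = (struct.unpack("!H", packet[6:8])[0] & 0x1FFF) == 0
    proto = packet[9]  # the byte the ip_proto keyword tests
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    payload = packet[ihl:]
    if proto == ESP:  # ESP header starts with the 32-bit SPI
        spi = struct.unpack("!I", payload[:4])[0] if first and len(payload) >= 4 else None
        return ("ESP", src, dst, spi)
    if proto == AH:  # AH: next header, length, 2 reserved bytes, then SPI
        spi = struct.unpack("!I", payload[4:8])[0] if first and len(payload) >= 8 else None
        return ("AH", src, dst, spi)
    if proto == UDP and first and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return ("IKE", src, dst, None)
    return None


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet: 20-byte header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


# Constructed samples using documentation addresses, not captured traffic.
SAMPLES = [
    build_ipv4(ESP, "192.0.2.10", "198.51.100.5", struct.pack("!II", 0x1001, 1) + b"\x00" * 16),
    build_ipv4(AH, "192.0.2.11", "198.51.100.5", struct.pack("!BBHII", 6, 4, 0, 0x2002, 1) + b"\x00" * 12),
    build_ipv4(UDP, "192.0.2.12", "198.51.100.5", struct.pack("!HHHH", 500, 500, 8, 0)),
    build_ipv4(6, "192.0.2.13", "198.51.100.5", b"\x00" * 20),  # plain TCP, must not match
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify_ipsec(pkt))
```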

