Snort mailing list archives
Re: Detecting IPSEC traffic?
From: Brian <bmc () snort org>
Date: Tue, 20 Nov 2001 08:09:11 -0500
According to Zarathustra Ubermensch:
Is there any way to detect IPSEC ESP traffic (protocol 50) with snort? I know I can pick up some of this communication by looking for IKE traffic on udp/500, but not all IPSEC traffic uses IKE. I basically just want to check for any IPSEC activity and don't really care about packet decodes. I'm interested in seeing who is attempting communication to certain resources on my LAN.
alert ip any any <> any any (msg:"IPSEC TRAFFIC"; ip_proto:50;)

-brian
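Added example, not part of the original post: Python showing the field the rule's ip_proto:50 test keys on (the protocol byte of the IPv4 header), plus the IKE udp/500 case from the question. It also reads the ESP SPI and sequence number so a hit records who is talking to whom; the function names and sample packets are constructed for illustration.

```python
import socket
import struct

ESP_PROTO = 50   # IP protocol number matched by ip_proto:50
UDP_PROTO = 17
IKE_PORT = 500   # IKE port named in the question

def classify_ipv4(packet: bytes):
    """Return a dict describing ESP or IKE traffic, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]                          # protocol field
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    payload = packet[ihl:]
    if proto == ESP_PROTO:
        info = {"kind": "ESP", "src": src, "dst": dst, "spi": None, "seq": None}
        # SPI and sequence number sit in the first 8 bytes of the first fragment
        if frag_offset == 0 and len(payload) >= 8:
            info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
        return info
    if proto == UDP_PROTO and frag_offset == 0 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return {"kind": "IKE", "src": src, "dst": dst}
    return None

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for the samples below."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

# Constructed sample packets using documentation address ranges.
SAMPLES = [
    build_ipv4("192.0.2.10", "198.51.100.5", 50,
               struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),      # ESP
    build_ipv4("192.0.2.10", "198.51.100.5", 17,
               struct.pack("!HHHH", 500, 500, 8, 0)),                  # IKE
    build_ipv4("192.0.2.20", "198.51.100.5", 6, b"\x00" * 20),         # TCP
]

def alerts(packets):
    return [hit for hit in map(classify_ipv4, packets) if hit]

if __name__ == "__main__":
    for hit in alerts(SAMPLES):
        print(hit)
```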