Snort mailing list archives
Re: Signature for IPSec encrypted VPN tunnel
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 03 Mar 2003 17:44:15 -0500
Well, one REALLY simple way to do this is look for esp/ip or ah/ip type packets. These are IP protocols 50 and 51 respectively. No non-ipsec traffic will generate these.
IPSec does not use normal tcp/ip or udp/ip (note: ISAKMP does use udp, but that only applies if they are doing dynamic key exchange).
Unfortunately snort currently doesn't understand the idea of protocols other than ip, tcp, udp or arp. It would be nice to be able to do something like:
alert ip any any -> any any (transportprotocol:50; msg:"Ipsec ESP data";)
alert ip any any -> any any (transportprotocol:51; msg:"Ipsec AH data";)

In theory, if you specify the transport protocol by number and limit yourself to the IP layer, it shouldn't be hard for snort to support stuff like this, but it currently does not (at least, not to my knowledge). It would however be a GREAT way to shim in some minimal processing of transport layer protocols other than tcp or udp by examining them at the IP layer and constricting it to that transport protocol.... you wouldn't have built-in parsing of the fields in that header, but it's better than nothing.
Actually, with a bit of thinking about depth and offset, you might be able to fake this rule... the protocol is the 10th byte of the IP layer header.
alert ip any any -> any any (content:"|32|"; depth:0; offset:10; msg:"Ipsec ESP data";)
Anyone have any feedback on this rule attempting to check for the hex byte 0x32 (aka 50) at an offset of 10 bytes from the start of the IP header? Or does snort calculate the offset from the start of the data instead of the header, making this not work?
At 01:28 PM 2/28/2003 +1100, you wrote:
Hi All,

Does anyone know how to create a signature for an IPSec encrypted VPN tunnel, i.e. authentication using cryptographic hashes such as SHA and MD5? Or does any IDS currently have that feature?

Thanks in advance
Nguyen
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
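As an added illustration of the two points in the post above (that ESP and AH are IP protocols 50 and 51, readable from the 10th byte of the IPv4 header, and that a payload-relative content search cannot reach that byte), here is a small Python script. It is not from the original thread or from the Snort project; the packets it builds are constructed samples with documentation addresses, and payload_content_match is a deliberately simplified model of a content/offset/depth check in which depth 0 means "to the end of the payload".

```python
import struct
from ipaddress import IPv4Address

# IP protocol numbers (IANA assigned); ESP and AH carry IPsec traffic.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
ISAKMP_PORT = 500  # IKE/ISAKMP key exchange runs over UDP port 500

# Zero-based offset of the protocol field in the IPv4 header (the "10th byte").
IP_PROTO_OFFSET = 9


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample packet: a minimal 20-byte IPv4 header followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,               # version 4, IHL 5 (20-byte header)
                      0,                  # TOS
                      20 + len(payload),  # total length
                      0x1234,             # identification (arbitrary)
                      0x4000,             # flags: DF set, fragment offset 0
                      64,                 # TTL
                      proto,              # protocol: this lands at byte index 9
                      0,                  # checksum placeholder
                      IPv4Address(src).packed,
                      IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def ip_header_len(packet: bytes) -> int:
    """Header length in bytes, from the IHL nibble."""
    return (packet[0] & 0x0F) * 4


def ip_protocol(packet: bytes) -> int:
    """Read the transport protocol number straight out of the IP header."""
    return packet[IP_PROTO_OFFSET]


def classify_ipsec(packet: bytes) -> str:
    """Label a packet ESP, AH, ISAKMP (UDP/500) or 'other' using header fields only."""
    proto = ip_protocol(packet)
    if proto == IPPROTO_ESP:
        return "ESP"
    if proto == IPPROTO_AH:
        return "AH"
    if proto == IPPROTO_UDP:
        ihl = ip_header_len(packet)
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if ISAKMP_PORT in (sport, dport):
            return "ISAKMP"
    return "other"


def payload_content_match(packet: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Simplified model of a content/offset/depth check: like Snort's content
    option it searches only the data after the IP header, never the header.
    depth 0 is taken here as 'to the end of the payload' (this model's convention)."""
    payload = packet[ip_header_len(packet):]
    window = payload[offset:] if depth == 0 else payload[offset:offset + depth]
    return pattern in window


if __name__ == "__main__":
    esp = build_ipv4(IPPROTO_ESP, "192.0.2.1", "198.51.100.1", b"\x00" * 16)
    print(classify_ipsec(esp), hex(ip_protocol(esp)))
    # A payload-relative search at offset 10 never reaches header byte 9:
    print(payload_content_match(esp, b"\x32", 10, 0))
```

Run it directly to see the ESP sample classified from byte 9 of the header while the payload-relative search for 0x32 at offset 10 finds nothing, because the header is outside its search window. Later Snort releases address the gap discussed in the post with the ip_proto rule option (for example ip_proto:50), which tests the header field directly instead of going through content matching.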
Current thread:
- Signature for IPSec encrypted VPN tunnel NTD (Feb 28)
- Re: Signature for IPSec encrypted VPN tunnel Brian (Mar 01)
- Re: Signature for IPSec encrypted VPN tunnel Matt Kettler (Mar 03)
- Re: Signature for IPSec encrypted VPN tunnel Brian (Mar 04)