Snort mailing list archives

Re: Signature for IPSec encrypted VPN tunnel


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 03 Mar 2003 17:44:15 -0500

Well, one REALLY simple way to do this is to look for esp/ip or ah/ip type packets. These are IP protocols 50 and 51 respectively. No non-ipsec traffic will generate these.

IPSec does not use normal tcp/ip or udp/ip (note: ISAKMP does use udp, but that only applies if they are doing dynamic key exchange).

Unfortunately snort currently doesn't understand the idea of protocols other than ip, tcp, udp or arp. It would be nice to be able to do something like:

alert ip any any -> any any (transportprotocol:50; msg:"Ipsec ESP data";)
alert ip any any -> any any (transportprotocol:51; msg:"Ipsec AH data";)

In theory, if you specify the transport protocol by number, and limit yourself to the IP layer, it shouldn't be hard for snort to support stuff like this, but it currently does not (at least, not to my knowledge). It would however be a GREAT way to shim in some minimal processing of transport layer protocols other than tcp or udp by examining them at the IP layer and constricting it to that transport protocol.... you wouldn't have built-in parsing of the fields in that header, but it's better than nothing.


Actually, with a bit of thinking about depth and offset, you might be able to fake this rule... the protocol is the 10th byte of the IP layer header.

alert ip any any -> any any (content:"|32|"; depth:0; offset:10; msg:"Ipsec ESP data";)

Anyone have any feedback on this rule attempting to check for the hex byte 0x32 (aka 50) at an offset of 10 bytes from the start of the IP header? Or does snort calculate the offset from the start of the data instead of the header, making this not work?



At 01:28 PM 2/28/2003 +1100, you wrote:

Hi All,

Does anyone know how to create a signature for an IPSec encrypted VPN tunnel, i.e. authentication using cryptographic hashes such as SHA and MD5? Or does any IDS currently have that feature?



Thanks in advance

Nguyen






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
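The check the rule above is reaching for, written out in Python as an added example (not code from the thread): read the protocol field, which is the 10th byte of the IPv4 header and so sits at zero-based offset 9, and match 50 (ESP) and 51 (AH); since Snort content matches run over the payload that follows the IP header, a content/offset rule cannot see that byte. The example goes a little beyond the thread by also flagging ISAKMP over UDP/500 and by pulling the SPI and sequence number out of the ESP and AH headers; the packets it runs on are constructed inline.

```python
import struct
from typing import Optional

# IPv4 protocol numbers; only IPsec emits 50 and 51.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
ISAKMP_PORT = 500  # ISAKMP/IKE key exchange runs over UDP/500
# The protocol field is the 10th byte of the IPv4 header: zero-based offset 9.
PROTOCOL_FIELD_OFFSET = 9


def parse_ipv4(packet: bytes) -> dict:
    """Extract protocol, addresses and payload; raise ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return {"proto": packet[PROTOCOL_FIELD_OFFSET],
            "src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20])),
            "payload": packet[ihl:]}


def classify_ipsec(packet: bytes) -> Optional[dict]:
    """Describe the IPsec traffic in one packet, or return None if it is not IPsec."""
    hdr = parse_ipv4(packet)
    proto, payload = hdr["proto"], hdr["payload"]
    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])  # ESP header: SPI, sequence number
        return {"kind": "ESP", "spi": spi, "seq": seq, "src": hdr["src"], "dst": hdr["dst"]}
    if proto == IPPROTO_AH and len(payload) >= 12:
        # AH header: next header, payload length, 2 reserved bytes, then SPI and sequence
        spi, seq = struct.unpack("!II", payload[4:12])
        return {"kind": "AH", "spi": spi, "seq": seq, "src": hdr["src"], "dst": hdr["dst"]}
    if proto == IPPROTO_UDP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if ISAKMP_PORT in (sport, dport):
            return {"kind": "ISAKMP", "src": hdr["src"], "dst": hdr["dst"]}
    return None


def make_ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet 10.0.0.1 -> 10.0.0.2 (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload
```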

