Snort mailing list archives

Re: Increase performance with filter or pass-rules


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 21 Nov 2003 16:56:11 +0100


Hi,

It is probably best to exclude the specific traffic via BPF filters,
especially with ESP. Using BPF filters to blend out the traffic on a
specific port may make you miss it if, for example, someone is using
port 443 or 22 to transport data other than SSL that is not encrypted,
so you might have a chance to find something in it.

There are a few rules for SSH. An alert on them has, however, never come
my way.

The ASN.1 preprocessor has never made it to Snort 2.X; I assume it has
probably become irrelevant nowadays.

Regards,
Edin

Martin Olsson wrote:

I have a sensor that monitors a network where there's lots of
VPN-traffic (esp).

ESP is an encrypted protocol, so there's no point in Snort looking
for plaintext data within these packets.

Can Snort make a pass rule for the ESP protocol, or does it only
support ip, udp, tcp and icmp?


Related question: Is it a bad thing to use a BPF filter to exclude
ESP? Is it bad to filter out all tcp/22 and tcp/443 and other
encrypted protocols?

/Martin


--
Edin Dizdarevic
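The trade-off Edin describes, as an added example that is not part of the thread: a small Python audit over constructed raw IPv4 packets that shows what a "not esp" filter (IP protocol 50) excludes versus a "not port 443" filter, and counts how much non-TLS payload the port filter would hide from the sensor. The tiny filter evaluator stands in for libpcap's BPF compiler and only understands those two filter shapes; the packets are constructed sample data.

```python
import struct

ESP_PROTO = 50   # IP protocol number for ESP (RFC 4303)
TCP_PROTO = 6

def ipv4_packet(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header (no options) in front of payload (constructed)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, ip(src), ip(dst))
    return hdr + payload

def tcp_segment(sport, dport, data):
    """Minimal 20-byte TCP header (no options) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data

def parse(pkt):
    """Pull protocol number, TCP ports and TCP payload out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9], "sport": None, "dport": None, "payload": b""}
    if info["proto"] == TCP_PROTO:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        doff = (pkt[ihl + 12] >> 4) * 4
        info.update(sport=sport, dport=dport, payload=pkt[ihl + doff:])
    return info

def excluded_by_filter(info, expr):
    """Stand-in for BPF: True if the packet would be dropped by 'not esp' / 'not port N'."""
    if expr == "not esp":
        return info["proto"] == ESP_PROTO
    if expr.startswith("not port "):
        port = int(expr.split()[-1])
        return info["proto"] == TCP_PROTO and port in (info["sport"], info["dport"])
    raise ValueError("unsupported filter: " + expr)

def looks_like_tls(payload):
    # TLS record header: content type 0x16 (handshake), version major 0x03
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def audit(packets, expr):
    """Return (packets excluded, excluded TCP packets whose payload is not TLS)."""
    excluded = hidden_plaintext = 0
    for pkt in packets:
        info = parse(pkt)
        if excluded_by_filter(info, expr):
            excluded += 1
            if info["proto"] == TCP_PROTO and info["payload"] and not looks_like_tls(info["payload"]):
                hidden_plaintext += 1
    return excluded, hidden_plaintext

SAMPLE = [  # constructed traffic mix: one ESP packet, TLS on 443, plaintext HTTP on 443
    ipv4_packet(ESP_PROTO, b"\x00\x00\x01\x02" + b"\xaa" * 40),
    ipv4_packet(TCP_PROTO, tcp_segment(51000, 443, b"\x16\x03\x01\x00\x05" + b"\x00" * 5)),
    ipv4_packet(TCP_PROTO, tcp_segment(51001, 443, b"GET /admin HTTP/1.0\r\n\r\n")),
]
```

Run over a capture converted to raw IPv4 packets, `audit` gives a before-deployment estimate of how much traffic a candidate filter removes and how much of that was inspectable plaintext.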


