Snort mailing list archives
RE: Increase performance with filter or pass-rules
From: SRH-Lists <giermo () 333tech com>
Date: Fri, 21 Nov 2003 09:34:37 -0600
I have a sensor that monitors a network where there's lots of VPN-traffic (esp). Esp is an encrypted protocol, so there's no point that snort looks for plaintext data within these packets. Can snort make a pass-rule for the esp protocol, or does it only support ip, udp, tcp and icmp? Related question: Is it a bad thing to use a bpf filter to exclude esp? Is it bad to filter out all tcp/22 and tcp/443 and other encrypted protocols? /Martin
Short Answer: Use a bpf.

Longer answer: Just because the data in a protocol is encrypted doesn't mean that snort can't detect "bad things". Witness the several SSH exploits that snort can detect.

-steve
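Added illustration, not part of the thread: a small Python script that builds a few constructed IPv4 packets and emulates what the suggested BPF filter `not ip proto 50` (ESP is IP protocol 50) would let through to Snort. It assumes the standard port assignments for IKE (udp/500) and UDP-encapsulated ESP (udp/4500, RFC 3948); the latter shows the caveat that NAT-T ESP still reaches the sensor under that filter, because it is IP protocol 17, not 50.

```python
import struct

ESP, TCP, UDP = 50, 6, 17                       # IP protocol numbers
IKE_PORT, NAT_T_PORT, SSH_PORT = 500, 4500, 22  # standard ports (assumed, not from the thread)

def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (no options, zero checksum) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_tcp(sport, dport, data):
    # seq/ack 0, data offset 5 words, flags PSH|ACK, window 65535, checksum/urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + data

def parse(pkt):
    """Return (ip_proto, dst_port) from a raw IPv4 packet; dst_port is None unless TCP/UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto in (TCP, UDP) else None
    return proto, dport

def passes_bpf_not_esp(pkt):
    """Emulate the BPF 'not ip proto 50': True means Snort would still decode the packet."""
    return parse(pkt)[0] != ESP

def classify(pkt):
    proto, dport = parse(pkt)
    if proto == ESP:
        return "esp"
    if proto == UDP and dport == NAT_T_PORT:
        return "nat-t esp"          # RFC 3948 UDP-encapsulated ESP: still IP proto 17
    if proto == UDP and dport == IKE_PORT:
        return "ike"
    if proto == TCP and dport == SSH_PORT:
        return "ssh"
    return "other"

# Constructed sample traffic: raw ESP, NAT-T ESP, IKE, and an SSH banner (all synthetic)
SAMPLES = {
    "esp":   build_ipv4(ESP, b"\x00\x00\x10\x01" + b"\x00" * 12),
    "nat_t": build_ipv4(UDP, build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00\x00\x10\x02" + b"\x00" * 12)),
    "ike":   build_ipv4(UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    "ssh":   build_ipv4(TCP, build_tcp(40000, SSH_PORT, b"SSH-1.99-OpenSSH_3.4p1\r\n")),
}

def filter_report(samples=SAMPLES):
    # name -> (traffic class, whether the packet reaches Snort under 'not ip proto 50')
    return {name: (classify(p), passes_bpf_not_esp(p)) for name, p in samples.items()}
```

Running `filter_report()` shows only the raw ESP sample being dropped by the filter; the SSH banner still arrives, which is the traffic Steve's point about detectable SSH exploits relies on.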
Current thread:
- Increase performance with filter or pass-rules Martin Olsson (Nov 21)
- Re: Increase performance with filter or pass-rules Edin Dizdarevic (Nov 21)
- <Possible follow-ups>
- RE: Increase performance with filter or pass-rules SRH-Lists (Nov 21)