Snort mailing list archives

RE: Increase performance with filter or pass-rules


From: SRH-Lists <giermo () 333tech com>
Date: Fri, 21 Nov 2003 09:34:37 -0600

I have a sensor that monitors a network where there's lots of
VPN traffic (ESP).

ESP is an encrypted protocol, so there's no point in snort looking for
plaintext data within these packets.

Can snort make a pass-rule for the ESP protocol, or does it only support
ip, udp, tcp and icmp?


Related question:
Is it a bad thing to use a bpf filter to exclude esp?
Is it bad to filter out all tcp/22 and tcp/443 and other encrypted
protocols?

/Martin

Short Answer: Use a bpf.

Longer answer:  Just because the data in a protocol is encrypted doesn't
mean that snort can't detect "bad things".
Witness the several SSH exploits that snort can detect.

-steve
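As an added example (not code from either poster), a small Python model of the two filtering choices Martin asks about: excluding ESP by its IP protocol number versus also excluding tcp/22. The packets are constructed; the filter expression the model mimics is libpcap's `not ip proto 50`.

```python
"""Toy model of the two BPF choices raised in the thread (added example,
constructed packets). Excluding IP protocol 50 (ESP) drops ciphertext no
content rule can match; excluding tcp/22 too would also drop the cleartext
SSH version exchange, which signatures can still inspect."""
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50  # IANA protocol number for ESP, as in 'not ip proto 50'

def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # TEST-NET-1 addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def tcp(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK) + payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18,
                       65535, 0, 0) + payload

def bpf_passes(pkt: bytes, exclude_protos=(), exclude_tcp_ports=()) -> bool:
    """Mimic 'not ip proto X and not tcp port Y': True means snort sees the packet."""
    proto = pkt[9]
    if proto in exclude_protos:
        return False
    if proto == IPPROTO_TCP:
        ihl = (pkt[0] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        if sport in exclude_tcp_ports or dport in exclude_tcp_ports:
            return False
    return True

def cleartext_payload(pkt: bytes):
    """Bytes a content rule could match, or None when the payload is ESP ciphertext."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == IPPROTO_ESP:
        return None  # SPI and sequence number, then ciphertext: nothing to pattern-match
    if pkt[9] == IPPROTO_TCP:
        doff = (pkt[ihl + 12] >> 4) * 4
        return pkt[ihl + doff:]
    return pkt[ihl:]

# Constructed samples: an ESP packet (SPI 0x1234, seq 1, opaque bytes) and
# an SSH server banner sent from tcp/22.
ESP_PKT = ipv4(IPPROTO_ESP, struct.pack("!II", 0x1234, 1)
               + b"\x9f\x1e\x33\xa0\x7b\x42\xd1\x08")
SSH_PKT = ipv4(IPPROTO_TCP, tcp(22, 40000, b"SSH-2.0-ExampleServer_1.0\r\n"))
```

Excluding ESP costs nothing a content rule could have matched, while the tcp/22 exclusion discards the banner that header and version signatures still see.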

