Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Snort with IPSec

From: "O'Flynn, Derek" <DOFlyn () lsuhsc edu>
Date: Tue, 4 Nov 2003 11:46:00 -0600
AFAIK not possible to do.  You could place your sensor behind the VPN device
so you could detect malicious information as it enters the network.

Derek

-----Original Message-----
From: Josh Berry [mailto:josh.berry () netschematics com] 
Sent: Tuesday, November 04, 2003 11:12 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort with IPSec

Are there any plugins for Snort, or is there any way with Snort, to
decrypt IPSec traffic and then analyze for malicious traffic (given that
snort has the key to decrypt with)?  Is there any reason this would be
impossible?

Sorry, I do not know enough about IPSec to understand whether this would
be possible or not, but it seems like it would be similar to ettercap's
ability to view SSL traffic when you have the certificate that is being
used.  If you could provide the IDS with the keys, would this be possible?


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: