Snort mailing list archives
Questions: Filtering ESP & Duplicate traffic
From: Seth Art <sethsec () gmail com>
Date: Tue, 24 Mar 2009 14:58:54 -0400
1) Can anyone think of an argument against filtering out ESP and AH (IPSEC VPN) traffic entirely by using BPF filters? It does not look like any current signatures detect attacks on either protocol (I could be wrong here), and as most of you know, this traffic is encrypted.

2) Often I come across sensors that are receiving traffic (usually via SPAN) from BOTH the inside (LAN) and outside (WAN). In this case snort sees *most* packets twice: once from the outside feed with your WAN IP (most likely a HIDE NAT, PAT, etc), and then again from the inside feed with an internal address (usually RFC 1918).

My question -- Aside from the additional throughput, is this actually bad? It seems that the best solution would require two separate sensors, or at a minimum two instances of snort running on the same hardware (one configured for the inside and one for the outside). But is this required? If you configure your home net to include both your public IP range AND your RFC 1918 range, will one instance of snort be able to handle both feeds without an issue?

Thanks,
Seth
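The two questions above, as an added example that is not part of the thread or of Snort: the IPsec test matches exactly what the BPF expression `not (ip proto 50 or ip proto 51)` would drop, and the duplicate check keys on transport fields a hide NAT leaves alone (it assumes the NAT preserves the IP ID; sample packets, addresses and checksums are constructed).

```python
# Added example (not from the thread): flag the IPv4 packets that the BPF filter
# 'not (ip proto 50 or ip proto 51)' drops (ESP/AH) and count packets a sensor fed from
# both sides of a hide NAT sees twice. All sample packets below are constructed.
import socket, struct
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
IP_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def build_ipv4(src, dst, proto, ip_id, payload):
    """Minimal IPv4 header (TTL 64, header checksum left 0) followed by payload."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ip_id, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload
def build_tcp(sport, dport, seq, payload, csum=0):
    """20-byte TCP header, PSH/ACK; csum is arbitrary because a NAT rewrites it anyway."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, csum, 0) + payload
def parse_ipv4(pkt):
    """Return (proto, ip_id, bytes after the IP header); addresses are deliberately ignored."""
    f = struct.unpack(IP_FMT, pkt[:20])
    return f[6], f[3], pkt[(f[0] & 0x0F) * 4:]
def is_ipsec(pkt):
    """True for ESP (50) or AH (51), i.e. what 'ip proto 50 or ip proto 51' matches."""
    return parse_ipv4(pkt)[0] in (IPPROTO_ESP, IPPROTO_AH)

def nat_invariant_key(pkt):
    """Key on protocol, IP ID and the transport bytes a hide NAT/PAT leaves alone: ports are
    dropped (PAT rewrites them) and so are checksums (they cover the rewritten addresses)."""
    proto, ip_id, l4 = parse_ipv4(pkt)
    if proto == IPPROTO_TCP:   # keep seq, ack, offset/flags, window, then options/payload
        body = l4[4:16] + l4[20:]
    else:                      # UDP: payload only; anything else: the whole layer
        body = l4[8:] if proto == IPPROTO_UDP else l4
    return proto, ip_id, body

def summarize(packets):
    """Count IPsec packets and non-IPsec packets already seen once via the other feed."""
    seen, stats = set(), {"total": len(packets), "ipsec": 0, "nat_duplicates": 0}
    for pkt in packets:
        if is_ipsec(pkt):
            stats["ipsec"] += 1
        else:
            key = nat_invariant_key(pkt)
            stats["nat_duplicates"] += key in seen
            seen.add(key)
    return stats

# Constructed sample: one HTTP request seen on the inside feed (RFC 1918 source), again on
# the outside feed after hide NAT (WAN source, new port and checksum), plus one ESP packet.
REQ = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE = [
    build_ipv4("10.1.1.5", "198.51.100.7", IPPROTO_TCP, 0x1234, build_tcp(40000, 80, 1000, REQ, 0x1111)),
    build_ipv4("203.0.113.2", "198.51.100.7", IPPROTO_TCP, 0x1234, build_tcp(52000, 80, 1000, REQ, 0x2222)),
    build_ipv4("203.0.113.2", "198.51.100.9", IPPROTO_ESP, 0x0007, b"\x00\x00\x00\x01" + b"\x00" * 12),
]
```

Run against a real capture, the same two numbers tell you how much of the sensor's load the BPF filter would shed and how much of the rest is the second copy of a NAT'd packet.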
Current thread:
- Questions: Filtering ESP & Duplicate traffic Seth Art (Mar 24)
- Re: Questions: Filtering ESP & Duplicate traffic Joel Esler (Mar 24)
- Re: Questions: Filtering ESP & Duplicate traffic Jason Haar (Mar 24)
- Re: Questions: Filtering ESP & Duplicate traffic Seth Art (Mar 25)
- Re: Questions: Filtering ESP & Duplicate traffic Jack Pepper (Mar 25)
- Re: Questions: Filtering ESP & Duplicate traffic Jason Haar (Mar 24)
- Re: Questions: Filtering ESP & Duplicate traffic Joel Esler (Mar 24)