Snort mailing list archives

Questions: Filtering ESP & Duplicate traffic


From: Seth Art <sethsec () gmail com>
Date: Tue, 24 Mar 2009 14:58:54 -0400

1) Can anyone think of an argument against filtering out ESP and AH
(IPSEC VPN) traffic entirely by using BPF filters?  It does not look
like any current signatures detect attacks on either protocol (I could
be wrong here), and as most of you know, this traffic is encrypted.


2) Often I come across sensors that are receiving traffic (usually via
SPAN) from BOTH the inside (LAN) and outside (WAN).  In this case
snort sees *most* packets twice:  Once from the outside feed with your
WAN IP (most likely a HIDE NAT, PAT, etc), and then again from the
inside feed with an internal address (usually RFC 1918).

My question -- Aside from the additional throughput, is this actually bad?

It seems that the best solution would require two separate sensors, or
at a minimum two instances of snort running on the same hardware (one
configured for the inside and one for the outside).

But is this required?

If you configure your home net to include both your public IP range
AND your RFC 1918 range, will one instance of snort be able to
handle both feeds without an issue?


Thanks,

Seth
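An added example, not part of the thread, that works both questions on constructed packets: (1) the decision a capture filter of `not (ip proto 50 or ip proto 51)` makes at packet level, including the case it misses (ESP tunnelled in UDP 4500, NAT-T, RFC 3948, which arrives as plain UDP and is passed by that filter; the IKE exchange on UDP 500 is likewise not ESP/AH and also passes); and (2) collapsing the inside and outside SPAN copies of one NATed packet into a single event by keying on fields a NAT/PAT leaves alone. The addresses, IP IDs and payloads are made up; the assumption that the NAT does not rewrite IP IDs or TCP sequence numbers is typical but not universal and is labelled in the code. The dedup logic is this example's own, not something Snort does for you.

```python
# Added example (not from the original thread). Two sensor-side checks on constructed packets:
#  1. the effect of a BPF capture filter that drops ESP (IP proto 50) and AH (IP proto 51),
#     including the NAT-T case (ESP inside UDP 4500) that such a filter does not catch;
#  2. collapsing the inside/outside SPAN copies of one packet that a NAT/PAT rewrote
#     into a single event keyed on fields the NAT leaves alone.
import hashlib
import struct
from collections import OrderedDict

ESP, AH, TCP, UDP = 50, 51, 6, 17
NAT_T_PORT = 4500                                   # UDP-encapsulated ESP, RFC 3948
BPF_FILTER = "not (ip proto 50 or ip proto 51)"     # the sensor-side filter under discussion


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_ipv4(src, dst, proto, ip_id, payload):
    """Minimal IPv4 header (no options, zero checksum) in front of payload. Constructed test data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64, proto, 0,
                      _ip(src), _ip(dst))
    return hdr + payload


def build_tcp(sport, dport, seq, data):
    """Minimal 20-byte TCP header (PSH/ACK, no options, zero checksum) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + data


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt):
    ver_ihl, _, total, ip_id, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ip_id, "proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "l4": pkt[ihl:total]}


def passes_filter(pkt):
    """Same decision BPF_FILTER makes on IPv4: drop ESP and AH, pass everything else."""
    return parse_ipv4(pkt)["proto"] not in (ESP, AH)


def is_nat_t_esp(pkt):
    """ESP tunnelled in UDP 4500 passes the filter. A non-zero 4-byte SPI at the start of the
    UDP payload is ESP; four zero bytes is the non-ESP marker IKE uses on the same port."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != UDP:
        return False
    sport, dport, _, _ = struct.unpack("!HHHH", ip["l4"][:8])
    if NAT_T_PORT not in (sport, dport):
        return False
    spi = ip["l4"][8:12]
    return len(spi) == 4 and spi != b"\x00\x00\x00\x00"


def nat_invariant_key(pkt):
    """Key built only from fields a NAT/PAT leaves alone: L4 protocol, IP ID, TCP sequence number
    and the L4 payload. Addresses, ports and checksums are excluded because the NAT rewrites them.
    ASSUMPTION: the NAT does not rewrite IP IDs or TCP sequence numbers (typical, not universal)."""
    ip = parse_ipv4(pkt)
    l4 = ip["l4"]
    if ip["proto"] == TCP:
        seq = struct.unpack("!I", l4[4:8])[0]
        data = l4[(l4[12] >> 4) * 4:]
    elif ip["proto"] == UDP:
        seq, data = 0, l4[8:]
    else:
        seq, data = 0, l4
    return (ip["proto"], ip["id"], seq, hashlib.sha256(data).hexdigest())


def dedup(packets, window=1024):
    """Return one copy of each packet seen on both SPAN feeds, remembering a bounded set of recent keys."""
    seen, out = OrderedDict(), []
    for pkt in packets:
        k = nat_invariant_key(pkt)
        if k in seen:
            continue
        seen[k] = True
        if len(seen) > window:
            seen.popitem(last=False)
        out.append(pkt)
    return out


def demo():
    """Constructed feed: one HTTP request seen pre- and post-PAT, an unrelated request that happens
    to reuse the IP ID, an ESP packet, an AH packet and a NAT-T ESP packet."""
    http = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    inside = build_ipv4("10.1.2.3", "203.0.113.10", TCP, 0x1A2B, build_tcp(51000, 80, 1000, http))
    outside = build_ipv4("198.51.100.5", "203.0.113.10", TCP, 0x1A2B, build_tcp(40001, 80, 1000, http))
    other = build_ipv4("10.1.2.9", "203.0.113.10", TCP, 0x1A2B, build_tcp(51001, 80, 5000, b"GET /x HTTP/1.1\r\n\r\n"))
    esp = build_ipv4("198.51.100.5", "192.0.2.7", ESP, 7, b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"\xaa" * 32)
    ah = build_ipv4("198.51.100.5", "192.0.2.7", AH, 8, bytes([UDP, 4, 0, 0]) + b"\x00\x00\x10\x02" + b"\xbb" * 20)
    nat_t = build_ipv4("198.51.100.5", "192.0.2.7", UDP, 9,
                       build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00\x00\x10\x01\x00\x00\x00\x02" + b"\xcc" * 32))
    feed = [inside, outside, other, esp, ah, nat_t]
    after_bpf = [p for p in feed if passes_filter(p)]
    return {"captured": len(feed), "after_bpf": len(after_bpf),
            "after_dedup": len(dedup(after_bpf)),
            "nat_t_leaks": sum(1 for p in after_bpf if is_nat_t_esp(p))}


if __name__ == "__main__":
    print(demo())
```

Two things the output makes concrete. First, the filter string removes native ESP and AH but not ESP over UDP 4500, so a sensor that also wants NAT-T out of the way needs something like `and not udp port 4500` added, at the cost of losing visibility into the IKE-over-4500 markers on the same port; compile the expression with `tcpdump -d '<expr>'` before handing it to the sensor. Second, the two SPAN copies of a NATed packet are not byte-identical, so Snort sees two distinct flows and will alert on each; the dedup here is a pre-filter you would put in front of the sensor, not behaviour you get from a single snort instance with both ranges in HOME_NET.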

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net