Snort mailing list archives
Re: Questions: Filtering ESP & Duplicate traffic
From: Joel Esler <eslerj () gmail com>
Date: Tue, 24 Mar 2009 16:05:14 -0400
Snort can handle it (as far as HOME_NET tuning is going), and will handle it just fine. Usually I've seen people put a sensor in the DMZ, and a sensor inside the firewall. The HOME_NET for the DMZ sensor set to the DMZ IP range, and the HOME_NET inside the firewall set to all the 1918 addresses.

As far as filtering out things like ESP and VPN traffic, I see no reason to inspect it if it's encrypted. (That's what encryption is for, right? To make stuff unreadable?) I welcome a discussion on that issue.

J

On Tue, Mar 24, 2009 at 2:58 PM, Seth Art <sethsec () gmail com> wrote:
> 1) Can anyone think of an argument against filtering out ESP and AH (IPSEC VPN) traffic entirely by using BPF filters? It does not look like any current signatures detect attacks on either protocol (I could be wrong here), and as most of you know, this traffic is encrypted.
>
> 2) Often I come across sensors that are receiving traffic (usually via SPAN) from BOTH the inside (LAN) and outside (WAN). In this case snort sees *most* packets twice: once from the outside feed with your WAN IP (most likely a HIDE NAT, PAT, etc), and then again from the inside feed with an internal address (usually RFC 1918). My question -- aside from the additional throughput, is this actually bad? It seems that the best solution would require two separate sensors, or at a minimum two instances of snort running on the same hardware (one configured for the inside and one for the outside). But is this required? If you configure your home net to include both your public IP range AND your RFC 1918 range, will one instance of snort be able to handle both feeds without an issue?
>
> Thanks,
> Seth
-- Joel Esler T: 302-223-5974 (-) Gtalk: jesler () sourcefire com [m]
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
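The BPF exclusion Seth asks about, worked through at the packet level as an added example that is not part of the thread or of Snort itself. The filter string is what you would hand to snort (or tcpdump) on the command line or in a bpf file; the function below applies the same match logic to constructed IPv4 packets so you can see exactly which traffic it drops before inspection. Going one step beyond the thread, which only names ESP (protocol 50) and AH (protocol 51), the filter also excludes UDP port 4500, where ESP rides inside UDP when the VPN peers are behind NAT (NAT-T); that addition is an assumption on my part, as is the decision to leave IKE (UDP 500) visible so the key exchange can still be inspected. Sample packets, addresses and SPIs are constructed for the example.

```python
import socket
import struct

# BPF expression to pass to snort/tcpdump so IPsec data-plane traffic is never
# inspected.  ip proto 50 = ESP, ip proto 51 = AH.  udp port 4500 (NAT-T,
# ESP-in-UDP) is an assumption beyond the thread, which names only ESP and AH.
VPN_EXCLUDE_BPF = "not (ip proto 50 or ip proto 51 or udp port 4500)"

TCP, UDP, ESP, AH = 6, 17, 50, 51
NAT_T_PORT = 4500
IKE_PORT = 500


def ipv4_packet(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (IHL=5, no options) in front of payload.
    Constructed sample data: checksum is left at zero, ID is fixed."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp_datagram(sport, dport, payload):
    """UDP header (checksum zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def passes_vpn_exclude(pkt):
    """Mirror VPN_EXCLUDE_BPF: True if snort would still inspect this packet.

    Follows libpcap semantics for the expression: 'ip proto N' tests the IPv4
    protocol byte, 'udp port N' matches either port but only on the first
    fragment (fragment offset 0), and anything that is not IPv4 fails all
    three inner tests, so the outer 'not' keeps it.
    """
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return True                       # not IPv4: no inner term matches
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in (ESP, AH):
        return False                      # ip proto 50 / ip proto 51
    if proto == UDP:
        frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
        if frag_offset != 0:
            return True                   # 'udp port' never matches later fragments
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if NAT_T_PORT in (sport, dport):
            return False                  # udp port 4500 (ESP-in-UDP)
    return True


def filter_samples():
    """Run the exclusion over constructed packets; returns name -> inspected?"""
    esp_body = struct.pack("!II", 0x10012345, 7) + b"\x00" * 16   # SPI, seq, ciphertext
    ah_body = struct.pack("!BBHII", 4, 4, 0, 0x20010001, 7) + b"\x00" * 12
    samples = {
        "esp": ipv4_packet("203.0.113.5", "198.51.100.9", ESP, esp_body),
        "ah": ipv4_packet("203.0.113.5", "198.51.100.9", AH, ah_body),
        "nat_t_esp": ipv4_packet("203.0.113.5", "198.51.100.9", UDP,
                                 udp_datagram(NAT_T_PORT, NAT_T_PORT, esp_body)),
        "ike": ipv4_packet("203.0.113.5", "198.51.100.9", UDP,
                           udp_datagram(IKE_PORT, IKE_PORT, b"\x00" * 28)),
        "http": ipv4_packet("192.168.1.20", "198.51.100.80", TCP,
                            b"\x00" * 20 + b"GET / HTTP/1.0\r\n\r\n"),
    }
    return {name: passes_vpn_exclude(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    print("snort -c snort.conf -i eth0 '%s'" % VPN_EXCLUDE_BPF)
    for name, inspected in filter_samples().items():
        print("%-10s %s" % (name, "inspected" if inspected else "filtered out"))
```

Two caveats worth keeping in mind when you deploy a filter like this: a packet inside an IPsec tunnel that terminates on your own gateway shows up again in the clear on the inside SPAN, so the inside sensor still sees it, and AH only authenticates rather than encrypts, so dropping it is a throughput decision, not a "can't read it anyway" one.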
Current thread:
- Questions: Filtering ESP & Duplicate traffic Seth Art (Mar 24)
- Re: Questions: Filtering ESP & Duplicate traffic Joel Esler (Mar 24)
- Re: Questions: Filtering ESP & Duplicate traffic Jason Haar (Mar 24)
- Re: Questions: Filtering ESP & Duplicate traffic Seth Art (Mar 25)
- Re: Questions: Filtering ESP & Duplicate traffic Jack Pepper (Mar 25)
- Re: Questions: Filtering ESP & Duplicate traffic Jason Haar (Mar 24)
- Re: Questions: Filtering ESP & Duplicate traffic Joel Esler (Mar 24)