Snort mailing list archives

Re: Detecting IPSEC traffic?


From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de>
Date: Tue, 20 Nov 2001 13:50:08 +0100

On Tue, Nov 20, 2001 at 07:05:35AM -0500, Zarathustra Ubermensch wrote:

> Is there any way to detect IPSEC ESP traffic (protocol 50) with snort? I
> know I can pick up some of this communication by looking for IKE traffic on
> udp/500, but not all IPSEC traffic uses IKE.

Yup.
According to the docs:

2.2.2  Protocols
 
The next field in a rule is the protocol. There are four Protocols that
Snort currently analyzes for suspicious behavior - tcp, udp, icmp, and ip.
In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc. 

-- 
Ralf Hildebrandt                            Tel.  +49 (0)30-450 570-155
                                            Fax.  +49 (0)30-450 570-916
If Bill Gates had a dime for every time a Windows box crashed...
                ...Oh, wait a minute, he already does.
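
The approach described in the reply above, as an added example that is not part of the original message or the Snort documentation: rules using the generic `ip` protocol to flag ESP, alongside the udp/500 IKE check mentioned in the question. It assumes a Snort release that supports the `ip_proto` rule option; the messages and SIDs are constructed placeholders in the local-rule range.

```snort
# Added example (not from the original thread). SIDs and msg strings are constructed.

# ESP has no ports, so it is matched with the generic "ip" rule protocol
# and the IP header protocol number (50) via ip_proto.
alert ip any any -> any any (msg:"IPsec ESP traffic (IP protocol 50)"; ip_proto:50; sid:1000001; rev:1;)

# IKE negotiation on udp/500, as mentioned in the question. Sessions keyed
# without IKE never trigger this rule, which is why the ESP rule above is needed.
alert udp any any -> any 500 (msg:"IKE traffic on udp/500"; sid:1000002; rev:1;)
```

Because every ESP packet matches the first rule, narrowing the source and destination to the networks of interest keeps alert volume manageable.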

