Snort mailing list archives
Re: Detecting IPSEC traffic?
From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de>
Date: Tue, 20 Nov 2001 13:50:08 +0100
On Tue, Nov 20, 2001 at 07:05:35AM -0500, Zarathustra Ubermensch wrote:
> Is there any way to detect IPSEC ESP traffic (protocol 50) with snort? I know I can pick up some of this communication by looking for IKE traffic on udp/500, but not all IPSEC traffic uses IKE.

Yup. According to the docs:

  2.2.2 Protocols

  The next field in a rule is the protocol. There are four Protocols that Snort currently analyzes for suspicious behavior - tcp, udp, icmp, and ip. In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc.

-- 
Ralf Hildebrandt
Tel. +49 (0)30-450 570-155
Fax. +49 (0)30-450 570-916
If Bill Gates had a dime for every time a Windows box crashed...
...Oh, wait a minute, he already does.
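
The following is an added illustration, not part of the original post and not Snort code: a Python sketch of what matching at the IP layer means for the traffic in this thread, classifying raw IPv4 packets as ESP (protocol 50) or IKE (udp/500). The function names, the sample addresses and the packets are constructed for the example.

```python
import struct

ESP, UDP, IKE_PORT = 50, 17, 500  # protocol 50 and udp/500 as named in the thread

def classify(packet: bytes) -> str:
    """Classify a raw IPv4 packet as 'esp', 'ike', 'other' or 'malformed'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4          # header length; > 20 when options present
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]                      # IP protocol field
    if proto == ESP:
        return "esp"                       # decided at the IP layer, no ports involved
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if proto == UDP and frag_offset == 0:  # only the first fragment has a UDP header
        if len(packet) < ihl + 8:
            return "malformed"
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "ike"
    return "other"

def ipv4(proto, payload=b"", options=b"", frag_offset=0):
    """Build a constructed IPv4 packet for testing (header checksum left at 0)."""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0,
                         frag_offset, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + payload

def udp(sport, dport, data=b""):
    """Build a constructed UDP header plus data (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def samples():
    """Constructed packets: label -> raw bytes."""
    return {
        "esp": ipv4(ESP, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01"),
        "esp with ip options": ipv4(ESP, b"\x00" * 8, options=b"\x01\x01\x01\x00"),
        "ike": ipv4(UDP, udp(500, 500)),
        "dns": ipv4(UDP, udp(40000, 53)),
        "udp later fragment": ipv4(UDP, udp(500, 500), frag_offset=10),
        "truncated": b"\x45\x00",
    }

if __name__ == "__main__":
    for label, pkt in samples().items():
        print(f"{label:22} -> {classify(pkt)}")
```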