Snort mailing list archives

Re: Questions: Filtering ESP & Duplicate traffic


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Wed, 25 Mar 2009 16:39:02 -0500

Quoting Seth Art <sethsec () gmail com>:

As far as filtering out things like ESP and VPN traffic, I see no reason to inspect it if it's encrypted. (That's what encryption is for, right? To make stuff unreadable?)

This is what I was thinking, although the pitfall that Jason Haar mentions is exactly the one I was thinking of... The "what if": at some point in the future an ESP-based vulnerability is identified. I worry that even though the VRT team releases sigs, I am blind to the attack until I yank those BPF filters out.

I have picked up many HTTPS bofs with this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"HTTPS overflow incoming"; flow:established; content:"AAAAAAAAAAAAAAAAAAAAAAA"; nocase; classtype:trojan-activity; sid:2992007; rev:1;)

based on the idea of "what is the likelihood of an 'A'-sled showing up in encrypted traffic". It gets lots of hits, even now, 3 years after the original OpenSSL defect was patched.

It would seem economical and reasonable to look for a sled of NOPs or A's in ESP traffic, because it just shouldn't ever happen.

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
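The following is an added example, not code from the post above or from the Snort project: a small Python model of the content match behind the quoted rule, plus the generalisation the post argues for (any long run of one byte value is suspicious inside traffic that should be ciphertext), run over constructed payloads. The 23-byte threshold mirrors the length of the rule's content string; the entropy cut-off of 7.0 bits and the sample payloads are assumptions made here for illustration.

```python
"""Model of the 'A'-sled check from the Snort rule above (added example).

Assumptions (not from the post): SLED_MIN_LEN = 23 matches the rule's
content string length; entropy above 7.0 bits/byte is treated as
"looks encrypted"; all sample payloads below are constructed here.
"""
import math
import random
import re
from collections import Counter

SLED_MIN_LEN = 23  # length of "AAAAAAAAAAAAAAAAAAAAAAA" in the rule

# Case-insensitive match for the rule's content string (the `nocase` option).
A_SLED = re.compile(rb"(?i)a{%d}" % SLED_MIN_LEN)


def matches_a_sled(payload: bytes) -> bool:
    """Equivalent of the rule's content match: 23+ consecutive 'A'/'a' bytes."""
    return A_SLED.search(payload) is not None


def longest_run(payload: bytes) -> tuple:
    """Return (byte_value, run_length) for the longest run of one byte value."""
    best_byte, best_len = -1, 0
    run_byte, run_len = -1, 0
    for b in payload:
        if b == run_byte:
            run_len += 1
        else:
            run_byte, run_len = b, 1
        if run_len > best_len:
            best_byte, best_len = run_byte, run_len
    return best_byte, best_len


def shannon_entropy(payload: bytes) -> float:
    """Bits per byte; ciphertext approaches 8.0, plain text sits far lower."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def expected_sled_windows(payload_len: int, run_len: int = SLED_MIN_LEN) -> float:
    """Expected number of run_len-byte windows made of one repeated byte value
    if the payload were uniformly random, i.e. the post's 'shouldn't ever
    happen' argument made quantitative: each window succeeds with 256**-(run_len-1)."""
    windows = max(payload_len - run_len + 1, 0)
    return windows * 256.0 ** -(run_len - 1)


def classify(payload: bytes, min_run: int = SLED_MIN_LEN, entropy_cutoff: float = 7.0) -> str:
    """'sled' if any byte repeats min_run+ times (generalised rule),
    'encrypted-looking' if high entropy, otherwise 'other'."""
    _, run = longest_run(payload)
    if run >= min_run:
        return "sled"
    if shannon_entropy(payload) > entropy_cutoff:
        return "encrypted-looking"
    return "other"


# Constructed sample payloads (not captured traffic).
SAMPLE_SLED = b"\x16\x03\x01" + b"A" * 200 + b"\x90" * 16 + b"exploit-marker"
SAMPLE_TEXT = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
SAMPLE_RANDOM = random.Random(1).randbytes(4096)  # stand-in for ESP/TLS ciphertext

if __name__ == "__main__":
    for name, p in (("sled", SAMPLE_SLED), ("text", SAMPLE_TEXT), ("random", SAMPLE_RANDOM)):
        print(name, matches_a_sled(p), longest_run(p), round(shannon_entropy(p), 2), classify(p))
    print("expected sled windows in 1500 random bytes:", expected_sled_windows(1500))
```

The `expected_sled_windows` figure is what justifies the post's reasoning: for a 1500-byte random payload it is on the order of 10^-50, so any match inside ESP or TLS ciphertext is a strong signal that the payload is not ciphertext at all (or that the rule fired on an unencrypted handshake, which is the main false-positive source to check in the alert's packet capture).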

