
Re: Isakmp and Snort?

On Thu, May 24, 2001 at 03:00:18PM -0400, Will Backman wrote:

ESP and AH are different kinds of IP just like TCP, UDP and ICMP. Which
pretty much rules out the possibility of them being TCP packets.

As for Snort, I don't know.

 > As far as I know, ESP and AH are just TCP with some extra headers and a
 > different protocol version number in one of the fields, so SNORT should pick
 > it up.
 > How are you starting up snort?
 > > Hi All,
 > >
 > > Now I want to detect the packet information between two VPN gateways with
 > > Snort. After setting up isakmpd, Snort can only catch UDP packets during
 > > phase 1 and gets no ESP or AH packets. As far as I know, Snort
 > > can detect TCP/UDP/ICMP. How about ESP and AH? If it can, how do I write the
 > > Snort rules? I will appreciate your help or hints.
 > >
 > > Thanks!
 > >
 > > Jack
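
An added example, not part of the original thread: a small classifier that reads the IPv4 Protocol field to show why a sensor limited to TCP/UDP/ICMP sees only the UDP port 500 ISAKMP negotiation and none of the ESP (protocol 50) or AH (protocol 51) traffic that follows. The function names `classify` and `ipv4`, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import struct

# IANA-assigned IP protocol numbers (value of the IPv4 header's Protocol field).
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def classify(pkt: bytes) -> dict:
    """Classify one raw IPv4 packet by its Protocol field (hypothetical helper)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = pkt[9]
    payload = pkt[ihl:]
    info = {"proto": PROTO.get(proto, f"ip-proto-{proto}")}
    if proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # ISAKMP negotiation runs over UDP port 500.
        info["isakmp"] = 500 in (sport, dport)
    elif proto == 50 and len(payload) >= 8:
        # ESP header: SPI (4 bytes), sequence number (4 bytes), then ciphertext.
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
    elif proto == 51 and len(payload) >= 12:
        # AH header: next header, length, reserved (2), SPI, sequence number.
        info["next_header"] = PROTO.get(payload[0], payload[0])
        info["spi"], info["seq"] = struct.unpack("!II", payload[4:12])
    return info

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + payload

# Constructed sample traffic between two gateways.
SAMPLES = [
    ipv4(17, struct.pack("!HHHH", 500, 500, 8 + 28, 0) + b"\x00" * 28),  # ISAKMP
    ipv4(50, struct.pack("!II", 0x1000, 1) + b"\xaa" * 16),              # ESP
    ipv4(51, struct.pack("!BBHII", 6, 4, 0, 0x2000, 7) + b"\x00" * 12),  # AH
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p))
```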