Re: Isakmp and Snort?
On Thu, May 24, 2001 at 03:00:18PM -0400, Will Backman wrote:
ESP and AH are different kinds of IP just like TCP, UDP and ICMP. Which
pretty much rules out the possibility for them to be TCP packets.
As for Snort, I don't know.
> As far as I know, ESP and AH are just TCP with some extra headers and a
> different protocol version number in one of the fields, so SNORT should pick
> it up.
> How are you starting up snort?
>
> > Hi All,
> >
> > Now I want to detect the packets information between two VPN gateways with
> > Snort. After setting up isakmpd, Snort can only catch UDP packets during
> > phase 1 and I have got nothing of ESP or AH packets. As far as I know, Snort
> > can detect TCP/UDP/ICMP. How about ESP and AH? If it can, how to write the
> > rules of Snort? I will appreciate your help or hints.
> >
> > Thanks!
> >
> > Jack
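
The point made in the reply, as an added example that is not part of the original thread: ESP and AH are identified by the IPv4 protocol field (IANA numbers 50 and 51), alongside ICMP (1), TCP (6) and UDP (17), while ISAKMP phase 1 travels over UDP port 500. The packets are constructed sample data with documentation addresses, and the function names are hypothetical.

```python
import struct

# IANA-assigned IP protocol numbers relevant to this thread.
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def ipv4_packet(proto, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Build a minimal 20-byte IPv4 header plus payload (constructed sample, checksum 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload

def classify(packet):
    """Return (protocol name, decoded fields) using the IPv4 protocol field at byte 9."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto, body = packet[9], packet[ihl:]
    name = IP_PROTOS.get(proto, "proto-%d" % proto)
    info = {}
    if name == "ESP" and len(body) >= 8:
        # ESP begins with SPI and sequence number; the rest is encrypted.
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    elif name == "AH" and len(body) >= 12:
        # AH: next header, payload length, reserved, SPI, sequence number.
        nxt, _plen, _rsvd, spi, seq = struct.unpack("!BBHII", body[:12])
        info = {"next": IP_PROTOS.get(nxt, nxt), "spi": spi, "seq": seq}
    elif name in ("TCP", "UDP") and len(body) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        if name == "UDP" and 500 in (info["sport"], info["dport"]):
            info["note"] = "ISAKMP"
    return name, info

def seen_by_l4_only_decoder(packets):
    """Packets a decoder limited to TCP/UDP/ICMP would recognise (hypothetical filter)."""
    return [p for p in packets if p[9] in (1, 6, 17)]

# Constructed traffic between two VPN gateways: IKE phase 1, then ESP and AH.
SAMPLES = [
    ipv4_packet(17, struct.pack("!HHHH", 500, 500, 8, 0)),
    ipv4_packet(50, struct.pack("!II", 0x1000, 1) + b"\x00" * 16),
    ipv4_packet(51, struct.pack("!BBHII", 6, 4, 0, 0x2000, 7) + b"\x00" * 12),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
    print(len(seen_by_l4_only_decoder(SAMPLES)), "of", len(SAMPLES), "seen as TCP/UDP/ICMP")
```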