Re: Isakmp and Snort?
Snort is based on libpcap, and I see object files for ah and esp and isakmp,
so it should be possible.
----- Original Message -----
From: "Gregory Steuck" <greg@nest.cx>
To: "Will Backman" <whb@ceimaine.org>
Cc: "Jack" <jack_xiao99@hotmail.com>; <tech@openbsd.org>
Sent: Thursday, May 24, 2001 2:56 PM
Subject: Re: Isakmp and Snort?
> On Thu, May 24, 2001 at 03:00:18PM -0400, Will Backman wrote:
>
> ESP and AH are different kinds of IP just like TCP, UDP and ICMP, which
> pretty much rules out the possibility of them being TCP packets.
>
> As for the snort, I don't know.
>
> > As far as I know, ESP and AH are just TCP with some extra headers and a
> > different protocol version number in one of the fields, so SNORT should
> > pick it up.
> > How are you starting up snort?
> >
> > > Hi All,
> > >
> > > Now I want to detect the packet information between two VPN gateways
> > > with Snort. After setting up isakmpd, Snort only catches UDP packets
> > > during phase 1 and has caught no ESP or AH packets. As far as I know,
> > > Snort can detect TCP/UDP/ICMP. How about ESP and AH? If it can, how do
> > > I write the Snort rules? I will appreciate your help or hints.
> > >
> > > Thanks!
> > >
> > > Jack
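The point the thread settles on is that ESP and AH are not TCP: they are their own IP protocols (50 and 51), sitting directly on top of the IPv4 header, while IKE/ISAKMP is carried in UDP on port 500. A sniffer or rule engine therefore has to dispatch on the IPv4 protocol field, not on TCP/UDP ports. The Python below is an added illustration written for this page, not code from the thread, from Snort or from isakmpd: it builds a few constructed packets (not real captures) and decodes them the way a protocol-aware rule would. The SPI, sequence and address values are made up for the example.

```python
import struct

# IANA IP protocol numbers relevant to an IPsec/IKE capture.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
ISAKMP_PORT = 500   # IKE phase 1 and 2 run over UDP/500


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal IPv4 header (no options, checksum left zero) for a constructed packet."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def build_udp(sport, dport, data):
    """UDP header (checksum zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, ciphertext):
    """ESP: 4-byte SPI, 4-byte sequence number, then an opaque encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_ah(next_header, spi, seq, icv):
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def classify(pkt):
    """Dispatch on the IPv4 protocol byte, as a rule engine must, and decode the
    fields a detection rule could match on. Returns a dict describing the packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # IPv4 protocol field
    payload = pkt[ihl:]
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        # Nothing beyond SPI/seq is readable: the rest is ciphertext.
        return {"proto": "ESP", "spi": spi, "seq": seq}
    if proto == PROTO_AH:
        nh, plen, _, spi, seq = struct.unpack("!BBHII", payload[:12])
        icv_len = (plen + 2) * 4 - 12
        return {"proto": "AH", "next_header": nh, "spi": spi, "seq": seq, "icv_len": icv_len}
    if proto == PROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
        name = "ISAKMP" if ISAKMP_PORT in (sport, dport) else "UDP"
        return {"proto": name, "sport": sport, "dport": dport}
    # Anything else (including TCP) is reported by number and is not IPsec traffic.
    return {"proto": str(proto)}


# Constructed sample packets (not real captures): an IKE phase-1 datagram, an ESP
# packet, an AH packet carrying UDP, and a plain TCP SYN that an IPsec rule must not match.
PACKETS = {
    "isakmp": build_ipv4(PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    "esp":    build_ipv4(PROTO_ESP, build_esp(0xDEADBEEF, 1, b"\xa5" * 32)),
    "ah":     build_ipv4(PROTO_AH, build_ah(PROTO_UDP, 0x1001, 7, b"\x5a" * 12)),
    "tcp":    build_ipv4(PROTO_TCP, struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)),
}


def is_ipsec(pkt):
    """True for the packets an 'ESP or AH' rule should fire on."""
    return classify(pkt)["proto"] in ("ESP", "AH")


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, classify(pkt), "ipsec" if is_ipsec(pkt) else "-")
```

The same dispatch expressed as a capture filter is `ip proto 50 or ip proto 51 or udp port 500` (libpcap accepts the names `esp` and `ah` in place of the numbers). In Snort's rule language the analogous match is a rule whose protocol is `ip` with the `ip_proto` option, e.g. `alert ip any any -> any any (msg:"ESP"; ip_proto:50;)`; that keyword is in the Snort 2.x rule language, and whether the Snort release in use in 2001 already had it is not something this thread establishes. Note also that once phase 2 is up, everything inside ESP is ciphertext, so a rule can only match on the outer header, SPI and sequence number, not on the protected payload.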