
Re: Isakmp and Snort?



Snort is based on libpcap, and I see object files for ah and esp and isakmp,
so it should be possible.

----- Original Message -----
From: "Gregory Steuck" <greg@nest.cx>
To: "Will Backman" <whb@ceimaine.org>
Cc: "Jack" <jack_xiao99@hotmail.com>; <tech@openbsd.org>
Sent: Thursday, May 24, 2001 2:56 PM
Subject: Re: Isakmp and Snort?


> On Thu, May 24, 2001 at 03:00:18PM -0400, Will Backman wrote:
>
> ESP and AH are different kinds of IP just like TCP, UDP and ICMP, which
> pretty much rules out the possibility of them being TCP packets.
>
> As for Snort, I don't know.
>
>  > As far as I know, ESP and AH are just TCP with some extra headers and a
>  > different protocol version number in one of the fields, so SNORT should
>  > pick it up.
>  > How are you starting up snort?
>  >
>  > > Hi All,
>  > >
>  > > Now I want to detect the packet information between two VPN gateways
>  > > with Snort. After I set up isakmpd, Snort can only catch UDP packets
>  > > during phase 1 and has got nothing of the ESP or AH packets. As far as
>  > > I know, Snort can detect TCP/UDP/ICMP. How about ESP and AH? If it can,
>  > > how do I write the rules for Snort? I will appreciate your help or hints.
>  > >
>  > > Thanks!
>  > >
>  > > Jack
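The following is an added example, not part of the thread and not Snort's own code. It illustrates the point made above that ESP (IP protocol 50) and AH (IP protocol 51) are peers of TCP, UDP and ICMP rather than TCP with extra headers, and why a capture or rule set that only understands TCP/UDP/ICMP sees the ISAKMP phase 1 exchange on UDP/500 but nothing of the ESP/AH traffic that follows. The dissector pulls out the fields that are actually visible on the wire: the ISAKMP fixed header, the ESP SPI and sequence number (everything after them is encrypted), and the AH header with its ICV length. The sample packets, addresses, SPIs and cookies are constructed for the example and are not a real trace. In later Snort rule syntax the equivalent of the protocol-number check is a rule on the `ip` protocol with the `ip_proto` option, e.g. `alert ip any any -> any any (msg:"ESP"; ip_proto:50;)`; the Snort versions of 2001 may differ, so check the rule documentation for the version in use.

```python
"""Classify IPsec-related IPv4 traffic by IP protocol number.

Added example for the thread above; not Snort code. Sample packets are
constructed inline with made-up addresses, SPIs and cookies.
"""
import struct

# IANA IP protocol numbers: ESP and AH sit beside TCP/UDP/ICMP, not inside them.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 1, 6, 17, 50, 51
ISAKMP_PORT = 500          # IKE phase 1 / phase 2 run over UDP port 500
L4_KINDS = {PROTO_TCP: "tcp", PROTO_UDP: "udp", PROTO_ICMP: "icmp"}


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 for a valid filled-in header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, payload: bytes,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 header (no options) in front of payload, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def dissect(pkt: bytes) -> dict:
    """Return what a protocol-number-aware capture sees in one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        return {"kind": "bad-ipv4"}
    proto, body = pkt[9], pkt[ihl:]
    info = {"proto": proto, "src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20]))}
    if proto == PROTO_UDP:
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", body[:8])
        info.update(kind="udp", sport=sport, dport=dport)
        if ISAKMP_PORT in (sport, dport) and len(body) >= 8 + 28:
            # ISAKMP fixed header (RFC 2408): cookies, next payload, version,
            # exchange type, flags, message ID, length.
            _icky, rcky, _npld, ver, xchg, _flags, _msgid, _length = \
                struct.unpack("!8s8sBBBBII", body[8:36])
            info.update(kind="isakmp", exchange_type=xchg, version=ver,
                        responder_cookie_set=rcky != b"\x00" * 8)
    elif proto == PROTO_ESP:
        # Only the SPI and sequence number are in the clear (RFC 2406).
        spi, seq = struct.unpack("!II", body[:8])
        info.update(kind="esp", spi=spi, seq=seq)
    elif proto == PROTO_AH:
        # AH header (RFC 2402); payload_len is the AH length in 32-bit words minus 2.
        nxt, plen, _rsv, spi, seq = struct.unpack("!BBHII", body[:12])
        info.update(kind="ah", next_header=nxt, spi=spi, seq=seq,
                    icv_len=(plen + 2) * 4 - 12)
    elif proto in L4_KINDS:
        info["kind"] = L4_KINDS[proto]
    else:
        info["kind"] = "ip-proto-%d" % proto
    return info


def summarize(packets, l4_only: bool = False) -> dict:
    """Count packets per kind. With l4_only=True, behave like a rule set that
    only has tcp/udp/icmp rules: ESP and AH are simply never matched."""
    counts = {}
    for p in packets:
        info = dissect(p)
        if l4_only and info.get("proto") not in L4_KINDS:
            continue
        counts[info["kind"]] = counts.get(info["kind"], 0) + 1
    return counts


# Constructed sample capture (made-up values, not a real trace).
ISAKMP_MSG = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                         1, 0x10, 2, 0, 0, 28)      # main-mode first message
SAMPLE = [
    build_ipv4(PROTO_UDP, struct.pack("!HHHH", 500, 500, 8 + 28, 0) + ISAKMP_MSG),
    build_ipv4(PROTO_ESP, struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16),
    build_ipv4(PROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0xDEADBEEF, 7)
               + b"\xbb" * 12 + b"\xcc" * 20),     # next header 4 = tunnelled IPv4
    build_ipv4(PROTO_TCP, struct.pack("!HHIIBBHHH", 1234, 80, 0, 0,
                                      5 << 4, 2, 8192, 0, 0)),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(dissect(p))
    print("protocol-aware:", summarize(SAMPLE))
    print("tcp/udp/icmp only:", summarize(SAMPLE, l4_only=True))
```

Running the block shows the ISAKMP packet and the TCP packet in both summaries, while the ESP and AH packets only appear in the protocol-aware one; that gap is exactly what a capture restricted to TCP/UDP/ICMP reports when a tunnel comes up after phase 1.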