Re: Isakmp and Snort?
Oct 6, 2000
If Snort took numeric arguments as alternates to the "TCP/UDP/ICMP" field,
we could have something like:
alert 50 $EXTERNAL any -> $INTERNAL any (msg: "protocol-50_ESP_empty_payload"; dsize: 0;)
alert 51 $EXTERNAL any -> $INTERNAL any (msg: "protocol-51_AH_empty_payload"; dsize: 0;)
Notice the IF at the beginning...
I don't know if this has changed.
----- Original Message -----
To: "Will Backman" <email@example.com>; <firstname.lastname@example.org>
Sent: Thursday, May 24, 2001 3:24 PM
Subject: Re: Isakmp and Snort?
> As Bob said, you need unencrypted traffic for a proper analysis of the
> streams. Since ESP encapsulates the data stream in encryption, well,
> you really won't know if it is good or bad until Snort can read the data
> revealed. So to speak, anyway...
> email@example.com wrote:
> > > hi,
> > Well, I always thought that as well till I read the NetBSD IPsec
> > how ESP is not what some perceive it to be per se. My plan was to set up
> > in a lab a NetBSD client to an OpenBSD server, host to host. Noticing that
> > it was a bit different, I thought there might be a few gotchas.
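The two hypothetical rules at the top of this reply, emulated over raw IPv4 packets so the matching logic is explicit; this is an added example, not code from the thread (real Snort expresses the same thing with `alert ip ... (ip_proto:50; dsize:0;)`). The packets are constructed inline with a zero IP checksum, and "dsize" is taken to mean every byte after the IPv4 header, which for ESP includes the 8-byte SPI/sequence header.

```python
import struct

ESP, AH = 50, 51  # IP protocol numbers the two rules key on


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields the rules need: the protocol number and the
    number of bytes following the IPv4 header (what dsize inspects)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    # Use the captured length if the packet was cut short on the wire.
    return {"proto": proto, "dsize": min(total_len, len(pkt)) - ihl}


def match_empty_ipsec(pkt: bytes):
    """Emulate 'alert 50/51 ... dsize: 0': return the rule message that
    would fire, or None when neither rule matches."""
    h = parse_ipv4(pkt)
    if h["dsize"] != 0:
        return None
    if h["proto"] == ESP:
        return "protocol-50_ESP_empty_payload"
    if h["proto"] == AH:
        return "protocol-51_AH_empty_payload"
    return None


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed test packet: 20-byte header, no options, checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed samples. Note that a bare ESP header (SPI + sequence number)
# is already 8 bytes after the IP header, so it is NOT "dsize: 0".
ESP_HEADER_ONLY = build_ipv4(ESP, struct.pack("!II", 0x1234, 1))
ESP_NO_BYTES = build_ipv4(ESP, b"")
AH_NO_BYTES = build_ipv4(AH, b"")
TCP_NO_BYTES = build_ipv4(6, b"")

if __name__ == "__main__":
    for name, pkt in [("esp-hdr", ESP_HEADER_ONLY), ("esp-0", ESP_NO_BYTES),
                      ("ah-0", AH_NO_BYTES), ("tcp-0", TCP_NO_BYTES)]:
        print(name, parse_ipv4(pkt), match_empty_ipsec(pkt))
```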