[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Isakmp and Snort?



>From http://archives.neohapsis.com/archives/snort/2000-10/0159.html
/*
Oct 6, 2000
If Snort took numeric arguments as alternates to the "TCP/UDP/ICMP" field,
we could have something like:
alert 50 $EXTERNAL any -> $INTERNAL any (msg:
"protocol-50_ESP_empty_payload"; dsize: 0;)
alert 51 $EXTERNAL any -> $INTERNAL any (msg:
"protocol-51_AH_empty_payload"; dsize: 0;)
*/
Notice the IF at the beginning...
I don't know if this has changed.

----- Original Message -----
From: <dreamwvr@dreamwvr.com>
To: "Will Backman" <whb@ceimaine.org>; <tech@openbsd.org>
Sent: Thursday, May 24, 2001 3:24 PM
Subject: Re: Isakmp and Snort?


> hi,
>    As Bob sed you need unencypted traffic for a proper analysis of the
> streams. Since esp encapsulates in encryption the data stream well
> you really won't know it is good or bad until snort can read the data
> revealed. Sort of speak anyways..
> dreamwvr@dreamwvr.com wrote:
>
> > > hi,
> >
> >       Well i always thought that as well till i read the netbsd ipsec
page and
> > how esp is not what some percieve it to be per se.. My plan was to set
in my
> > lab a netbsd client to a openbsd server host to host.. noticing that
syntax was
> > a bit diff i thought there might be a few gotchas.