
Re: Isakmp and Snort?



> Hi All,
> 
> Now I want to detect the packet information between two VPN gateways with
> Snort. After I set up isakmpd, Snort can only catch UDP packets during
> phase 1 and has got nothing of the ESP or AH packets. As far as I know, Snort
> can detect TCP/UDP/ICMP. How about ESP and AH? If it can, how do I write the
> Snort rules? I will appreciate your help or hints.

If you want to look at the unencrypted traffic, you can
do so on the gateway itself by sniffing the enc0 interface.
You will have to make sure Snort parses through the encapsulated
IP packet, though, since the packets will have an extra header
on them.

If you are trying to look at the traffic from a different
machine, it will be encrypted and you won't be able to decrypt
it without knowing the algorithm and the key.  You would
have to modify the gateway to leak this information to your
Snort machine and modify the Snort host to decode the
encrypted traffic.

> Thanks!
> Jack

Tim N.
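The following is an added example, not code from this thread, from isakmpd or from Snort. It shows in a few lines what the two replies above describe: a sniffer beside the gateway sees ISAKMP (UDP/500) as ordinary inspectable UDP, ESP as an outer header (SPI, sequence number) followed by ciphertext it cannot decode, and AH as an authentication header followed by the protected packet in the clear; on the gateway's enc0 interface the decrypted packet is there, but behind an extra pseudo-header that must be stripped before the inner IP header is parsed. The 12-byte enc0 header layout (address family, SPI, flags) and all packets below are assumptions and constructed sample input, not captured traffic.

```python
# Added example (not from the original mail): classify IPv4 packets the way an
# IDS sees them beside an IPsec gateway, and strip the extra header found on enc0.
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
ISAKMP_PORT = 500

# ASSUMED layout of the enc0 pseudo-header: 32-bit address family, 32-bit SPI,
# 32-bit flags, then the inner (decrypted) IP packet.
ENC_HDR_LEN = 12


def build_ipv4(proto, src, dst, payload):
    """Construct a minimal IPv4 packet (sample input, checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) or raise if this is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet (extra header in front?)")
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


def classify(pkt):
    """Say what a sniffer on the wire can actually see in one IPv4 packet."""
    proto, src, dst, payload = parse_ipv4(pkt)
    info = {"src": src, "dst": dst}
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Phase 1 (ISAKMP) is plain UDP on port 500: Snort sees it normally.
        info.update(kind="ISAKMP" if ISAKMP_PORT in (sport, dport) else "UDP",
                    sport=sport, dport=dport, inspectable=True)
    elif proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        # Only SPI and sequence number are readable; the rest is ciphertext + ICV.
        info.update(kind="ESP", spi=spi, seq=seq, inspectable=False)
    elif proto == PROTO_AH:
        next_hdr, payload_len = payload[0], payload[1]
        spi, seq = struct.unpack("!II", payload[4:12])
        ah_len = (payload_len + 2) * 4   # payload_len is in 32-bit words minus 2
        # AH authenticates but does not encrypt: the protected packet follows in the clear.
        info.update(kind="AH", spi=spi, seq=seq, next_proto=next_hdr,
                    inner=payload[ah_len:], inspectable=True)
    else:
        info.update(kind="IP", proto=proto, inspectable=True)
    return info


def classify_enc0_frame(frame):
    """Strip the assumed enc0 pseudo-header, then classify the decrypted inner packet."""
    _af, spi, flags = struct.unpack("!III", frame[:ENC_HDR_LEN])
    inner = classify(frame[ENC_HDR_LEN:])
    inner.update(enc_spi=spi, enc_flags=flags)
    return inner


# ---- constructed sample packets (not real captures) ----
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
# Phase 1: ISAKMP over UDP/500, body stubbed with zero bytes
ISAKMP_PKT = build_ipv4(PROTO_UDP, GW_A, GW_B,
                        struct.pack("!HHHH", 500, 500, 36, 0) + b"\x00" * 28)
# Phase 2 data: ESP with SPI 0x1000, seq 1, then bytes standing in for ciphertext
ESP_PKT = build_ipv4(PROTO_ESP, GW_A, GW_B,
                     struct.pack("!II", 0x1000, 1) + b"\xde\xad\xbe\xef" * 8)
# AH transport mode with a 12-byte ICV (payload_len = 24/4 - 2 = 4) over a UDP datagram
INNER_UDP = struct.pack("!HHHH", 1234, 53, 8, 0)
AH_PKT = build_ipv4(PROTO_AH, GW_A, GW_B,
                    struct.pack("!BBHII", PROTO_UDP, 4, 0, 0x2000, 1) + b"\x00" * 12 + INNER_UDP)
# What the gateway's enc0 shows: assumed pseudo-header (af=2, SPI, flags) + decrypted inner TCP packet
ENC0_FRAME = struct.pack("!III", 2, 0x1000, 0) + build_ipv4(PROTO_TCP, "10.0.0.5", "10.0.1.7", b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in [("ISAKMP", ISAKMP_PKT), ("ESP", ESP_PKT), ("AH", AH_PKT)]:
        print(name, classify(pkt))
    print("enc0", classify_enc0_frame(ENC0_FRAME))
```

Feeding ENC0_FRAME straight to classify() fails the IPv4 version check, which is exactly the "extra header" problem Tim describes: the sniffer on enc0 has to skip the pseudo-header first. On the wire, Snort can still count or alert on ESP/AH at the IP layer with the ip_proto rule option (for example ip_proto:50 for ESP, ip_proto:51 for AH), but any content match inside an ESP payload is matching ciphertext.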