Snort mailing list archives
Increase performance with filter or pass-rules
From: Martin Olsson <elof () sentor se>
Date: Fri, 21 Nov 2003 15:49:24 +0100 (CET)
I have a sensor that monitors a network where there's lots of VPN-traffic (esp). Esp is an encrypted protocol, so there's no point in snort looking for plaintext data within these packets.

Can snort make a pass-rule for the esp protocol, or does it only support ip, udp, tcp and icmp?

Related question: Is it a bad thing to use a bpf filter to exclude esp? Is it bad to filter out all tcp/22 and tcp/443 and other encrypted protocols?

/Martin
