Snort mailing list archives

Re: Questions: Filtering ESP & Duplicate traffic


From: Seth Art <sethsec () gmail com>
Date: Wed, 25 Mar 2009 17:13:34 -0400

Thanks guys.

Only if your EXTERNAL_NET is set to any or you do not care about
attacks from HOME_NET to HOME_NET. Best solution is separately
configured detection.

I definitely agree that separately configured detection is best, but
am glad to have confirmation that this is not an egregious
misconfiguration that would somehow hamper detection capabilities.
Thanks!

As far as filtering out things like ESP and VPN traffic, I see no reason to inspect it if it's encrypted. (That's what encryption is for, right? To make stuff unreadable?)

I welcome a discussion on that issue.

This is what I was thinking, although the pitfall that Jason Haar
mentions is exactly the one I was thinking of... The "what if" is that at
some point in the future an ESP-based vulnerability is identified. I
worry that even though the VRT team releases sigs, I am blind to the
attack until I yank those bpf filters out.

Again, like Jason, I think the benefits of filtering out ESP traffic
outweigh the risk, but it always helps to get community
confirmation/discussion on such things.

-Seth

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
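The blind spot discussed in this thread can be made concrete by modelling what a BPF exclusion actually removes from Snort's view. The following is an added example, not code from Seth's message or from the Snort project. It compares two hypothetical BPF expressions (the broad "drop all ESP and IKE" filter and a narrower one scoped to two assumed tunnel endpoints, 203.0.113.10 and 198.51.100.20) against a handful of constructed packets, using a minimal decoder that mirrors only the header fields those predicates test. The filter text, endpoint addresses and sample packets are all assumptions for illustration.

```python
"""Added example (not from the thread): model what a Snort BPF exclusion
filter hides.  Two hypothetical filter expressions are compared against a
handful of constructed packets with a minimal decoder that mirrors the
predicates those expressions use."""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50          # ESP is IP protocol 50; IKE uses UDP 500/4500
IKE_PORTS = {500, 4500}

# Assumed tunnel endpoints for the illustration (not from the thread).
VPN_PEERS = {"203.0.113.10", "198.51.100.20"}

# Hypothetical BPF text as it would be fed to Snort 2 with -F <file>.
BROAD_FILTER = "not (ip proto 50 or udp port 500 or udp port 4500)"
NARROW_FILTER = ("not ((ip proto 50 or udp port 500 or udp port 4500)"
                 " and host 203.0.113.10 and host 198.51.100.20)")


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, zero checksum) plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_udp(sport, dport, data):
    """UDP header (zero checksum) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, data):
    """ESP header is SPI + sequence number; the rest is opaque ciphertext."""
    return struct.pack("!II", spi, seq) + data


def decode(pkt):
    """Pull out only the fields the BPF predicates look at."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    proto, src, dst = fields[6], fields[8], fields[9]
    ports = ()
    if proto == IPPROTO_UDP:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ports": ports}


def is_ipsec(p):
    """Equivalent of 'ip proto 50 or udp port 500 or udp port 4500'."""
    return p["proto"] == IPPROTO_ESP or any(port in IKE_PORTS for port in p["ports"])


def passes_broad(p):
    """BROAD_FILTER: every ESP/IKE packet is dropped before Snort sees it,
    including ESP from a source that is not one of your tunnel peers."""
    return not is_ipsec(p)


def passes_narrow(p):
    """NARROW_FILTER: only ESP/IKE between the two known peers is dropped.
    'host A and host B' matches when both addresses appear in the packet."""
    return not (is_ipsec(p) and {p["src"], p["dst"]} == VPN_PEERS)


# Constructed sample traffic (not captured data).
SAMPLES = {
    "tunnel-esp": build_ipv4("203.0.113.10", "198.51.100.20", IPPROTO_ESP,
                             build_esp(0x1001, 7, b"\x00" * 32)),
    "tunnel-ike": build_ipv4("198.51.100.20", "203.0.113.10", IPPROTO_UDP,
                             build_udp(500, 500, b"\x00" * 28)),
    "rogue-esp":  build_ipv4("192.0.2.99", "203.0.113.10", IPPROTO_ESP,
                             build_esp(0xDEAD, 1, b"A" * 64)),
    "rogue-ike":  build_ipv4("192.0.2.99", "203.0.113.10", IPPROTO_UDP,
                             build_udp(4500, 4500, b"B" * 40)),
    "dns":        build_ipv4("192.0.2.5", "203.0.113.10", IPPROTO_UDP,
                             build_udp(40000, 53, b"C" * 12)),
}


def inspected(filter_fn, samples=SAMPLES):
    """Names of the packets that survive the filter and reach detection."""
    return sorted(name for name, pkt in samples.items() if filter_fn(decode(pkt)))


if __name__ == "__main__":
    for name, fn in (("broad", passes_broad), ("narrow", passes_narrow)):
        print(name, inspected(fn))
```

With the broad filter only the DNS packet reaches detection; ESP or IKE arriving from an address that is not a tunnel peer is discarded along with the legitimate tunnel, which is exactly the case a future ESP signature would need to see. Scoping the exclusion to the known peer pair keeps the saving on the bulk encrypted traffic while leaving unexpected ESP/IKE visible. Whichever expression is chosen, keep it in a file under version control and review it whenever a new ruleset touches IP protocol 50 or UDP 500/4500.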