[Snort-devel] IP Protocol Rules?

Tony Robinson trobinson at ...402...
Sun Jul 1 16:04:33 EDT 2012

IP protocol rules are rules that trigger against IP traffic. In the
standard snort rule header, you can specify a rule function
[Alert/Pass/Drop], a protocol, [TCP/UDP/ICMP/IP], network or address 1
[address/IPvar], source port [port/icmp code], where the traffic flows
[direction], network or address 2 [address/IPvar], destination port
[port/icmp code].

IP Protocol rules are simply rules that trigger against rule content with
IP chosen as the protocol. If IP is chosen as the protocol you cannot
specify a port or an ICMP code. Snort will do content matching against ALL
IP packets. The rule header for an IP rule will usually look something like

alert ip [address 1] any -> [address 2] any [rule content goes here]

If you want to see an example of an IP protocol rule, take a look at rule


it's a rule that alerts against IP protocol traffic and has a specific
content match. The other use case for IP rules is to block traffic from
certain IP addresses when we don't know the content, or more than one type
of protocol may be used to communicate. This rules aren't very good
performers, but will do in a pinch if you know, say, the ip address of a
known CNC server and just want to alert against any traffic going to/from
that ip address.

sids 20523 and 20524 are examples of this -- blocking known ip addresses
for Duqu CNC hosts.

Hope this answers the question.


On Fri, Jun 29, 2012 at 6:50 PM, <jorbru30 at ...2251...> wrote:

> Hi,
> I am reviewing snort code to seek best ways to optimize/tune snort, and I
> appreciate any help in understanding "fpEvalIpProtoOnlyRules' function.
> How do I identify IP protocol only rules? Is every IP packet inspected by
> "fpEvalIpProtoOnlyRules" ?
> I appreciate your help.
> Jorda.
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Please visit http://blog.snort.org for the latest news about Snort!


 Tony Robinson
Security Consultant I
SourceFIRE Professional Services Division
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20120701/4eda3f67/attachment.html>

More information about the Snort-devel mailing list