[Snort-devel] IP Protocol Rules?

Joshua Kinard kumba at ...2185...
Sun Jul 1 16:55:24 EDT 2012


On 07/01/2012 4:04 PM, Tony Robinson wrote:
> IP protocol rules are rules that trigger against IP traffic. In the
> standard snort rule header, you can specify a rule function
> [Alert/Pass/Drop], a protocol, [TCP/UDP/ICMP/IP], network or address 1
> [address/IPvar], source port [port/icmp code], where the traffic flows
> [direction], network or address 2 [address/IPvar], destination port
> [port/icmp code].
> 
> IP Protocol rules are simply rules that trigger against rule content with
> IP chosen as the protocol. If IP is chosen as the protocol you cannot
> specify a port or an ICMP code. Snort will do content matching against ALL
> IP packets. The rule header for an IP rule will usually look something like
> this:
> 
> 
> alert ip [address 1] any -> [address 2] any [rule content goes here]
> 
> If you want to see an example of an IP protocol rule, take a look at rule
> 18997
> 
> http://www.snort.org/search/sid/18997?r=1
> 
> it's a rule that alerts against IP protocol traffic and has a specific
> content match. The other use case for IP rules is to block traffic from
> certain IP addresses when we don't know the content, or more than one type
> of protocol may be used to communicate. These rules aren't very good
> performers, but will do in a pinch if you know, say, the ip address of a
> known CNC server and just want to alert against any traffic going to/from
> that ip address.
> 
> sids 20523 and 20524 are examples of this -- blocking known ip addresses
> for Duqu CNC hosts.
> 
> Hope this answers the question.
> 
> -Tony

I'll add that IP protocol rules also make use of the "ip_proto" keyword.
You usually want to put this keyword into any "alert ip" rule, as Snort's
fast-pattern matcher will use the protocol number as the "destination port"
to prime the fp algorithm to quickly judge which packets to keep for further
inspection.

I.e., if you wanted to alert on SCTP traffic containing the string "foobar":
alert ip any any -> any any (msg:"SCTP Traffic"; ip_proto:132;
content:"foobar"; nocase; sid:123456789; rev:1; classtype:misc-activity;)

You have to be VERY careful with IP proto rules.  They can quickly bring
Snort to its knees if used incorrectly.

-- 
Joshua Kinard
Gentoo/MIPS
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
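The matching behaviour discussed in this thread (an "alert ip" rule that cannot carry ports, the ip_proto keyword narrowing which packets reach content inspection, and the cost of leaving ip_proto out) can be made concrete with a small simulator. The following is an added example written for this archive page; it is not Snort code and not something either poster wrote. It parses the SCTP rule from the message above plus a hypothetical variant without ip_proto, runs both over a constructed packet list, and counts how many payload searches each rule performs. Only the plain "ip_proto:N" form and a simple ';'-split option parser are handled; those are simplifications of Snort's real syntax.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rules. The first is the SCTP rule from the message
# (IP protocol number 132 is SCTP); the second is a hypothetical variant
# with ip_proto removed, so it must content-match every IP packet.
RULE_WITH_IP_PROTO = (
    'alert ip any any -> any any (msg:"SCTP Traffic"; ip_proto:132; '
    'content:"foobar"; nocase; sid:123456789; rev:1; classtype:misc-activity;)'
)
RULE_WITHOUT_IP_PROTO = (
    'alert ip any any -> any any (msg:"Any IP Traffic"; '
    'content:"foobar"; nocase; sid:123456790; rev:1; classtype:misc-activity;)'
)

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    msg: str
    sid: int
    ip_proto: Optional[int]   # only the plain "ip_proto:N" form is parsed here
    content: Optional[bytes]
    nocase: bool


@dataclass
class Packet:
    proto: int      # IP header protocol number (6=TCP, 17=UDP, 132=SCTP)
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Parse the subset of Snort rule syntax used by the sample rules."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % text)
    if m.group("proto") == "ip" and (m.group("sport") != "any" or m.group("dport") != "any"):
        # As stated in the thread: an "ip" rule cannot carry ports or ICMP codes.
        raise ValueError("ip rules cannot specify ports or ICMP codes")
    opts, flags = {}, set()
    # Options are ';'-separated "key:value" pairs or bare flags such as nocase.
    # Splitting on ';' is enough for these samples; real content strings can
    # contain escaped ';' and would need a proper tokenizer.
    for raw in m.group("opts").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if ":" in raw:
            key, val = raw.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
        else:
            flags.add(raw)
    return Rule(
        action=m.group("action"), proto=m.group("proto"),
        msg=opts.get("msg", ""), sid=int(opts["sid"]),
        ip_proto=int(opts["ip_proto"]) if "ip_proto" in opts else None,
        content=opts["content"].encode() if "content" in opts else None,
        nocase="nocase" in flags,
    )


def evaluate(rule: Rule, packets: List[Packet]) -> Tuple[List[int], int]:
    """Return (indices of alerting packets, number of payload searches done).

    The protocol-number test runs first, so packets of the wrong protocol are
    dropped before the comparatively expensive payload search: the pre-filter
    effect the message attributes to ip_proto."""
    alerts, content_checks = [], 0
    for i, pkt in enumerate(packets):
        if rule.ip_proto is not None and pkt.proto != rule.ip_proto:
            continue
        if rule.content is not None:
            content_checks += 1
            hay = pkt.payload.lower() if rule.nocase else pkt.payload
            needle = rule.content.lower() if rule.nocase else rule.content
            if needle not in hay:
                continue
        alerts.append(i)
    return alerts, content_checks


# Constructed traffic sample: two SCTP packets, one TCP, one UDP.
PACKETS = [
    Packet(132, b"SCTP INIT chunk foobar"),
    Packet(6, b"GET /FooBar HTTP/1.1"),
    Packet(17, b"dns query, nothing of interest"),
    Packet(132, b"sctp data without the string"),
]

if __name__ == "__main__":
    for text in (RULE_WITH_IP_PROTO, RULE_WITHOUT_IP_PROTO):
        rule = parse_rule(text)
        alerts, checks = evaluate(rule, PACKETS)
        print("sid %d (%s): alerts on packets %s, %d payload searches"
              % (rule.sid, rule.msg, alerts, checks))
```

Running it shows the rule with ip_proto:132 alerting only on the SCTP packet that carries the string and searching two payloads, while the variant without ip_proto searches all four payloads and also fires on the TCP packet; on a real link that second rule is the kind that, as the message warns, brings the sensor to its knees.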


