[Snort-devel] IP Protocol Rules?
jesler at ...402...
Sun Jul 1 18:30:13 EDT 2012
IP rules are evaluated against all protocols. If you can specify tcp or udp, that's obviously the better idea. People insist on writing IP rules, but as someone else in this thread already pointed out, these rules are bad performers.
What are you trying to accomplish?
On Sunday, July 1, 2012 at 6:01 PM, Livio at ...3255... wrote:
> I woul talk to silicom. They are cheaper 82599s and come with a prepaid dna license. You can't go wrong..
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
> Joshua Kinard <kumba at ...2185... (mailto:kumba at ...2185...)> wrote:
> > On 07/01/2012 4:04 PM, Tony Robinson wrote:
> > > IP protocol rules are rules that trigger against IP traffic. In the
> > > standard snort rule header, you can specify a rule function
> > > [Alert/Pass/Drop], a protocol, [TCP/UDP/ICMP/IP], network or address 1
> > > [address/IPvar], source port [port/icmp code], where the traffic flows
> > > [direction], network or address 2 [address/IPvar], destination port
> > > [port/icmp code].
> > >
> > > IP Protocol rules are simply rules that trigger against rule content with
> > > IP chosen as the protocol. If IP is chosen as the protocol you cannot
> > > specify a port or an ICMP code. Snort will do content matching against ALL
> > > IP packets. The rule header for an IP rule will usually look something like
> > > this:
> > >
> > >
> > > alert ip [address 1] any -> [address 2] any [rule content goes here]
> > >
> > > If you want to see an example of an IP protocol rule, take a look at rule
> > > 18997
> > >
> > > http://www.snort.org/search/sid/18997?r=1
> > >
> > > it's a rule that alerts against IP protocol traffic and has a specific
> > > content match. The other use case for IP rules is to block traffic from
> > > certain IP addresses when we don't know the content, or more than one type
> > > of protocol may be used to communicate. This rules aren't very good
> > > performers, but will do in a pinch if you know, say, the ip address of a
> > > known CNC server and just want to alert against any traffic going to/from
> > > that ip address.
> > >
> > > sids 20523 and 20524 are examples of this -- blocking known ip addresses
> > > for Duqu CNC hosts.
> > >
> > > Hope this answers the question.
> > >
> > > -Tony
> > I'll add that IP protocol rules also make use of the "ip_proto" keyword.
> > You usually want to put this keyword into any "alert ip" rule, as Snort's
> > fast-pattern matcher will use the protocol number as the "destination port"
> > to prime the fp algorithm to quickly judge which packets to keep for further
> > inspection.
> > I.e., if you wanted to alert on SCTP traffic containing the string "foobar":
> > alert ip any any -> any any (msg:"SCTP Traffic"; ip_proto:132;
> > content:"foobar"; nocase; sid:123456789; rev:1; classtype:misc-activity;)
> > You have to be VERY careful with IP proto rules. They can quickly bring
> > Snort to its knees if used incorrectly.
> > --
> > Joshua Kinard
> > Gentoo/MIPS
> > kumba at ...2185... (mailto:kumba at ...2185...)
> > 4096R/D25D95E3 2011-03-28
> > "The past tempts us, the present confuses us, the future frightens us. And
> > our lives slip away, moment by moment, lost in that vast, terrible in-between."
> > --Emperor Turhan, Centauri Republic
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net (mailto:Snort-devel at lists.sourceforge.net)
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Please visit http://blog.snort.org for the latest news about Snort!
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net (mailto:Snort-devel at lists.sourceforge.net)
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel