[Snort-sigs] multiple ip_proto rule

JC monroe at ...745...
Mon Aug 12 20:40:02 EDT 2002


Hello Everybody,

Snort Version: 1.8.4
Operating Environment: OpenBSD 3.0
Searching the list revealed: Nothing

I thought it might be better to put into context what I'm trying to
do. I want to create a signature that will basically be the same thing
as this tcpdump filter:

(ip[9:1] != 1)    # icmp
and
(ip[9:1] != 2)    # igmp
and
(ip[9:1] != 6)    # tcp
and
(ip[9:1] != 17)   # udp
and
(ip[9:1] != 89)   # ospf
and
(ip[9:1] != 103)  # pim (protocol independent multicast)

I saw something that Martin wrote a while ago; he said that && would be
in a future release, see:
http://archives.neohapsis.com/archives/snort/2000-06/0056.html  

Any help would be lovely 

Thanks,

JC
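
The check the filter above expresses, written out as an added example that is not part of the original post and is not Snort or tcpdump code: it reads the IPv4 protocol byte at offset 9 and flags any packet whose protocol is not in the six-entry list. The function names and the sample headers (documentation addresses, zero checksum) are constructed for illustration.

```python
import socket
import struct

# Protocol numbers excluded by the filter in the post (ip[9:1] != N for each).
EXPECTED_PROTOS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 89: "ospf", 103: "pim"}


def ip_proto(packet: bytes):
    """Return the IPv4 protocol byte (offset 9), or None if the header is unusable."""
    if len(packet) < 20:
        return None  # truncated: shorter than the minimum IPv4 header
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        return None  # not IPv4, or an impossible header length
    return packet[9]


def is_unexpected(packet: bytes) -> bool:
    """True when every 'ip[9:1] != N' term of the filter holds for this packet."""
    proto = ip_proto(packet)
    return proto is not None and proto not in EXPECTED_PROTOS


def make_header(proto: int, src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed sample: a bare 20-byte IPv4 header with the checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def flagged_protocols(packets):
    """Protocol numbers of the packets the filter would match, in input order."""
    return [ip_proto(p) for p in packets if is_unexpected(p)]


# Constructed traffic: TCP, UDP, GRE (47), ICMP, ESP (50), PIM.
SAMPLE = [make_header(n) for n in (6, 17, 47, 1, 50, 103)]

if __name__ == "__main__":
    for number in flagged_protocols(SAMPLE):
        print("unexpected IP protocol:", number)
```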




