[Snort-sigs] multiple ip_proto rule

Chris Green cmg at ...435...
Tue Aug 13 04:38:02 EDT 2002


"JC" <monroe at ...745...> writes:

> Hello Everybody,
>
> Snort Version: 1.8.4
> Operating Environment: OpenBSD 3.0
> Searching the list revealed: Nothing
>

Humor Derived: Chuckle.

> I thought it might be better to put into context what I'm trying to
> do. I want to create a signature that will basically be the same thing
> as this tcpdump filter:
>
> (ip[9:1] !=1)  #icmp
> and
> (ip[9:1] !=2)  #igmp
> and
> (ip[9:1] !=6)   #tcp
> and
> (ip[9:1] !=17)  #udp
> and
> (ip[9:1] !=89)  #ospf
> and
> (ip[9:1] !=103)  #pim (protocol independent multicast)


Are you trying to alert on this traffic or just have additional
checks? Fleshing out the ip_proto check is needed.  I should go ahead
and do that.

>
> I saw something that Martin wrote a while ago he said that && would
>  be a future release see:
> http://archives.neohapsis.com/archives/snort/2000-06/0056.html
>
We got ip lists instead of that.  

-- 
Chris Green <cmg at ...435...>
Eschew obfuscation.
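The chained `ip[9:1] != N` clauses in JC's tcpdump filter all read the same byte (the IPv4 protocol field at offset 9), so together they reduce to "protocol not in a set". The following added example, written for this thread and not taken from Snort or tcpdump, parses that byte from constructed IPv4 headers, applies the exclusion, and prints an equivalent shorter BPF expression; the sample 192.0.2.x addresses and the helper names are assumptions for the demonstration.

```python
import struct

# Protocol numbers excluded by the six-clause filter in the thread (IANA values).
EXCLUDED = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 89: "ospf", 103: "pim"}


def ip_proto(packet: bytes) -> int:
    """Return the IPv4 protocol field, i.e. tcpdump's ip[9:1] (byte offset 9, length 1)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[9]


def matches_filter(packet: bytes) -> bool:
    """True when the packet passes the AND of all 'ip[9:1] != N' clauses."""
    return ip_proto(packet) not in EXCLUDED


def equivalent_bpf() -> str:
    """Shorter tcpdump expression with the same meaning as the six chained clauses."""
    clauses = " or ".join(f"ip proto {n}" for n in sorted(EXCLUDED))
    return f"ip and not ({clauses})"


def make_ipv4_header(proto: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header (checksum left zero, no options)."""
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


if __name__ == "__main__":
    # 47 (GRE) and 50 (ESP) are not in the list, so the filter lets them through.
    for proto in (1, 6, 17, 47, 50, 89, 103):
        name = EXCLUDED.get(proto, "other")
        print(f"proto {proto:3d} ({name}): "
              + ("passes filter" if matches_filter(make_ipv4_header(proto)) else "excluded"))
    print(equivalent_bpf())
```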