[Snort-sigs] multiple ip_proto rule

JC monroe at ...745...
Tue Aug 13 12:17:18 EDT 2002

Hello Again,

I'm sorry that I didn't put it in complete context lets try again

I am trying to flag all traffic that we might not deem normal in our
network reading the snort users manual there is no indication of any
type of &&, || in fact in the 1.9 version manual there was no multiple
selector anywhere in the documentation. Initially I tried to see if 
Alert ![tcp,udp,icmp,igmp,pim] !$HOME_NET any -> $HOME_NET any (msg:
"Interesting traffic";) would work   it failed worse than Anna Nichole
Smith in Calculus 5 at MIT.   So looking through the manual I found the
ip_proto: directive so I fashioned the second rule of

alert ip !$HOME_NET any -> $HOME_NET any (msg: "Non standard traffic not
TCP,UDP,or ICMP, or PIM, or IGMP"; ip_proto: !1; ip_proto: !2; ip_proto:
!6; ip_proto: !17; ip_proto: !2; ip_proto: !103;)

This rule when using snort with the -T flag to  check syntax does work
however it doesn't even come close to accurately logging. I'm wondering
is there something I'm doing wrong. Am I overwriting the protos that I
want to match as I go? Would I need to have a multiple step dynamic
rule? It didn't appear clear to me how I could solve this problem
through the use of tagging.   

I just want to catch anything that I've defined as not normal.

Thanks again,


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Chris Green
Sent: Tuesday, August 13, 2002 4:41 AM
To: JC
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] multiple ip_proto rule

"JC" <monroe at ...745...> writes:

> Hello Everybody,
> Snort Version: 1.8.4
> Operating Environment: OpenBSD 3.0
> Searching the list revealed: Nothing

Humor Derived: Chuckle.

> I thought it might be better to put it into context what I'm trying to
> do 
> I want to create signature that will basically be the same thing as
> tcpdump filter 
> (ip[9:1] !=1)  #icmp
> and
> (ip[9:1] !=2)  #igmp
> and
> (ip[9:1] !=6)   #tcp
> and
> (ip[9:1] !=17)  #udp
> and
> (ip[9:1] !=89)  #ospf
> and
> (ip[9:1] !=103)  #pim (protocol independent multicast)

Are you trying to alert on this traffic or just have additional
checks? Fleshing out the ip_proto check is needed.  I should go ahead
and do that.

> I saw something that Martin wrote a while ago he said that && would
>  be a future release see:
> http://archives.neohapsis.com/archives/snort/2000-06/0056.html
We got ip lists instead of that.  

Chris Green <cmg at ...435...>
Eschew obfuscation.

This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list