[Snort-sigs] multiple ip_proto rule
monroe at ...745...
Tue Aug 13 12:17:18 EDT 2002
I'm sorry that I didn't put it in complete context; let's try again.
I am trying to flag all traffic that we might not deem normal in our
network. Reading the Snort users manual, there is no indication of any
type of &&, ||; in fact, in the 1.9 version manual there was no multiple
selector anywhere in the documentation. Initially I tried to see if
Alert ![tcp,udp,icmp,igmp,pim] !$HOME_NET any -> $HOME_NET any (msg: "Interesting traffic";)
would work; it failed worse than Anna Nicole Smith in Calculus 5 at MIT.
So looking through the manual I found the ip_proto: directive, so I
fashioned the second rule:
alert ip !$HOME_NET any -> $HOME_NET any (msg: "Non standard traffic not
TCP,UDP,or ICMP, or PIM, or IGMP"; ip_proto: !1; ip_proto: !2; ip_proto:
!6; ip_proto: !17; ip_proto: !2; ip_proto: !103;)
This rule, when using snort with the -T flag to check syntax, does work;
however, it doesn't even come close to accurately logging. I'm wondering
if there is something I'm doing wrong. Am I overwriting the protos that I
want to match as I go? Would I need to have a multiple-step dynamic
rule? It didn't appear clear to me how I could solve this problem
through the use of tagging.
I just want to catch anything that I've defined as not normal.
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Chris Green
Sent: Tuesday, August 13, 2002 4:41 AM
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] multiple ip_proto rule
"JC" <monroe at ...745...> writes:
> Hello Everybody,
> Snort Version: 1.8.4
> Operating Environment: OpenBSD 3.0
> Searching the list revealed: Nothing
Humor Derived: Chuckle.
> I thought it might be better to put it into context what I'm trying to
> I want to create a signature that will basically be the same thing as
> the tcpdump filter
> (ip[9:1] !=1) #icmp
> (ip[9:1] !=2) #igmp
> (ip[9:1] !=6) #tcp
> (ip[9:1] !=17) #udp
> (ip[9:1] !=89) #ospf
> (ip[9:1] !=103) #pim (protocol independent multicast)
Are you trying to alert on this traffic or just have additional
checks? Fleshing out the ip_proto check is needed. I should go ahead
and do that.
> I saw something that Martin wrote a while ago; he said that && would
> be in a future release, see:
We got ip lists instead of that.
Chris Green <cmg at ...435...>
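Added example, not from either poster or from the Snort project: a short Python script that applies the tcpdump filter quoted above ((ip[9:1] != 1) && ... && (ip[9:1] != 103), i.e. "alert on any IPv4 protocol other than ICMP, IGMP, TCP, UDP, OSPF and PIM") to raw IPv4 headers, and contrasts it with the "last ip_proto option overwrites the earlier ones" behaviour that JC suspects. Whether Snort 1.8.4 actually behaves that way is not confirmed by the thread; last_option_wins_match is only a model of that hypothesis. The packets and addresses are constructed inline for the demonstration.

```python
"""Evaluate 'protocol not in allowlist' over raw IPv4 headers.

Added illustration for the Snort-sigs thread above; sample packets are
constructed here, not captured traffic.
"""
import struct

# IANA protocol numbers named in the thread's tcpdump filter.
ALLOWED_PROTOCOLS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 89: "ospf", 103: "pim"}

# The clause order of JC's posted rule (note the repeated !2 and the missing !89).
POSTED_RULE_CLAUSES = (1, 2, 6, 17, 2, 103)


def build_ipv4_header(proto, src="10.0.0.5", dst="192.168.1.10"):
    """Construct a minimal 20-byte IPv4 header (constructed test data, no options)."""
    ver_ihl = (4 << 4) | 5                      # version 4, header length 5 words
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # ver/ihl, tos, total len, id, flags/frag, ttl, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20, 0, 0, 64, proto, 0, src_b, dst_b)


def ip_proto(packet):
    """Return ip[9:1] (the protocol byte), or None if this is not a full IPv4 header."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return None
    return packet[9]


def conjunction_match(packet, allowed=ALLOWED_PROTOCOLS):
    """tcpdump semantics: every '!= N' clause is ANDed, so the packet only
    matches when its protocol is in none of the excluded values."""
    proto = ip_proto(packet)
    return proto is not None and proto not in allowed


def last_option_wins_match(packet, clauses=POSTED_RULE_CLAUSES):
    """Hypothetical semantics (JC's 'am I overwriting' question): each ip_proto
    option replaces the previous one, so only the final clause is tested."""
    proto = ip_proto(packet)
    return proto is not None and proto != clauses[-1]


def classify(packets):
    """Return {protocol_number: (conjunction_result, last_option_result)} so the
    two semantics can be compared side by side."""
    return {ip_proto(p): (conjunction_match(p), last_option_wins_match(p)) for p in packets}


if __name__ == "__main__":
    samples = [build_ipv4_header(n) for n in (6, 17, 1, 103, 47, 50)]  # 47=GRE, 50=ESP
    for proto, (conj, last) in classify(samples).items():
        name = ALLOWED_PROTOCOLS.get(proto, "other")
        print(f"proto {proto:>3} ({name:<5}) conjunction={conj!s:<5} last_option_wins={last}")
```

Under the conjunction semantics only GRE (47) and ESP (50) are flagged; under the overwrite hypothesis every packet that is not PIM, TCP and UDP included, is flagged, which is one way a syntactically valid rule can pass snort -T yet "not even come close to accurately logging".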