[Snort-sigs] multiple ip_proto rule

Brian bmc at ...95...
Tue Aug 13 12:45:05 EDT 2002


According to JC:
> alert ip !$HOME_NET any -> $HOME_NET any (msg: "Non standard traffic not
> TCP,UDP,or ICMP, or PIM, or IGMP"; ip_proto: !1; ip_proto: !2; ip_proto:
> !6; ip_proto: !17; ip_proto: !2; ip_proto: !103;)


Actually, this already exists, but is disabled because snort does not
support multiple ip_proto options.

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \
   Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \
   ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; \
   classtype:non-standard-protocol; sid:1620; rev:2;)

The ds_list for ip_proto is not a linked list, so you only get one
ip_proto per signature.  This issue is currently on the TODO list.

-- 
So, according to this, we're in Goblin Valley. Great. I mean, I mean, I 
mean... it couldn't be Happy Valley or Wonderful Valley. Goblin Valley. 
Why not, Axe Murderer's Valley?
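The limitation Brian describes (one ip_proto option per signature) means the intended logic, "alert on any $EXTERNAL_NET -> $HOME_NET packet whose protocol is not in a short allowlist", cannot be written as a single rule. The following is an added example, not code from the post or from Snort: it implements that allowlist check outside Snort by parsing a raw IPv4 header, and it includes a small linter that counts the ip_proto options in a rule body so the unsupported multi-ip_proto form can be caught before loading. The protocol set is taken from the quoted sid:1620 rule; HOME_NET, the packets and the sample rule strings are constructed for the example.

```python
import ipaddress
import struct

# Protocols the quoted sid:1620 rule treats as standard: ICMP, IGMP, TCP, GRE, ESP, AH, OSPF
STANDARD_PROTOS = {1, 2, 6, 47, 50, 51, 89}

# Assumption for the example; substitute the real $HOME_NET
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_ipv4_header(pkt: bytes):
    """Return (src, dst, protocol) from a raw IPv4 packet; raise on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = pkt[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    proto = pkt[9]                          # protocol field is byte 9 of the header
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return src, dst, proto


def is_non_standard_protocol(pkt: bytes, home_net=HOME_NET, allowed=STANDARD_PROTOS) -> bool:
    """True when an $EXTERNAL_NET -> $HOME_NET packet carries a protocol outside the allowlist.

    This is the single check that sid:1620 would need seven chained ip_proto negations for.
    """
    src, dst, proto = parse_ipv4_header(pkt)
    # $EXTERNAL_NET is !$HOME_NET; the destination must be inside $HOME_NET
    if src in home_net or dst not in home_net:
        return False
    return proto not in allowed


def make_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet for testing (checksum left zero; constructed input)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return header + payload


def ip_proto_options(rule: str):
    """Return the values of every ip_proto option in a Snort rule.

    Backslash-newline continuations are joined first. Options are split on ';',
    which assumes no literal ';' inside the msg string (true for the rules quoted above).
    More than one returned value means the rule relies on multiple ip_proto options,
    which the Snort of this thread does not support.
    """
    body = rule.replace("\\\n", " ")
    start, end = body.find("("), body.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option body")
    values = []
    for opt in body[start + 1:end].split(";"):
        name, sep, val = opt.strip().partition(":")
        if sep and name.strip() == "ip_proto":
            values.append(val.strip())
    return values


if __name__ == "__main__":
    pim = make_ipv4("10.0.0.5", "192.168.1.10", 103)   # PIM, not in the allowlist
    tcp = make_ipv4("10.0.0.5", "192.168.1.10", 6)
    print("PIM flagged:", is_non_standard_protocol(pim))
    print("TCP flagged:", is_non_standard_protocol(tcp))
    rule = ('alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC \\\n'
            '   Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \\\n'
            '   ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; \\\n'
            '   classtype:non-standard-protocol; sid:1620; rev:2;)')
    print("ip_proto options in sid:1620:", ip_proto_options(rule))
```

Running it as a script flags the PIM packet and not the TCP one, and reports seven ip_proto options in the sid:1620 text, which is why that rule ships disabled.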
