Brian bmc at ...95...
Tue Aug 13 12:45:05 EDT 2002

According to JC:
> alert ip !$HOME_NET any -> $HOME_NET any (msg: "Non standard traffic not
> TCP,UDP,or ICMP, or PIM, or IGMP"; ip_proto: !1; ip_proto: !2; ip_proto:
> !6; ip_proto: !17; ip_proto: !2; ip_proto: !103;)

Actually, this already exists, but is disabled because snort does not
support multiple ip_proto options.

alert ip $EXTERNAL_NET any -> $HOME_NET any                \
   (msg:"BAD TRAFFIC Non-Standard IP protocol";            \
   ip_proto:!1; ip_proto:!2; ip_proto:!6;                  \
   ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; \
   classtype:non-standard-protocol; sid:1620; rev:2;)

The ds_list for ip_proto is not a linked list, so you only get one
ip_proto per signature.  This issue is currently on the TODO list.
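
An added example, not part of the original post and not Snort code: it evaluates the sid:1620 rule's negated ip_proto options as a logical AND over raw IPv4 headers, then repeats the check with only one option honoured to show why the rule is unusable under the one-option limit. The HOME_NET value and sample packets are constructed, and keeping the first option in the one-slot case is an assumption (the post does not say which one survives).

```python
import re
import struct
from ipaddress import ip_address, ip_network

RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; '
        'ip_proto:!6; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; '
        'classtype:non-standard-protocol; sid:1620; rev:2;)')
HOME_NET = ip_network("192.0.2.0/24")  # constructed stand-in for $HOME_NET

def negated_protos(rule):
    """Collect the protocol number from every ip_proto:!N option in a rule."""
    return [int(n) for n in re.findall(r"ip_proto:\s*!(\d+)", rule)]

def ipv4_fields(packet):
    """Return (protocol, src, dst) read from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[9], ip_address(packet[12:16]), ip_address(packet[16:20])

def matches(packet, excluded):
    """External -> home traffic whose protocol passes every !N test (logical AND)."""
    proto, src, dst = ipv4_fields(packet)
    if src in HOME_NET or dst not in HOME_NET:
        return False
    return all(proto != n for n in excluded)

def header(proto, src, dst):
    """Build a constructed 20-byte IPv4 header; checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)

# Constructed sample traffic, not captured packets.
SAMPLES = {
    "tcp": header(6, "198.51.100.7", "192.0.2.10"),
    "icmp": header(1, "198.51.100.7", "192.0.2.10"),
    "ospf": header(89, "198.51.100.7", "192.0.2.10"),
    "exp253": header(253, "198.51.100.7", "192.0.2.10"),
    "outbound": header(253, "192.0.2.10", "198.51.100.7"),
}

def alerts(excluded):
    """Names of the sample packets the rule would alert on."""
    return sorted(name for name, pkt in SAMPLES.items() if matches(pkt, excluded))

if __name__ == "__main__":
    every = negated_protos(RULE)
    print("all options honoured:", alerts(every))
    print("one option honoured: ", alerts(every[:1]))  # assumed one-slot model
```

With every option applied, only the protocol 253 packet alerts; with a single negation in force, ordinary TCP and OSPF traffic alerts as well.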

