[Snort-sigs] multiple ip_proto rule

Andreas Östling andreaso at ...58...
Tue Aug 13 13:37:02 EDT 2002


On Tue, 13 Aug 2002, Brian wrote:

> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC        \
>   Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \
>   ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89;           \
>   classtype:non-standard-protocol; sid:1620; rev:2;)

Isn't this what "allowed_ip_protocols" in spp_conversion is supposed to
do (when finished)?

/Andreas





More information about the Snort-sigs mailing list