[Snort-sigs] multiple ip_proto rule

Chris Green cmg at ...435...
Tue Aug 13 20:22:02 EDT 2002


Andreas Östling <andreaso at ...58...> writes:

> On Tue, 13 Aug 2002, Brian wrote:
>
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC        \
>>   Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \
>>   ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89;           \
>>   classtype:non-standard-protocol; sid:1620; rev:2;)
>
> Isn't this what "allowed_ip_protocols" in spp_conversion is supposed to
> do (when finished)?
>

Ok fixed this one.

preprocessor conversation: allowed_ip_protocols 1 2 6 47 50 51 90, alert_odd_protocols


ip_proto: !1,2,3,4,5

doesn't look right but it's easier to implement. I'll think about that
one overnight.
-- 
Chris Green <cmg at ...435...>
Laugh and the world laughs with you, snore and you sleep alone.
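
An added example, not part of the original message: a Python check that pulls the protocol numbers exempted by the rule's negated ip_proto options and the numbers listed after allowed_ip_protocols, then reports any number that appears in one but not the other. The function names are made up for illustration, and the rule is assumed to be read as a conjunction of its options.

```python
import re

# Both inputs are copied verbatim from the message above.
RULE = r'''alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC        \
  Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; \
  ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89;           \
  classtype:non-standard-protocol; sid:1620; rev:2;)'''
PREPROC = ("preprocessor conversation: allowed_ip_protocols "
           "1 2 6 47 50 51 90, alert_odd_protocols")


def rule_excluded_protocols(rule):
    """Protocol numbers the rule exempts via negated ip_proto options."""
    text = re.sub(r"\\\s*\n\s*", " ", rule)       # join continuation lines
    body = text[text.index("(") + 1:text.rindex(")")]
    body = re.sub(r'"[^"]*"', '""', body)         # skip quoted strings (msg)
    return {int(n) for n in re.findall(r"\bip_proto:\s*!\s*(\d+)\s*;", body)}


def preproc_allowed_protocols(line):
    """Protocol numbers listed after allowed_ip_protocols."""
    _, _, args = line.partition(":")
    for opt in args.split(","):                   # options are comma separated
        words = opt.split()
        if words and words[0] == "allowed_ip_protocols":
            return {int(w) for w in words[1:]}
    return set()


def compare(rule, preproc):
    """Protocols that one mechanism lets pass quietly but the other flags."""
    r, p = rule_excluded_protocols(rule), preproc_allowed_protocols(preproc)
    return {"rule_only": sorted(r - p), "preprocessor_only": sorted(p - r)}


def rule_fires(rule, proto):
    """Assumption: options are ANDed, so every negation must hold to alert."""
    return all(proto != n for n in rule_excluded_protocols(rule))


if __name__ == "__main__":
    print(compare(RULE, PREPROC))
    for proto in (6, 89, 90, 132):                # constructed sample values
        print(proto, "alerts" if rule_fires(RULE, proto) else "passes")
```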