[Snort-sigs] SID 1620, Non-Standard IP Protocol question

Daniel Reich me at ...1518...
Thu May 15 08:40:03 EDT 2003


alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP
protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; ip_proto:!50;
ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:3;)

Shouldn't this rule also exclude proto 17 (udp)?

Cheers

-dr




More information about the Snort-sigs mailing list