[Snort-sigs] BAD TRAFFIC Non-Standard IP protocol

Daniél Haslinger daniel.haslinger at ...1846...
Thu Sep 11 05:48:09 EDT 2003


Rule: alert ip $EXTERNAL_NET any -> $HOME_NET any 
(msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; 
ip_proto:!6; ip_proto:!17 ip_proto:!47; ip_proto:!50; ip_proto:!51; 
ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:3;) 
-- 
Sid: 1620 
-- 
Comment: The Author if the original rule forgot to include IP_PROTO:!17 
(UDP), without this Snort will trigger every UDP Packet as BAD TRAFFIC Non-
Standard IP protocol, but UDP in my opinion IS!
--

hope that helps,
Daniél

-- 
:: Daniél Haslinger
:: Security and Development

-- Rotheneder GmbH
-- Schillerplatz 1/1/1
-- 3100 St.Pölten

... www.rotheneder.com
... daniel.haslinger at ...1846...




More information about the Snort-sigs mailing list