[Snort-sigs] SID 4638

Paul Schmehl pauls at ...1311...
Fri Jun 1 17:00:49 EDT 2007


--On Friday, June 01, 2007 22:19:27 +0200 rmkml <rmkml at ...324...> wrote:

> And do you have false alerts if you add ip_proto:46; to this rule?

I don't think that's possible, is it?  This rule is looking at the data in 
a packet *not* at the IP header.  You would need to sort that out first, 
and I don't think snort has that ability.  Or is the data going to include 
the protocol somehow?  The tenth byte of the IP header would tell you what 
the protocol is, but I don't think snort has rule syntax that looks at 
that.  (I could definitely be wrong.)

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
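
An added example, not part of the original message and not Snort code: Python that reads the protocol number from the tenth byte of the IPv4 header (offset 9) and only then matches a pattern against the packet data, which is the header-versus-data distinction discussed above. The function names, the `MARK` pattern and the sample packets are constructed for illustration.

```python
import struct

RSVP = 46  # protocol number from the quoted ip_proto:46 suggestion


def parse_ipv4(packet: bytes):
    """Return (protocol, payload) for a raw IPv4 packet; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    header_len = ihl * 4  # IHL counts 32-bit words; options make it > 20
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 5 or total_len < header_len or len(packet) < header_len:
        raise ValueError("inconsistent header or total length")
    protocol = packet[9]  # tenth byte of the IP header
    # Payload starts after the header and options, and ends at total_len
    # (anything beyond that is link-layer padding, not packet data).
    return protocol, packet[header_len:min(total_len, len(packet))]


def matches(packet: bytes, wanted_proto: int, pattern: bytes) -> bool:
    """Header test first, then the data test, as two separate checks."""
    try:
        protocol, payload = parse_ipv4(packet)
    except ValueError:
        return False
    return protocol == wanted_proto and pattern in payload


def build_ipv4(protocol: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed test packet (checksum left at zero, documentation addresses)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         ihl * 4 + len(payload), 0, 0, 64, protocol, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + payload


if __name__ == "__main__":
    for proto in (RSVP, 17):  # same data, different IP protocol
        pkt = build_ipv4(proto, b"xxMARKxx")
        print(proto, matches(pkt, RSVP, b"MARK"))
```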