[Snort-sigs] SID 4638
pauls at ...1311...
Fri Jun 1 17:00:49 EDT 2007
--On Friday, June 01, 2007 22:19:27 +0200 rmkml <rmkml at ...324...> wrote:
> And do you get false alerts if you add ip_proto:46; to this rule?
I don't think that's possible, is it? This rule is looking at the data in
a packet *not* at the IP header. You would need to sort that out first,
and I don't think Snort has that ability. Or is the data going to include
the protocol somehow? The tenth byte of the IP header would tell you what
the protocol is, but I don't think Snort has rule syntax that looks at
that. (I could definitely be wrong.)
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
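
The header-versus-payload distinction discussed in this message, as an added example that is not part of the original post: the IPv4 protocol number sits at byte offset 9 of the header (the tenth byte), and the payload begins only after IHL*4 bytes. The function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 for a header with a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def split_ipv4(packet: bytes):
    """Return (protocol, payload) after validating the IPv4 header."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    hlen = ihl * 4
    if version != 4 or ihl < 5 or len(packet) < hlen:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:hlen]) != 0:
        raise ValueError("bad header checksum")
    # Byte offset 9 (the tenth byte) is the protocol field; options, if
    # present, push the payload start past byte 20.
    return packet[9], packet[hlen:]

def matches(packet: bytes, want_proto: int, content: bytes) -> bool:
    """Header test first, then a content test against the payload only."""
    proto, payload = split_ipv4(packet)
    return proto == want_proto and content in payload

def build_packet(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample packet (addresses from the documentation ranges)."""
    ihl = 5 + len(options) // 4          # options must be a multiple of 4 bytes
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      ihl * 4 + len(payload), 0, 0, 64, proto, 0, src, dst)
    hdr += options
    csum = ipv4_checksum(hdr)            # checksum field is zero at this point
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

# Constructed samples: protocol 46, and a TCP packet (protocol 6) carrying
# four bytes of IP options whose payload has 0x2e (46) as its tenth byte.
SAMPLE_46 = build_packet(46, b"RSVPDATA")
SAMPLE_TCP = build_packet(6, b"\x00" * 9 + b"\x2e" + b"x", options=b"\x01" * 4)

if __name__ == "__main__":
    for name, pkt in (("proto 46", SAMPLE_46), ("tcp", SAMPLE_TCP)):
        print(name, split_ipv4(pkt)[0], matches(pkt, 46, b"\x2e"))
```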