[Snort-sigs] SID 4638
jamie.riden at ...2420...
Fri Jun 1 17:06:28 EDT 2007
On 01/06/07, Paul Schmehl <pauls at ...1311...> wrote:
> --On Friday, June 01, 2007 22:19:27 +0200 rmkml <rmkml at ...324...> wrote:
> > and do you get false alerts if you add ip_proto:46; to this rule?
> I don't think that's possible, is it? This rule is looking at the data in
> a packet *not* at the IP header. You would need to sort that out first,
> and I don't think snort has that ability. Or is the data going to include
> the protocol somehow? The tenth byte of the IP header would tell you what
> the protocol is, but I don't think snort has rule syntax that looks at
> that. (I could definitely be wrong.)
'Fraid so :) e.g.:
/etc/snort/rules/bad-traffic.rules:alert ip any any -> any any
(msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103;
classtype:non-standard-protocol; sid:2189; rev:3;)
"2.3.32 IP proto
The ip_proto keyword allows checks against the IP protocol header. For
a list of protocols that may be specified by name, see /etc/protocols.
Note the use of the ip protocol specification in the rule.
ip_proto:[!] <name or number>;
alert ip !$HOME_NET any -> $HOME_NET any \
(msg: "IGMP traffic detected"; ip_proto: igmp;)"
so ip_proto:46; or ip_proto:rsvp; should do.
Jamie Riden, CISSP / jamesr at ...3216... / jamie at ...3294...
UK Honeynet Project: http://www.ukhoneynet.org/
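The point of the exchange above, in code: the protocol number lives in the IP header (byte offset 9, the "tenth byte" Paul mentions), so a payload content search can never see it, while an ip_proto check reads it straight from the header. The script below is an added example and is not part of the original post or of Snort's source. It emulates the `ip_proto:[!] <name or number>;` form quoted from the manual against hand-built IPv4 packets; the embedded protocol table stands in for /etc/protocols so it runs offline, and the RSVP rule in RULES is hypothetical, not a real VRT signature.

```python
import socket
import struct

# Constructed subset of /etc/protocols (numbers as in the IANA registry), so the
# example runs offline instead of reading the system file.
PROTO_NAMES = {
    "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "rsvp": 46, "gre": 47,
    "esp": 50, "ah": 51, "ospf": 89, "pim": 103, "sctp": 132,
}


def parse_ip_proto_option(value):
    """Parse the argument of the ip_proto option, '[!] <name or number>',
    into (negated, protocol_number). Names are looked up in PROTO_NAMES."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.isdigit():
        number = int(value)
        if not 0 <= number <= 255:
            raise ValueError("protocol number out of range: %d" % number)
        return negated, number
    if value.lower() not in PROTO_NAMES:
        raise ValueError("unknown protocol name: %r" % value)
    return negated, PROTO_NAMES[value.lower()]


def ip_header_protocol(packet):
    """Return the Protocol field of an IPv4 header: byte offset 9, i.e. the
    tenth byte. Returns None for anything that is not a complete IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return packet[9]


def ip_proto_matches(option, packet):
    """Emulate ip_proto: compare the header Protocol field, honouring '!'."""
    negated, wanted = parse_ip_proto_option(option)
    proto = ip_header_protocol(packet)
    if proto is None:
        return False
    return proto != wanted if negated else proto == wanted


def payload_contains(packet, needle):
    """Emulate a content: style check, which only sees the bytes after the
    IP header (the IHL field gives the header length in 32-bit words)."""
    ihl = (packet[0] & 0x0F) * 4
    return needle in packet[ihl:]


def build_ipv4(proto, payload=b"", src="10.0.0.1", dst="10.0.0.2"):
    """Construct a minimal IPv4 packet (20-byte header, checksum left zero).
    Constructed test input only; nothing here puts it on the wire."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


# Rules in the shape of the ones quoted above; the RSVP entry is a hypothetical
# rule of the kind the thread discusses, not an actual VRT signature.
RULES = [
    ("BAD-TRAFFIC IP Proto 103 PIM", "103"),
    ("IGMP traffic detected", "igmp"),
    ("RSVP traffic detected (hypothetical)", "rsvp"),
]


def fired_rules(packet, rules=RULES):
    """Return the messages of all rules whose ip_proto option matches."""
    return [msg for msg, option in rules if ip_proto_matches(option, packet)]


if __name__ == "__main__":
    rsvp = build_ipv4(46, b"hello")
    print(fired_rules(rsvp))                      # only the RSVP rule fires
    print(ip_proto_matches("!rsvp", rsvp))        # negated form: False
    # The protocol byte sits in the header, so a payload search never sees it,
    # even though the byte is present in the packet as a whole:
    print(payload_contains(rsvp, b"\x2e"), b"\x2e" in rsvp)
```

Both `ip_proto:46;` and `ip_proto:rsvp;` resolve to the same comparison, which is why Jamie's "either should do" holds; the `!` form fires on everything except that protocol, so it is the one to be careful with on a busy sensor.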