[Snort-sigs] SID 4638

Jamie Riden jamie.riden at ...2420...
Fri Jun 1 17:06:28 EDT 2007


On 01/06/07, Paul Schmehl <pauls at ...1311...> wrote:
> --On Friday, June 01, 2007 22:19:27 +0200 rmkml <rmkml at ...324...> wrote:
>
> > and do you have false alert if you add ip_proto:46; on this rules ?
>
> I don't think that's possible, is it?  This rule is looking at the data in
> a packet *not* at the IP header.  You would need to sort that out first,
> and I don't think snort has that ability.  Or is the data going to include
> the protocol somehow?  The tenth byte of the IP header would tell you what
> the protocol is, but I don't think snort has rule syntax that looks at
> that.  (I could definitely be wrong.)

'Fraid so :)   eg.:

/etc/snort/rules/bad-traffic.rules:alert ip any any -> any any
(msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103;
reference:bugtraq,8211; reference:cve,2003-0567;
classtype:non-standard-protocol; sid:2189; rev:3;)

"2.3.32  IP proto

The ip_proto keyword allows checks against the IP protocol header. For
a list of protocols that may be specified by name, see /etc/protocols.
Note the use of the ip protocol specification in the rule.

Format
ip_proto:[!] <name or number>;

alert ip !$HOME_NET any -> $HOME_NET any \
         (msg: "IGMP traffic detected";  ip_proto: igmp;)"

so ip_proto:46; or ip_proto:rsvp; should do.

cheers,
 Jamie
-- 
Jamie Riden, CISSP / jamesr at ...3216... / jamie at ...3294...
UK Honeynet Project: http://www.ukhoneynet.org/




More information about the Snort-sigs mailing list