[Snort-sigs] GRE Rule

PS packetstack at ...2420...
Sun Dec 4 17:31:51 EST 2011


This was taken from the 2.9 manual

"3.2.2 Protocols

The next field in a rule is the protocol. There are four protocols that Snort currently analyzes for suspicious behavior – TCP, UDP, ICMP, and IP. In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc. "

But I do see online where it says that snort does have a GRE decoder and that it has to be enabled when compiling.

I'm not sure what the difference is.


On Dec 4, 2011, at 5:09 PM, Dina Bruzek <dbruzek at ...435...> wrote:

> I believe GRE is supported.
> 
> Dina
> 
> Sent from my iPhone
> 
> On Dec 4, 2011, at 4:56 PM, vmpc vmpc <packetstack at ...2420...> wrote:
> 
>> I want to create a rule that would block anyone trying to connect to my PPTP server after being denied access once. I will be doing this using snortsam. Since the packet that contains the  "Access denied" message is sent back to the PPTP client using the GRE protocol, does that mean that I can't create a rule that will alert on that packet? My understanding is that GRE is not supported at this time. Would it be possible for me to create a general rule that would look at the entire packet and just try to be very specific when it comes to content matching in order to get a match?
>> 
>> Thanks!
>> 
>> ------------------------------------------------------------------------------
>> All the data continuously generated in your IT infrastructure 
>> contains a definitive record of customers, application performance, 
>> security threats, fraudulent activity, and more. Splunk takes this 
>> data and makes sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-novd2d
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> 
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20111204/ae513f14/attachment.html>


More information about the Snort-sigs mailing list