[Snort-sigs] GRE Rule

Joel Esler jesler at ...435...
Mon Dec 5 09:01:46 EST 2011


You need to compile Snort with --enable-gre, which, depending on Snort version, may be on by default (>=2.9.1).

However, you write your rule as you normally would ("alert tcp ...") and the Snort decoder takes care of decoding GRE for you.

Looks like we need to update the Snort Manual.

J


On Dec 4, 2011, at 5:31 PM, PS wrote:

> This was taken from the 2.9 manual
> 
> "3.2.2 Protocols
> 
> The next field in a rule is the protocol. There are four protocols that Snort currently analyzes for suspicious behavior – TCP, UDP, ICMP, and IP. In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc. "
> 
> But I do see online where it says that snort does have a GRE decoder and that it has to be enabled when compiling.
> 
> I'm not sure what the difference is.
> 
> 
> On Dec 4, 2011, at 5:09 PM, Dina Bruzek <dbruzek at ...435...> wrote:
> 
>> I believe GRE is supported.
>> 
>> Dina
>> 
>> Sent from my iPhone
>> 
>> On Dec 4, 2011, at 4:56 PM, vmpc vmpc <packetstack at ...2420...> wrote:
>> 
>>> I want to create a rule that would block anyone trying to connect to my PPTP server after being denied access once. I will be doing this using snortsam. Since the packet that contains the "Access denied" message is sent back to the PPTP client using the GRE protocol, does that mean that I can't create a rule that will alert on that packet? My understanding is that GRE is not supported at this time. Would it be possible for me to create a general rule that would look at the entire packet and just try to be very specific when it comes to content matching in order to get a match?
>>> 
>>> Thanks!
>>> 
>>> ------------------------------------------------------------------------------
>>> All the data continuously generated in your IT infrastructure 
>>> contains a definitive record of customers, application performance, 
>>> security threats, fraudulent activity, and more. Splunk takes this 
>>> data and makes sense of it. IT sense. And common sense.
>>> http://p.sf.net/sfu/splunk-novd2d
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>> http://www.snort.org
>>> 
>>> 
>>> Please visit http://blog.snort.org for the latest news about Snort!
> 
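The point Joel makes above is that a GRE-aware decoder strips the outer IP and GRE headers before rule matching, so a rule written against the inner TCP header ("alert tcp ... -> $HOME_NET 1723") still applies to tunnelled traffic. The following is an added illustration of that decoding step, not code from Snort or from anyone on this thread: it builds a constructed IPv4 packet whose GRE payload carries a second IPv4/TCP packet, walks the GRE flag bits to find the variable-length header (RFC 2784/2890, version 0 only), and then evaluates a rule-like check against the inner headers. Function names, the sample addresses and the hypothetical rule check are all this example's own assumptions; PPTP's enhanced GRE (version 1, PPP payload) is deliberately rejected rather than guessed at.

```python
# Added example (not Snort's code): what "the decoder takes care of GRE" means.
# Outer IPv4 -> GRE -> inner IPv4 -> TCP, then a rule-style match on the inner
# headers. Standard GRE per RFC 2784/2890 (C/K/S flag bits, version 0) only.
import socket
import struct

IPPROTO_GRE = 47
IPPROTO_TCP = 6
GRE_PROTO_IPV4 = 0x0800
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header: no options, checksum left zero (constructed data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header (SYN by default), checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_gre(proto, payload, key=None, seq=None):
    """GRE header with optional Key and Sequence Number fields (RFC 2890)."""
    flags, ext = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        ext += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        ext += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + ext + payload


def parse_ipv4(buf):
    """Return addresses, protocol and payload of an IPv4 packet, with sanity checks."""
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    if buf[0] >> 4 != 4 or ihl < 20 or total > len(buf) or total < ihl:
        raise ValueError("malformed IPv4 header")
    return {"src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20]),
            "proto": buf[9], "payload": buf[ihl:total]}


def parse_gre(buf):
    """Return (protocol_type, payload); the header length depends on the flag bits."""
    flags, proto = struct.unpack("!HH", buf[:4])
    if flags & 0x7:  # version field: PPTP's enhanced GRE uses 1, not handled here
        raise ValueError("only GRE version 0 is handled here")
    off = 4
    if flags & GRE_FLAG_C:
        off += 4  # Checksum + Reserved1
    if flags & GRE_FLAG_K:
        off += 4  # Key
    if flags & GRE_FLAG_S:
        off += 4  # Sequence Number
    if off > len(buf):
        raise ValueError("truncated GRE header")
    return proto, buf[off:]


def decode_gre_tcp(packet):
    """Strip outer IPv4 and GRE, then expose the inner IPv4/TCP fields a rule sees."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    gre_proto, inner_bytes = parse_gre(outer["payload"])
    if gre_proto != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % gre_proto)
    inner = parse_ipv4(inner_bytes)
    if inner["proto"] != IPPROTO_TCP or len(inner["payload"]) < 20:
        raise ValueError("inner packet is not a complete TCP segment")
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "src": inner["src"], "dst": inner["dst"],
            "sport": sport, "dport": dport, "tcp_flags": inner["payload"][13]}


def rule_matches(decoded, home_net_prefix, dport):
    """Hypothetical stand-in for 'alert tcp any any -> $HOME_NET <dport>'."""
    return decoded["dst"].startswith(home_net_prefix) and decoded["dport"] == dport


# Constructed sample: tunnel endpoints 198.51.100.1 -> 203.0.113.1 carrying a
# TCP SYN from 10.0.0.5 to 192.168.1.10:1723 (the PPTP control port).
SAMPLE = build_ipv4("198.51.100.1", "203.0.113.1", IPPROTO_GRE,
                    build_gre(GRE_PROTO_IPV4,
                              build_ipv4("10.0.0.5", "192.168.1.10", IPPROTO_TCP,
                                         build_tcp(40000, 1723)),
                              key=0x1234, seq=7))

if __name__ == "__main__":
    decoded = decode_gre_tcp(SAMPLE)
    print(decoded, rule_matches(decoded, "192.168.1.", 1723))
```

Run as-is, it prints the inner 5-tuple (source 10.0.0.5, destination 192.168.1.10:1723) rather than the tunnel endpoints, which is exactly why a plain "alert tcp" rule matches: by the time rule options are evaluated, the GRE wrapper is already gone. The version check is the defender's caveat: a decoder that silently assumes a fixed-size GRE header would mis-align on keyed or sequenced tunnels and miss the match entirely.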
