[Snort-users] VPN traffic

Dragos Ruiu dr at ...50...
Wed Aug 2 19:38:39 EDT 2000


On Wed, 02 Aug 2000, Bill Pennington wrote:
> I would vote for an any option. There are times when I want to watch
> everything from or to a certain place.
> 
> > ~ : - Is there a way to say "any" for the protocol?


It's not so hard to implement because I've looked at it before.... But I
reiterate, it would also require some more ruleset functionality because
you have to have some way to specify something about the packet
to make an "any" protocol packet cause it to generate an alert... and
since an any packet doesn't necessarily have addresses, flags and 
such as we understand in the IP case.... how do you want to specify 
which "any" packets cause alarms...

Options include.... 
-match ip stuff in "any" packets anyway, and use the current rule syntax (easy to
 develop, but of questionable utility)
-develop some kind of string match function that is anchored to a particular
 arbitrarily user specified position in the packet (with extra bonus points
 for a wildcard mask)
-develop some kind of string match function that is free floating and
 searched for anywhere in any position in the packet (with extra bonus
 points for a wildcard mask). This option could be a bigger CPU use hit.
-develop rulesets for specific protocols such as IGMP (easy), IPX (not)
 etc...  (uhm.... have you looked at ethereal? this is a lot of work!)

I agree that an "any" protocol specifier is a good idea... but there is 
more to developing it than is immediately evident.

cheers,
--dr

 -- 
dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
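As an added illustration of the second and third options above (an anchored byte match versus a free-floating search, each with a wildcard mask), the following C example is not Snort code and not part of the post; the `masked_pattern` type, the function names and the sample frame bytes are all constructed for this example. It also shows why the free-floating variant is the more expensive one: it retries the comparison at every offset of the packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical rule primitive (not Snort's): a byte pattern plus a wildcard
 * mask of the same length. mask[i] == 0xFF means the byte must match exactly,
 * mask[i] == 0x00 means "don't care". */
typedef struct {
    const uint8_t *pat;
    const uint8_t *mask;
    size_t len;
} masked_pattern;

/* Option 2: compare the pattern at one fixed, user-specified offset.
 * Returns 1 on match, 0 on mismatch or if the pattern would run off the end. */
int match_at(const uint8_t *buf, size_t buflen, size_t offset,
             const masked_pattern *p)
{
    if (offset > buflen || p->len > buflen - offset)
        return 0;                       /* bounds check before touching buf */
    for (size_t i = 0; i < p->len; i++) {
        /* XOR gives the differing bits; the mask discards wildcarded ones */
        if (((buf[offset + i] ^ p->pat[i]) & p->mask[i]) != 0)
            return 0;
    }
    return 1;
}

/* Option 3: free-floating search, i.e. the anchored match tried at every
 * offset. Cost is O(buflen * len) per packet, which is the "CPU use hit".
 * Returns the first matching offset, or -1 if none. */
long match_anywhere(const uint8_t *buf, size_t buflen, const masked_pattern *p)
{
    if (p->len == 0 || p->len > buflen)
        return -1;
    for (size_t off = 0; off + p->len <= buflen; off++) {
        if (match_at(buf, buflen, off, p))
            return (long)off;
    }
    return -1;
}

/* Constructed sample frame: Ethernet + IPv4 (protocol 2, IGMP) + an IGMP
 * membership query. Checksums are left as zero; this is test data only. */
static const uint8_t sample_frame[] = {
    0x01, 0x00, 0x5e, 0x00, 0x00, 0x01,   /* dst MAC */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* src MAC */
    0x08, 0x00,                           /* EtherType 0x0800 (IPv4), offset 12 */
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x02, 0x00, 0x00,               /* TTL=1 (offset 22), proto=2 (offset 23) */
    0xc0, 0xa8, 0x01, 0x01,               /* src 192.168.1.1 */
    0xe0, 0x00, 0x00, 0x01,               /* dst 224.0.0.1 */
    0x11, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /* IGMP query */
};

/* Anchored rule: "EtherType 0x0800 at offset 12". Expected: 1. */
int demo_anchored_ethertype(void)
{
    static const uint8_t pat[]  = {0x08, 0x00};
    static const uint8_t mask[] = {0xFF, 0xFF};
    masked_pattern p = { pat, mask, 2 };
    return match_at(sample_frame, sizeof sample_frame, 12, &p);
}

/* Same anchor, IPv6 EtherType 0x86dd instead. Expected: 0. */
int demo_anchored_wrong_ethertype(void)
{
    static const uint8_t pat[]  = {0x86, 0xdd};
    static const uint8_t mask[] = {0xFF, 0xFF};
    masked_pattern p = { pat, mask, 2 };
    return match_at(sample_frame, sizeof sample_frame, 12, &p);
}

/* Free-floating rule: "any byte, then protocol byte 0x02", with the first
 * byte (the TTL) wildcarded. First hit is at offset 22. */
long demo_floating_igmp_proto(void)
{
    static const uint8_t pat[]  = {0x00, 0x02};
    static const uint8_t mask[] = {0x00, 0xFF};
    masked_pattern p = { pat, mask, 2 };
    return match_anywhere(sample_frame, sizeof sample_frame, &p);
}

int main(void)
{
    printf("anchored IPv4 EtherType: %d\n", demo_anchored_ethertype());
    printf("anchored IPv6 EtherType: %d\n", demo_anchored_wrong_ethertype());
    printf("floating proto=2 match at offset: %ld\n", demo_floating_igmp_proto());
    return 0;
}
```

The floating search shows the false-positive side of option 3 as well as its cost: with only two bytes and one of them wildcarded, the pattern is so weak that a hit at offset 22 says little on its own, which is the point the post makes about needing some way to say which "any" packets should alarm.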