[Snort-users] VPN traffic
dr at ...50...
Wed Aug 2 19:38:39 EDT 2000
On Wed, 02 Aug 2000, Bill Pennington wrote:
> I would vote for an any option. There are times when I want to watch
> everything from or to a certain place.
> > Is there a way to say "any" for the protocol?
It's not so hard to implement because I've looked at it before.... But I
reiterate, it would also require some more ruleset functionality because
you have to have some way to specify something about the packet
to make an "any" protocol packet cause it to generate an alert... and
since an "any" packet doesn't necessarily have addresses, flags and
such as we understand in the IP case.... how do you want to specify
which "any" packets cause alarms...
- match IP stuff in "any" packets anyway and use the current rule syntax (easy to
  develop, but of questionable utility)
- develop some kind of string match function that is anchored to a particular
  arbitrarily user-specified position in the packet (with extra bonus points
  for a wildcard mask)
- develop some kind of string match function that is free floating and
  searched for anywhere in any position in the packet (with extra bonus
  points for a wildcard mask). This option could be a bigger CPU use hit.
- develop rulesets for specific protocols such as IGMP (easy), IPX (not)
  etc... (uhm.... have you looked at Ethereal? this is a lot of work!)
I agree that an "any" protocol specifier is a good idea... but there is
more to developing it than is immediately evident.
dursec.com ltd. / kyx.net - we're from the future http://www.dursec.com
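The two string-match designs weighed in the post (a match anchored at a user-specified offset, and a free-floating search, each with a wildcard mask), as an added example that is not part of the original message and is not Snort's code. The packet builder, the rule names, the sample addresses and the three constructed packets (an IGMPv2 membership report, a TCP SYN, and an IP protocol 253 datagram carrying text) are all assumptions made for this illustration. The rules deliberately know nothing about the transport protocol: they are just offset + bytes + mask over the raw IP datagram, which is what "any" forces you into.

```python
# Added example: byte-pattern rules over raw IP datagrams whose protocol is "any".
# Not Snort code. Packet builder, rule names and sample traffic are constructed here.
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 style checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 datagram (20-byte header, no options) for any protocol number."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + payload


def igmpv2_report(group: str) -> bytes:
    """Constructed IGMPv2 membership report: type 0x16, max resp 0, checksum, group."""
    body = b"\x16\x00\x00\x00" + socket.inet_aton(group)
    return body[:2] + struct.pack("!H", ones_complement_checksum(body)) + body[4:]


@dataclass(frozen=True)
class MaskedPattern:
    """Bytes to compare; a 0 bit in mask makes that bit a wildcard."""
    pattern: bytes
    mask: bytes

    def __post_init__(self) -> None:
        if len(self.pattern) != len(self.mask):
            raise ValueError("pattern and mask must be the same length")

    def matches_at(self, data: bytes, offset: int) -> bool:
        end = offset + len(self.pattern)
        if offset < 0 or end > len(data):
            return False
        return all((d & m) == (p & m)
                   for d, p, m in zip(data[offset:end], self.pattern, self.mask))


def anchored_match(pkt: bytes, pat: MaskedPattern, offset: int) -> bool:
    """Anchored design: compare only at the offset the rule writer chose."""
    return pat.matches_at(pkt, offset)


def floating_match(pkt: bytes, pat: MaskedPattern) -> Optional[int]:
    """Free-floating design: try every offset, return the first hit or None.
    Cost is O(len(pkt) * len(pattern)) per rule, the CPU hit the post warns about."""
    for off in range(len(pkt) - len(pat.pattern) + 1):
        if pat.matches_at(pkt, off):
            return off
    return None


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: MaskedPattern
    offset: Optional[int]  # None means free floating

    def fires(self, pkt: bytes) -> bool:
        if self.offset is None:
            return floating_match(pkt, self.pattern) is not None
        return anchored_match(pkt, self.pattern, self.offset)


# Rules written purely in "any" terms: raw offset, bytes, mask. No protocol parsing.
IS_IPV4 = MaskedPattern(b"\x40", b"\xf0")                # version nibble; IHL wildcarded
PROTO_IGMP = MaskedPattern(b"\x02", b"\xff")              # protocol field lives at offset 9
IGMP_REPORT_TYPE = MaskedPattern(b"\x16", b"\xff")        # first payload byte (20-byte header assumed)
MCAST_PREFIX = MaskedPattern(b"\xe0\x00", b"\xf0\x00")    # 224/4 high nibble, next byte wildcarded
KYX_STRING = MaskedPattern(b"KYX", b"\xff\xff\xff")

RULES = [
    Rule("ipv4 packet", IS_IPV4, 0),
    Rule("igmp protocol", PROTO_IGMP, 9),
    Rule("igmpv2 membership report", IGMP_REPORT_TYPE, 20),
    Rule("multicast prefix anywhere", MCAST_PREFIX, None),
    Rule("kyx string anywhere", KYX_STRING, None),
]


def alerts(pkt: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Names of the rules that fire on one datagram, in rule order."""
    return [r.name for r in rules if r.fires(pkt)]


# Constructed sample traffic (no capture involved).
IGMP_REPORT = build_ipv4(2, "10.0.0.5", "224.0.0.22", igmpv2_report("224.0.0.22"))
TCP_SEGMENT = build_ipv4(6, "10.0.0.5", "10.0.0.9",
                         bytes.fromhex("c0a40050" "00000001" "00000000" "5002ffff" "00000000"))
EXPERIMENTAL = build_ipv4(253, "10.0.0.5", "10.0.0.9", b"hello from KYX")

if __name__ == "__main__":
    for label, pkt in (("igmp", IGMP_REPORT), ("tcp", TCP_SEGMENT), ("proto253", EXPERIMENTAL)):
        print(label, alerts(pkt))
```

Two things worth noticing when running it. The free-floating multicast rule fires on the IGMP packet at offset 16, which is the destination address inside the IP header, not the group field in the payload: a floating search over the whole datagram happily matches "IP stuff" even when the rule writer meant the payload, which is the utility problem raised in the first option. The anchored rules only hold for the offset they assume (here, a 20-byte header with no options), so a datagram with IP options would need the offset adjusted or the header length read first.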