[Snort-users] Rule to detect "well-behaved" multicast packets

Jonathan G. Lampe jonathan at ...2170...
Tue Jun 5 17:08:30 EDT 2001


I want to write a pass rule which will ignore certain "well-behaved" UDP
multicast packets on my local network.  (The external router won't let them
out with TTL<32.)  I've gotten this far (I know <32 is illegal!):

pass udp any 192.168.3.0/24 -> 224.0.0.0/8 (ttl: <32);

I do not want the full multicast range (224.0.0.0-239.255.255.255) in my
example , but I think the only way to do get the full range is to do the
following.  (Someone correct me if I'm wrong...)

Complete SNORT Multicast Range (?)
224.0.0.0/6, 228.0.0.0/5, 236.0.0.0/6





More information about the Snort-users mailing list