[Snort-users] IRC BOT and IP protocol 255
bmc at ...950...
Mon Aug 12 07:03:04 EDT 2002
According to Brian Ertel:
> Can Snort log the IP protocol 255? Has anyone
> had any success with logging IRC Network BOT
Yes. If you are using a recent 1.9 snapshot, sid:1627 should look
this. All IP protocols above 134 are either reserved or unassigned,
so you should never see these being used.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; classtype:non-standard-protocol; sid:1627; rev:1;)
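
Added example, not part of the original message or of Snort itself: the same test the rule applies (inbound IPv4 packet whose Protocol field is above 134), written in Python and run over constructed headers. The HOME_NET value, the treatment of $EXTERNAL_NET as "anything outside HOME_NET", and all function names are assumptions made for the illustration.

```python
import ipaddress
import socket
import struct

RULE_THRESHOLD = 134                                 # from ip_proto:>134 in the rule
HOME_NET = ipaddress.ip_network("198.51.100.0/24")   # assumed value for $HOME_NET


def parse_ipv4(packet: bytes):
    """Return (proto, src, dst) from an IPv4 header, or None if it is unusable."""
    if len(packet) < 20:                  # shorter than the minimum IPv4 header
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return packet[9], src, dst            # byte 9 is the Protocol field


def matches_rule(packet: bytes, threshold: int = RULE_THRESHOLD) -> bool:
    """True for an external -> home packet whose protocol number exceeds threshold."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return False
    proto, src, dst = parsed
    inbound = src not in HOME_NET and dst in HOME_NET
    return inbound and proto > threshold


def build_header(proto: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header; checksum is left at 0 and not validated."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


EXT, HOME = "192.0.2.10", "198.51.100.20"            # constructed addresses
SAMPLES = [
    build_header(6, EXT, HOME),      # TCP, inbound: no alert
    build_header(134, EXT, HOME),    # equal to threshold: no alert
    build_header(255, EXT, HOME),    # inbound, above threshold: alert
    build_header(255, HOME, EXT),    # outbound: rule direction does not match
    b"\x45\x00",                     # truncated header: ignored
    build_header(135, EXT, HOME),    # first value above the threshold: alert
]


def scan(packets):
    """Return (index, protocol) for every packet the rule would alert on."""
    return [(i, parse_ipv4(p)[0]) for i, p in enumerate(packets) if matches_rule(p)]


if __name__ == "__main__":
    for idx, proto in scan(SAMPLES):
        print(f"packet {idx}: IP protocol {proto} > {RULE_THRESHOLD}")
```

The threshold is kept as a parameter because the set of assigned IP protocol numbers changes over time.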