[Snort-users] Logging non tcp/udp/icmp packets

Sonika Malhotra sonikam at ...4044...
Mon Mar 4 01:56:14 EST 2002


I would also like to know if this "[!tcp || !udp || !icmp]" works for port
numbers also,
i.e.
log any any -> $HOME_NET [!25 && !53] (msg:"unknown traffic";)

Thanks
sm

"Thomas Porter, Ph.D." wrote:

> I'd like to log all non tcp/udp/icmp packets inbound or outbound. What's
> the right syntax for the rule below? Thanks
>
> # Logging uncommon protocols
> log [!tcp || !udp || !icmp] $EXTERNAL_NET any <> $HOME_NET any (msg:
> "Unknown Protocol";session: printable;)




