[Snort-users] Logging non tcp/udp/icmp packets

Martin Roesch roesch at ...1935...
Mon Mar 4 08:43:15 EST 2002


Do an exception filter:

pass tcp any any -> any any
pass udp any any -> any any
pass icmp any any -> any  any
log ip any any -> any any

For non-IP/ARP protocols, you need to write something into Snort to even
decode them in the first place.  You could just write a shim into the
Ethernet (or other layer 2) decoder and have it log all non-decodable (i.e.
non-IP) protocols....

     -Marty


On 3/4/02 10:48 AM, "John Sage" <jsage at ...2022...> wrote:

> umm..
> 
> ..I think you may need to read "Chapter 2 - Writing Snort Rules
> How to Write Snort Rules and Keep Your Sanity"
> 
> 
> "2.2.2  Protocols
> 
> The next field in a rule is the protocol. There are four Protocols
> that Snort currently analyzes for suspicious behavior - tcp, udp,
> icmp, and ip.
> 
> In the future there may be more, such as ARP, IGRP,
> GRE, OSPF, RIP, IPX, etc."
> 
> IP is, of course, the glue for the other 3: tcp udp and icmp
> 
> But I think you may need to wait a while for the others, apparently.
> 
> 
> Running under Linux, at least, I do have these *ipchains* rules:
> 
> # test for igmp packets
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 2 -d $extip -j DENY -l
> # rule 6
> # test for GRE/pptp packets
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 47 -d $extip -j DENY -l
> # rule 7
> # test for SIPP-ESP packets
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 50 -d $extip -j DENY -l
> # rule 8
> # test for SIPP-AH packets
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 51 -d $extip -j DENY -l
> # rule 9
> 
> so the Linux kernel does recognize these other protocols.
> 
> I might say that I've seen 2 - igmp - and 50 - SIPP-ESP - only once or twice..
> 
> 
> 
> - John





More information about the Snort-users mailing list