[Snort-users] Logging non tcp/udp/icmp packets
roesch at ...1935...
Mon Mar 4 08:43:15 EST 2002
Do an exception filter:
pass tcp any any -> any any
pass udp any any -> any any
pass icmp any any -> any any
log ip any any -> any any
For non-IP/ARP protocols, you need to write something into Snort to even
decode them in the first place. You could just write a shim into the
Ethernet (or other layer 2) decoder and have it log all non-decodable (i.e.
On 3/4/02 10:48 AM, "John Sage" <jsage at ...2022...> wrote:
> ..I think you may need to read "Chapter 2 - Writing Snort Rules
> How to Write Snort Rules and Keep Your Sanity"
> "2.2.2 Protocols
> The next field in a rule is the protocol. There are four Protocols
> that Snort currently analyzes for suspicious behavior - tcp, udp,
> icmp, and ip.
> In the future there may be more, such as ARP, IGRP,
> GRE, OSPF, RIP, IPX, etc."
> IP is, of course, the glue for the other 3: tcp udp and icmp
> But I think you may need to wait a while for the others, apparently.
> Running under Linux, at least, I do have these *ipchains* rules:
> # test for igmp packets
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 2 -d $extip -j DENY -l
> # rule 6
> # test for GRE/pptp packets
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 47 -d $extip -j DENY -l
> # rule 7
> # test for SIPP-ESP packets
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 50 -d $extip -j DENY -l
> # rule 8
> # test for SIPP-AH packets
> /sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 51 -d $extip -j DENY -l
> # rule 9
> so the Linux kernel does recognize these other protocols.
> I might say that I've seen 2 - igmp - and 50 - SIPP-ESP - only once or twice..
> - John
More information about the Snort-users