[Snort-users] non-standard-protocol : BAD-TRAFFIC IP Proto 103 PIM

Gregory S Thomas greg.thomas at ...10143...
Thu May 17 15:11:35 EDT 2007


We modify the rule to make it less noisy:

var MULTICAST_NET 224.0.0.0/4

alert ip any any -> !$MULTICAST_NET any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)

Here's the line in oinkmaster.conf that performs the modification:

modifysid 2189 "->\s*any" | "-> !\$MULTICAST_NET"

Cheers,

-- greg

---------- Original Message ----------
Subject: [Snort-users] non-standard-protocol : BAD-TRAFFIC IP Proto 103 PIM
Date: Thu, 17 May 2007 04:21:56 -0700
From: "David Ryan" <David.Ryan at ...13912...>
To: <snort-users at lists.sourceforge.net>

Hi all, 

I am seeing loads (like 90% of all events) of these events showing up on
one of my Snort sensors.  I have looked at the description here -
http://www.snort.org/pub-bin/sigs.cgi?sid=2189 - and I looked at the
rule definition and it appears to match simply on the existence of IP
protocol 103 as distinct from any payload within it.

I see the traffic coming from two known Cisco routers on the subnet I'm
monitoring and the traffic is destined for 224.0.0.13 which is the
multicast address for PIM -
http://www.networksorcery.com/enp/protocol/pim.htm.  I have also
seen it on other sites and subnets on the network I am monitoring, so I
guess whatever function is causing this traffic to originate from the
router is used across the organisation.

In order to make the output from snort a little more readable (and
because it is matching on the protocol and not the payload) I have
disabled this rule.  I know the protocol in question is a
routing-related protocol, but does anyone have any views or explanation
on the normal use of this protocol?

Thanks, 
David

===========================================

David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan at ...14057...
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
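The effect of the header rewrite in Greg's reply, as an added example that is not part of the original thread and not code from Snort or Oinkmaster: a small Python script that applies the same modifysid substitution to the stock sid 2189 text and then runs a simplified matcher for this rule's header over a few constructed packets. The Packet class, the matcher, the sample addresses and the reconstructed stock header (`any any -> any any`) are assumptions for illustration; the matcher only understands `any`, a CIDR, a single `$VAR` network and `!` negation, not general Snort rule syntax.

```python
import ipaddress
import re
from dataclasses import dataclass

# Reconstructed stock text of sid 2189 (header "any any -> any any"); the rule
# options are copied from the post, the stock header itself is an assumption.
ORIGINAL_RULE = (
    'alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; '
    'ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; '
    'reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)'
)

# Same value as "var MULTICAST_NET 224.0.0.0/4" in the reply.
VARS = {"$MULTICAST_NET": ipaddress.ip_network("224.0.0.0/4")}


def apply_modifysid(rule, pattern=r"->\s*any", replacement="-> !$MULTICAST_NET"):
    r"""Mimic  modifysid 2189 "->\s*any" | "-> !\$MULTICAST_NET"  as a regex substitution.

    A callable replacement keeps the literal '$' from being interpreted by re.sub.
    """
    return re.sub(pattern, lambda _m: replacement, rule, count=1)


MODIFIED_RULE = apply_modifysid(ORIGINAL_RULE)


@dataclass
class Packet:  # hypothetical minimal packet: just the fields the header test needs
    src: str
    dst: str
    proto: int


def _addr_matches(field, addr):
    """Evaluate one header address field: 'any', a CIDR or a $VAR, optionally '!'-negated."""
    negated = field.startswith("!")
    field = field.lstrip("!")
    if field == "any":
        hit = True
    else:
        net = VARS[field] if field.startswith("$") else ipaddress.ip_network(field)
        hit = ipaddress.ip_address(addr) in net
    return hit != negated


def rule_fires(rule, pkt):
    """Simplified check of 'alert ip <src> <sport> -> <dst> <dport> (ip_proto:N; ...)'."""
    header = rule.split("(", 1)[0].split()
    src_field, dst_field = header[2], header[5]
    m = re.search(r"ip_proto:(\d+);", rule)
    if m and pkt.proto != int(m.group(1)):
        return False
    return _addr_matches(src_field, pkt.src) and _addr_matches(dst_field, pkt.dst)


# Constructed traffic: a router's PIM Hello to the PIM multicast group, a
# protocol-103 packet to a unicast host, and ordinary TCP to the same group.
SAMPLE_PACKETS = [
    Packet("10.0.0.1", "224.0.0.13", 103),
    Packet("10.0.0.99", "10.0.0.5", 103),
    Packet("10.0.0.1", "224.0.0.13", 6),
]


def compare(packets=SAMPLE_PACKETS):
    """Return (stock_rule_fires, modified_rule_fires) for each packet."""
    return [(rule_fires(ORIGINAL_RULE, p), rule_fires(MODIFIED_RULE, p)) for p in packets]


if __name__ == "__main__":
    print(MODIFIED_RULE.split("(", 1)[0])
    for pkt, (before, after) in zip(SAMPLE_PACKETS, compare()):
        print(f"{pkt.src:>10} -> {pkt.dst:<12} proto {pkt.proto:<3} stock={before!s:<5} modified={after}")
```

Running it shows the point of the change: the routers' PIM Hellos to 224.0.0.13 stop alerting, while protocol 103 sent to a unicast address still does, so the rewrite removes the expected noise David describes without giving up the unexpected case.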

