[Snort-users] Rule help

Joel Esler eslerj at ...11827...
Tue Dec 23 17:49:32 EST 2008


ip means tcp, udp, icmp, ip, igmp, eigrp, etc.

ip means everything.  Thusly it's not port bound and can't be.

J

On Dec 23, 2008, at 3:50 PM, Jefferson, Shawn allegedly wrote:

> I guess I misunderstand what "ip" refers to.  I assumed it meant  
> "tcp AND udp", and ports would be valid with both.  Oops.
>
> -----Original Message-----
> From: Jack Pepper [mailto:pepperjack at ...14319...]
> Sent: December 23, 2008 12:40 PM
> To: Jefferson, Shawn
> Cc: Snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Rule help
>
> Quoting "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>:
>
>> Is this in the docs anywhere? I've got the rule writing section in
>> front of me and didn't see that in the protocol section.  That would
>> have been nice to know up front. :)
>>
>
> The "oddity" isn't that snort rule syntax ignores port numbers on IP.
> That's part of the IP protocol.  The "oddity" IMO is that snort does
> not escalate a syntax error on IP protocol if the port is anything
> other than "any".
>
> jp
>
>
> -- 
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler
  http://www.joelesler.net
[m]
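Jack Pepper's point above is that Snort accepts an `ip` rule whose port is not `any` without complaint, so the port is silently ignored and the rule matches far more than the author intended. The following is an added example, not code from the thread or from the Snort project: a small pre-deployment lint that parses Snort rule headers and flags that condition. The sample rules and sids are constructed for the demonstration.

```python
import re

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)

# Protocols that carry no port field: Snort ignores whatever is written there.
PORTLESS_PROTOS = {"ip", "icmp"}


def check_rule(rule):
    """Return a list of warnings for one rule line (empty list means OK)."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["unparseable rule header"]
    proto = m.group("proto").lower()
    warnings = []
    if proto in PORTLESS_PROTOS:
        for field in ("sport", "dport"):
            port = m.group(field)
            if port.lower() != "any":
                warnings.append(
                    f"proto {proto} ignores ports but {field}={port!r}; "
                    f"use 'any' or change proto to tcp/udp if the port matters"
                )
    return warnings


def check_rules(text):
    """Map line number -> warnings for every non-comment rule in a rules file."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        found = check_rule(line)
        if found:
            results[lineno] = found
    return results


# Constructed sample rules: only the first one has the port problem.
RULES = """\
# constructed sample rules for the lint
alert ip any any -> any 80 (msg:"port silently ignored"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"port honoured"; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"valid ip rule"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for lineno, warnings in check_rules(RULES).items():
        for w in warnings:
            print(f"line {lineno}: {w}")
```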
