[Snort-users] Cisco Proprietary Protocol and Snort

Al Lewis (allewi) allewi at ...589...
Tue Jan 27 06:05:12 EST 2015

Can you provide a sample of the traffic?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Jutichai Thongkrachai [mailto:thsecmaniac at ...11827...]
Sent: Monday, January 26, 2015 11:46 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Cisco Proprietary Protocol and Snort

My Snort keeps telling me that it detects "snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol" (Sid:450, Gid:116) hourly, which comes from my Cisco switch sending multicast packets to the network with its proprietary PIM protocol (sparse-dense-mode).
I'm curious that my Snort cannot decode the Cisco PIM protocol, so it detects it as
"WARNING: BAD-TRAFFIC Bad IP protocol". Is it possible?