Snort mailing list archives
Re: Logging non tcp/udp/icmp packets
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 04 Mar 2002 11:42:36 -0500
Do an exception filter:

pass tcp any any -> any any
pass udp any any -> any any
pass icmp any any -> any any
log ip any any -> any any

For non-IP/ARP protocols, you need to write something into Snort to even decode them in the first place. You could just write a shim into the Ethernet (or other layer 2) decoder and have it log all non-decodable (i.e. non-IP) protocols....

-Marty

On 3/4/02 10:48 AM, "John Sage" <jsage () finchhaven com> wrote:
umm.. ..I think you may need to read "Chapter 2 - Writing Snort Rules / How to Write Snort Rules and Keep Your Sanity":

"2.2.2 Protocols
The next field in a rule is the protocol. There are four Protocols that Snort currently analyzes for suspicious behavior - tcp, udp, icmp, and ip. In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc."

IP is, of course, the glue for the other 3: tcp udp and icmp

But I think you may need to wait a while for the others, apparently.

Running under Linux, at least, I do have these *ipchains* rules:

# test for igmp packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 2 -d $extip -j DENY -l # rule 6
# test for GRE/pptp packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 47 -d $extip -j DENY -l # rule 7
# test for SIPP-ESP packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 50 -d $extip -j DENY -l # rule 8
# test for SIPP-AH packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 51 -d $extip -j DENY -l # rule 9

so the Linux kernel does recognize these other protocols.

I might say that I've seen 2 - igmp - and 50 - SIPP-ESP - only once or twice..

- John
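The exception filter Marty describes, written out as an added Python example (not code from the thread or from Snort itself): it reads the ethertype and the IPv4 protocol field, lets tcp/udp/icmp and ARP pass, and emits a log record for everything else, including the non-IP frames his layer-2 shim would have to catch. The sample frames are constructed inline, not captured traffic.

```python
import struct

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
PASS_PROTOS = {6: "tcp", 17: "udp", 1: "icmp"}   # the three "pass" rules in the filter

def classify_frame(frame: bytes):
    """None when a pass rule would match (tcp/udp/icmp over IPv4, or ARP);
    otherwise a log record, like 'log ip any any -> any any' plus a layer-2 shim."""
    if len(frame) < 14:
        return {"verdict": "log", "reason": "truncated ethernet frame"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return None                                  # ARP is decoded, nothing to log
    if ethertype != ETHERTYPE_IP:
        return {"verdict": "log", "layer": 2, "ethertype": hex(ethertype)}
    ip = frame[14:]
    if len(ip) < 20:
        return {"verdict": "log", "reason": "truncated ip header"}
    proto = ip[9]                                    # IPv4 protocol field
    if proto in PASS_PROTOS:
        return None                                  # tcp/udp/icmp: pass
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return {"verdict": "log", "layer": 3, "proto": proto, "src": src, "dst": dst}

def log_exceptions(frames):
    """Apply the exception filter to a batch of frames; keep only the log records."""
    return [rec for rec in map(classify_frame, frames) if rec is not None]

# --- constructed sample frames (hypothetical addresses, not captured traffic) ---
def _ipv4(proto, src, dst):
    pack_addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       pack_addr(src), pack_addr(dst))

def _frame(ethertype, payload):
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ethertype) + payload

SAMPLE_FRAMES = {
    "tcp":  _frame(ETHERTYPE_IP, _ipv4(6, "10.0.0.1", "10.0.0.2")),
    "igmp": _frame(ETHERTYPE_IP, _ipv4(2, "10.0.0.1", "224.0.0.1")),
    "gre":  _frame(ETHERTYPE_IP, _ipv4(47, "10.0.0.1", "10.0.0.2")),
    "esp":  _frame(ETHERTYPE_IP, _ipv4(50, "10.0.0.1", "10.0.0.2")),
    "ipx":  _frame(0x8137, b"\xff\xff\x00\x1e"),   # Novell IPX over Ethernet II
}

if __name__ == "__main__":
    for rec in log_exceptions(SAMPLE_FRAMES.values()):
        print(rec)
```

When doing this with real Snort 1.x rules, remember that alert rules are evaluated before pass rules by default; start Snort with -o to switch the order to pass, alert, log so the pass rules actually take effect first.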