Re: Snort rule syntax to match multiple itypes that are NOT consecutive

["ab1197590 () gmail com" <ab1197590 () gmail com>]

Thanks Alex,

I was using two seperate rules, but I thought there might have been
another way. I am glad that you were able to confirm this was not the
case.

Maybe this is something that can appear on the wishlist for a future
version of Snort?

Thanks again.

On Tue, Jan 25, 2011 at 2:11 PM, Alex Kirk <akirk () sourcefire com> wrote:
> Looking at PraseIcmpType in src/detection-plugins/sp_icmp_type_check.c, no,
> it can't be done. The only possibilities are a single value, a value greater
> or less than a specified digit, or a consecutive range.
> It's not going to make much difference to have two distinct rules, so just
> go ahead and do that.
>
> On Fri, Jan 21, 2011 at 7:54 PM, ab1197590 () gmail com <ab1197590 () gmail com>
> wrote:
> > Hello list,
> >
> > I was trying to make a snort rule in which one could match multiple
> > ICMP types that are _not_ consecutive. For example ICMP echo requests
> > or replies between two IPs (e.g: 10.10.10.101 and 10.10.10.100).
> >
> > I have tried too syntaxs which did not work.
> >
> > 1) Tried specifying two itype fields, but this was invalid.
> > 2) Tried putting a space in between the numbers 0 and 8 to denote Echo
> > Requests and Echo Replies.
> >
> >
> > So can this be done?
> >
> >
> > > From the Snort manual:
> >
> > 3.6.14 itype
> > The itype keyword is used to check for a specific ICMP type value.
> > Format
> >    itype:[<|>]<number>[<><number>];
> > Example
> > This example looks for an ICMP type greater than 30.
> >    itype:>30;
> > 3.6.15 icode
> > The icode keyword is used to check for a specific ICMP code value.
> > Format
> >    icode: [<|>]<number>[<><number>];
> > Example
> > This example looks for an ICMP code greater than 30.
> >    code:>30;
> >
> >
> > Any help would be much appreciated.
> >
> > Thanks.
> >
> >
> > ------------------------------------------------------------------------------
> > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> > Finally, a world-class log management solution at an even better
> > price-free!
> > Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> > February 28th, so secure your free ArcSight Logger TODAY!
> > http://p.sf.net/sfu/arcsight-sfd2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk () sourcefire com

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users