Snort mailing list archives

Re: IP Protocol Rules?


From: jorbru30 () comcast net
Date: Tue, 3 Jul 2012 02:01:09 +0000 (UTC)


Thank you very much everyone for the detailed response. 
I am trying to understand snort performance details for a school project. 
Thanks! 
Jorda. 
----- Original Message -----
From: "Joel Esler" <jesler () sourcefire com> 
To: "Livio () metaflows com" <livio () metaflows com> 
Cc: snort-devel () lists sourceforge net 
Sent: Sunday, July 1, 2012 3:30:13 PM 
Subject: Re: [Snort-devel] IP Protocol Rules? 


IP rules are evaluated against all protocols. If you can specify tcp or udp, that's obviously the better idea. People 
insist on writing IP rules, but as someone else in this thread already pointed out, these rules are bad performers. 


What are you trying to accomplish? 



-- 
Joel Esler 



On Sunday, July 1, 2012 at 6:01 PM, Livio () metaflows com wrote: 



I would talk to Silicom. They are cheaper 82599s and come with a prepaid DNA license. You can't go wrong.
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity. 


Joshua Kinard < kumba () gentoo org > wrote: 
<blockquote>

On 07/01/2012 4:04 PM, Tony Robinson wrote: 
IP protocol rules are rules that trigger against IP traffic. In the 
standard snort rule header, you can specify a rule function 
[Alert/Pass/Drop], a protocol, [TCP/UDP/ICMP/IP], network or address 1 
[address/IPvar], source port [port/icmp code], where the traffic flows 
[direction], network or address 2 [address/IPvar], destination port 
[port/icmp code]. 

IP Protocol rules are simply rules that trigger against rule content with 
IP chosen as the protocol. If IP is chosen as the protocol you cannot 
specify a port or an ICMP code. Snort will do content matching against ALL 
IP packets. The rule header for an IP rule will usually look something like 
this: 


alert ip [address 1] any -> [address 2] any [rule content goes here]

If you want to see an example of an IP protocol rule, take a look at rule 
18997 

http://www.snort.org/search/sid/18997?r=1 

it's a rule that alerts against IP protocol traffic and has a specific 
content match. The other use case for IP rules is to block traffic from 
certain IP addresses when we don't know the content, or more than one type 
of protocol may be used to communicate. These rules aren't very good 
performers, but will do in a pinch if you know, say, the ip address of a 
known CNC server and just want to alert against any traffic going to/from 
that ip address. 

SIDs 20523 and 20524 are examples of this -- blocking known IP addresses 
for Duqu CNC hosts. 

Hope this answers the question. 

-Tony 

I'll add that IP protocol rules also make use of the "ip_proto" keyword. 
You usually want to put this keyword into any "alert ip" rule, as Snort's 
fast-pattern matcher will use the protocol number as the "destination port" 
to prime the fp algorithm to quickly judge which packets to keep for further 
inspection. 

I.e., if you wanted to alert on SCTP traffic containing the string "foobar": 
alert ip any any -> any any (msg:"SCTP Traffic"; ip_proto:132; 
content:"foobar"; nocase; sid:123456789; rev:1; classtype:misc-activity;) 

You have to be VERY careful with IP proto rules.  They can quickly bring 
Snort to its knees if used incorrectly. 

-- 
Joshua Kinard 
Gentoo/MIPS 
kumba () gentoo org 
4096R/D25D95E3 2011-03-28 

"The past tempts us, the present confuses us, the future frightens us.  And 
our lives slip away, moment by moment, lost in that vast, terrible in-between." 

--Emperor Turhan, Centauri Republic 





Live Security Virtual Conference 
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ 

Snort-devel mailing list 
Snort-devel () lists sourceforge net 
https://lists.sourceforge.net/lists/listinfo/snort-devel 

Please visit http://blog.snort.org for the latest news about Snort! 



</blockquote>
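As an added example that is not from the thread or from the Snort project, a small Python lint that applies Tony's and Joshua's points to a ruleset before it is deployed: it parses the rule header, flags `ip` rules that carry a port (ports and ICMP codes do not apply to protocol ip), and flags `alert ip` rules with no `ip_proto` keyword, which is the case that gets evaluated against every IP packet. The sample rules, SIDs and addresses are constructed placeholders.

```python
import re

# Constructed sample ruleset (not from the thread; SIDs and addresses are placeholders).
SAMPLE_RULES = [
    'alert ip any any -> any any (msg:"SCTP Traffic"; ip_proto:132; content:"foobar"; nocase; sid:1000001; rev:1;)',
    'alert ip any any -> 192.0.2.10 any (msg:"Traffic to known C2 host"; sid:1000002; rev:1;)',
    'alert ip any any -> any 80 (msg:"Port on an ip rule"; content:"x"; sid:1000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Plain tcp rule"; content:"GET"; sid:1000004; rev:1;)',
]

# Rule header: action, protocol, src addr, src port, direction, dst addr, dst port, then (options).
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

def parse_rule(rule):
    """Split a one-line Snort rule into header fields and an option dict.
    Options are split on ';', so this assumes no ';' inside quoted content."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {rule!r}")
    header = m.groupdict()
    options = {}
    for opt in header.pop('opts').split(';'):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(':')
            options[key.strip()] = value.strip()
    return header, options

def lint_ip_rule(rule):
    """Return a list of findings for one rule; non-ip rules produce none."""
    header, options = parse_rule(rule)
    findings = []
    if header['proto'] != 'ip':
        return findings
    if header['sport'] != 'any' or header['dport'] != 'any':
        findings.append('port given on an ip rule: ports and ICMP codes do not apply to protocol ip')
    if 'ip_proto' not in options:
        findings.append('no ip_proto: rule is evaluated against every IP packet with nothing to prime fast-pattern')
    if 'content' not in options and 'ip_proto' not in options:
        findings.append('address-only ip rule: fine in a pinch for a known bad host, but a poor performer at scale')
    return findings

def lint_ruleset(rules):
    """Map each rule's sid to its findings so a whole ruleset can be reviewed at once."""
    return {parse_rule(r)[1].get('sid', '?'): lint_ip_rule(r) for r in rules}

if __name__ == '__main__':
    for sid, findings in lint_ruleset(SAMPLE_RULES).items():
        print(sid, findings or 'ok')
```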


