Snort mailing list archives

Re: Logging non tcp/udp/icmp packets

From: John Sage <jsage () finchhaven com>
Date: Mon, 4 Mar 2002 07:48:39 -0800

umm..

..I think you may need to read "Chapter 2 - Writing Snort Rules
How to Write Snort Rules and Keep Your Sanity"


"2.2.2  Protocols

The next field in a rule is the protocol. There are four Protocols
that Snort currently analyzes for suspicious behavior - tcp, udp,
icmp, and ip.

In the future there may be more, such as ARP, IGRP,
GRE, OSPF, RIP, IPX, etc."

IP is, of course, the glue for the other 3: tcp udp and icmp

But I think you may need to wait a while for the others, apparently.


Running under Linux, at least, I do have these *ipchains* rules:

# test for igmp packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 2 -d $extip -j DENY -l
# rule 6
# test for GRE/pptp packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 47 -d $extip -j DENY -l
# rule 7
# test for SIPP-ESP packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 50 -d $extip -j DENY -l
# rule 8
# test for SIPP-AH packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 51 -d $extip -j DENY -l
# rule 9

so the Linux kernel does recognize these other protocols.

I might say that I've seen 2 - igmp - and 50 - SIPP-ESP - only once or twice..



- John
-- 
Most people don't type their own logfiles;  but, what do I care?



On Mon, Mar 04, 2002 at 03:30:14PM +0530, Sonika Malhotra wrote:

I would also like to know if this "[!tcp || !udp || !icmp] " works for port
numbers also.
ie
log any any -> $HOME_NET [!25 && !53] (msg:"unknown traffic";)

thanx
sm

"Thomas Porter, Ph.D." wrote:

I'd like to log all non tcp/udp/icmp packets inbound or outbound. What's
the right syntax for the rule below? Thanks

# Logging uncommon protocols
log [!tcp || !udp || !icmp] $EXTERNAL_NET any <> $HOME_NET any (msg:
"Unknown Protocol";session: printable;)


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Logging non tcp/udp/icmp packets Thomas Porter, Ph.D. (Mar 01)
- Re: Logging non tcp/udp/icmp packets Sonika Malhotra (Mar 04)
  - Re: Logging non tcp/udp/icmp packets John Sage (Mar 04)
    - Re: Logging non tcp/udp/icmp packets Martin Roesch (Mar 04)