Snort mailing list archives
Re: Logging non tcp/udp/icmp packets
From: John Sage <jsage () finchhaven com>
Date: Mon, 4 Mar 2002 07:48:39 -0800
umm.. ..I think you may need to read "Chapter 2 - Writing Snort Rules: How to Write Snort Rules and Keep Your Sanity":

"2.2.2 Protocols
The next field in a rule is the protocol. There are four protocols that Snort currently analyzes for suspicious behavior - tcp, udp, icmp, and ip. In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc."

IP is, of course, the glue for the other 3: tcp, udp and icmp. But I think you may need to wait a while for the others, apparently.

Running under Linux, at least, I do have these *ipchains* rules:

# test for igmp packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 2 -d $extip -j DENY -l # rule 6
# test for GRE/pptp packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 47 -d $extip -j DENY -l # rule 7
# test for SIPP-ESP packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 50 -d $extip -j DENY -l # rule 8
# test for SIPP-AH packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 51 -d $extip -j DENY -l # rule 9

so the Linux kernel does recognize these other protocols.

I might say that I've seen 2 - igmp - and 50 - SIPP-ESP - only once or twice..

- John

--
Most people don't type their own logfiles; but, what do I care?

On Mon, Mar 04, 2002 at 03:30:14PM +0530, Sonika Malhotra wrote:
> I would also like to know if this "[!tcp || !udp || !icmp]" works for port numbers also, i.e.
>
> log any any -> $HOME_NET [!25 && !53] (msg:"unknown traffic";)
>
> thanks
> sm
>
> "Thomas Porter, Ph.D." wrote:
>
> > I'd like to log all non tcp/udp/icmp packets inbound or outbound. What's the right syntax for the rule below?
> >
> > Thanks
> >
> > # Logging uncommon protocols
> > log [!tcp || !udp || !icmp] $EXTERNAL_NET any <> $HOME_NET any (msg: "Unknown Protocol"; session: printable;)
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
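Added illustration for this thread (editor's code, not Snort's and not the ipchains rules John posted): a small Python classifier that does what those ipchains rules do, namely read the single protocol field of the IPv4 header and flag anything that is not icmp (1), tcp (6) or udp (17). It also makes two points the thread raises concrete: a literal "not tcp OR not udp OR not icmp" is true for every packet, because a packet carries exactly one protocol number and so at least two of the three negations always hold, and port numbers (the [!25 && !53] question) live in the tcp/udp header, so a port test only means anything after the protocol test has already selected tcp or udp. All packets are constructed inline; 10.0.0.0/24 as the home network and the addresses used are assumptions.

```python
"""IPv4 protocol-number classifier (added example, not Snort or ipchains code).

Reads the one protocol field in the IPv4 header and decides whether a packet
is tcp/udp/icmp or something else, the way John's ipchains -p rules do.
Every packet below is constructed by hand; 10.0.0.0/24 is an assumed home net.
"""
import struct

# IANA protocol numbers for the protocols named in the thread.
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp",
               47: "gre", 50: "esp", 51: "ah"}
COMMON = {1, 6, 17}          # the three protocols a rule can name directly


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal 20-byte IPv4 header (no options) plus payload."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, header_len); reject anything malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return pkt[9], src, dst, ihl


def not_common(proto: int) -> bool:
    """The intended test: the protocol is none of tcp, udp, icmp."""
    return proto not in COMMON


def naive_or_of_negations(proto: int) -> bool:
    """Literal reading of "!tcp || !udp || !icmp".  A packet has exactly one
    protocol number, so at least two negations hold and this is True for
    every packet, tcp included."""
    return proto != 6 or proto != 17 or proto != 1


def uncommon_protocol_log(pkt: bytes):
    """One log line for a non-tcp/udp/icmp packet, None otherwise."""
    proto, src, dst, _ = parse_ipv4(pkt)
    if not not_common(proto):
        return None
    name = PROTO_NAMES.get(proto, "other")
    return f"uncommon protocol: {src} -> {dst} proto {proto} ({name})"


def transport_ports(pkt: bytes):
    """(sport, dport) for tcp/udp; None for anything else.  A port test is
    only meaningful once the protocol test has selected tcp or udp."""
    proto, _, _, ihl = parse_ipv4(pkt)
    if proto not in (6, 17) or len(pkt) < ihl + 4:
        return None
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


if __name__ == "__main__":
    # Constructed sample traffic: one packet per protocol John's rules cover,
    # plus ordinary tcp (port 25) and udp (port 53) for contrast.
    samples = [build_ipv4(p, "192.0.2.7", "10.0.0.5") for p in (2, 47, 50, 51)]
    samples.append(build_ipv4(6, "192.0.2.7", "10.0.0.5",
                              b"\x10\xe1\x00\x19" + b"\x00" * 16))
    samples.append(build_ipv4(17, "10.0.0.5", "192.0.2.9",
                              b"\xc3\x50\x00\x35\x00\x08\x00\x00"))
    for pkt in samples:
        line = uncommon_protocol_log(pkt)
        print(line if line else
              f"pass: proto {parse_ipv4(pkt)[0]} ports {transport_ports(pkt)}")
```

Running it prints a log line for the igmp, gre, esp and ah packets and "pass" for the tcp and udp ones; the `naive_or_of_negations` helper is there only to show that the disjunction form of the rule would have matched all six.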
Current thread:
- Logging non tcp/udp/icmp packets Thomas Porter, Ph.D. (Mar 01)
- Re: Logging non tcp/udp/icmp packets Sonika Malhotra (Mar 04)
- Re: Logging non tcp/udp/icmp packets John Sage (Mar 04)
- Re: Logging non tcp/udp/icmp packets Martin Roesch (Mar 04)
- Re: Logging non tcp/udp/icmp packets John Sage (Mar 04)
- Re: Logging non tcp/udp/icmp packets Sonika Malhotra (Mar 04)