Snort mailing list archives

Re: Rule help


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 23 Dec 2008 15:51:28 -0700

Thanks for the info!  You guys have been a great help!

-----Original Message-----
From: Joel Esler [mailto:eslerj () gmail com] 
Sent: December 23, 2008 2:50 PM
To: Jefferson, Shawn
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule help

ip means, tcp, udp, icmp, ip, igmp, eigrp..etc..

ip means everything.  Thusly it's not port bound and can't be.

J

On Dec 23, 2008, at 3:50 PM, Jefferson, Shawn allegedly wrote:

I guess I misunderstand what "ip" refers to.  I assumed it meant  
"tcp AND udp", and ports would be valid with both.  Oops.

-----Original Message-----
From: Jack Pepper [mailto:pepperjack () afferentsecurity com]
Sent: December 23, 2008 12:40 PM
To: Jefferson, Shawn
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule help

Quoting "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>:

Is this in the docs anywhere? I've got the rule writing section in
front of me and didn't see that in the protocol section.  That would
have been nice to know up front. :)


the "oddity" isn't that snort rule syntax ignores port numbers on IP.
That's part of the IP protocol.  the "oddity" IMO is that snort does
not escalate a syntax error on IP protocol if the port is anything
other than "any".

jp


-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate
http://www.afferentsecurity.com


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler
  http://www.joelesler.net
[m]
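
Added example, not part of the thread or of Snort itself: a small Python check that flags rules using the `ip` protocol with a port other than `any`, the case described above as accepted without a syntax error. The function name, sample rules and SIDs are constructed for illustration, and the header layout assumed is the usual `action proto src_addr src_port direction dst_addr dst_port (options)`.

```python
import re

# Assumed rule header layout:
#   action proto src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)

def lint_ip_ports(rules_text):
    """Return (line_no, message) for every 'ip' rule whose ports are not 'any'."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and commented-out rules
        m = HEADER_RE.match(stripped)
        if m is None or m.group("proto").lower() != "ip":
            continue  # only 'ip' headers are of interest here
        bad = [f"{side} port '{m.group(key)}'"
               for side, key in (("source", "sport"), ("destination", "dport"))
               if m.group(key).lower() != "any"]
        if bad:
            findings.append((line_no, "ip rule with " + " and ".join(bad)
                             + "; ip is not port bound"))
    return findings

# Constructed sample rules (not from the thread); SIDs are placeholders.
SAMPLE_RULES = """\
# local.rules (constructed)
alert ip any any -> $HOME_NET 445 (msg:"constructed: ip with dst port"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"constructed: tcp with dst port"; sid:1000002; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed: ip any/any"; sid:1000003; rev:1;)
alert ip any 1024: <> $HOME_NET [80,443] (msg:"constructed: ip both ports"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for line_no, message in lint_ip_ports(SAMPLE_RULES):
        print(f"line {line_no}: {message}")
```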
