Snort mailing list archives
Re: GRE Rule
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Dec 2011 09:01:46 -0500
You need to compile with --enable-gre into Snort, which, depending on Snort version, may be on by default (>=2.9.1). However, you write your rule how you normally would "alert tcp...." and the Snort decoder takes care of decoding GRE for you. Looks like we need to update the Snort Manual.

J

On Dec 4, 2011, at 5:31 PM, PS wrote:
This was taken from the 2.9 manual:

"3.2.2 Protocols
The next field in a rule is the protocol. There are four protocols that Snort currently analyzes for suspicious behavior – TCP, UDP, ICMP, and IP. In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc."

But I do see online where it says that snort does have a GRE decoder and that it has to be enabled when compiling. I'm not sure what the difference is.

On Dec 4, 2011, at 5:09 PM, Dina Bruzek <dbruzek () sourcefire com> wrote:

I believe GRE is supported.

Dina

Sent from my iPhone

On Dec 4, 2011, at 4:56 PM, vmpc vmpc <packetstack () gmail com> wrote:

I want to create a rule that would block anyone trying to connect to my PPTP server after being denied access once. I will be doing this using snortsam. Since the packet that contains the "Access denied" message is sent back to the PPTP client using the GRE protocol, does that mean that I can't create a rule that will alert on that packet? My understanding is that GRE is not supported at this time. Would it be possible for me to create a general rule that would look at the entire packet and just try to be very specific when it comes to content matching in order to get a match?

Thanks!
------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
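What "the Snort decoder takes care of decoding GRE for you" amounts to on the wire, as an added example that is not part of the thread and is not Snort's own code: a small Python decoder that strips the outer IPv4 and GRE headers (RFC 2784/2890 layout for GRE version 0, RFC 2637 layout for the PPTP enhanced-GRE variant) and then runs a plain content match over whatever is inside, which is the data an ordinary rule's content: option would see once the tunnel has been peeled. The two sample packets are constructed for this example: a PPTP GRE packet carrying a PPP CHAP Failure whose message text is "Access denied", and a plain GRE v0 packet carrying IPv4/TCP. The addresses, call ID, key, sequence numbers and the CHAP message text are made up; the example does not claim that any particular PPTP server puts that string on the wire, nor that a given Snort build decodes the PPP payload of PPTP GRE as far as this script does.

```python
"""Decapsulate IPv4/GRE far enough to content-match the inner payload.

Added example, not Snort code.  Packet layouts follow RFC 2784/2890
(GRE v0) and RFC 2637 (PPTP enhanced GRE, v1).  The sample packets at the
bottom are constructed for this example only.
"""
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_PPP = 0x880B        # PPTP enhanced GRE always carries PPP
PPP_PROTO_CHAP = 0xC223
CHAP_FAILURE = 4


def parse_ipv4(buf):
    """Return (protocol, src, dst, payload); header checksum is not verified."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return buf[9], src, dst, buf[ihl:total_len]


def parse_gre(buf):
    """Return (version, protocol_type, fields, payload) for a GRE header.
    v0: optional checksum (C), key (K) and sequence (S) words.
    v1 (PPTP): key word = payload length + call ID, optional sequence (S)
    and acknowledgment (A) words; protocol type must be PPP."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    b0, b1, proto = struct.unpack("!BBH", buf[:4])
    version, off, fields = b1 & 0x07, 4, {}
    if version == 0:
        optional = (("checksum", b0 & 0x80), ("key", b0 & 0x20), ("seq", b0 & 0x10))
    elif version == 1:
        if not (b0 & 0x20) or proto != GRE_PROTO_PPP:
            raise ValueError("GRE v1 must carry PPP with the key field present")
        fields["payload_len"], fields["call_id"] = struct.unpack("!HH", buf[4:8])
        off = 8
        optional = (("seq", b0 & 0x10), ("ack", b1 & 0x80))
    else:
        raise ValueError("unsupported GRE version %d" % version)
    for name, present in optional:        # each optional field occupies one 32-bit word
        if present:
            if off + 4 > len(buf):
                raise ValueError("GRE header runs past end of packet")
            word = struct.unpack("!I", buf[off:off + 4])[0]
            fields[name] = word >> 16 if name == "checksum" else word  # checksum is the high 16 bits
            off += 4
    return version, proto, fields, buf[off:]


def parse_ppp(buf):
    """Return (ppp_protocol, payload); skips an optional ff 03 address/control
    pair and accepts a compressed one-byte protocol field (low bit set)."""
    if buf[:2] == b"\xff\x03":
        buf = buf[2:]
    if not buf:
        raise ValueError("empty PPP frame")
    if buf[0] & 0x01:
        return buf[0], buf[1:]
    return struct.unpack("!H", buf[:2])[0], buf[2:]


def tunnel_content_match(packet, needle):
    """Strip outer IPv4 and GRE, then content-match the decapsulated payload.
    Returns None when there is no GRE tunnel or no match, else a dict of the
    decoded fields a rule could be anchored on plus the match offset."""
    proto, src, dst, ip_payload = parse_ipv4(packet)
    if proto != IPPROTO_GRE:
        return None
    version, gre_proto, fields, inner = parse_gre(ip_payload)
    result = {"src": src, "dst": dst, "gre_version": version, "gre_proto": gre_proto}
    result.update(fields)
    if gre_proto == GRE_PROTO_IPV4:          # plain GRE: an IP packet inside
        result["inner_proto"], _, _, inner = parse_ipv4(inner)
    elif gre_proto == GRE_PROTO_PPP:         # PPTP: a PPP frame inside
        result["ppp_proto"], inner = parse_ppp(inner)
        if result["ppp_proto"] == PPP_PROTO_CHAP and len(inner) >= 4:
            result["chap_code"], result["chap_id"] = inner[0], inner[1]
            inner = inner[4:]                # CHAP message follows code/id/length
    if needle not in inner:
        return None
    result["offset"] = inner.index(needle)
    return result


def build_ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 header (checksum left zero) in front of payload."""
    octets = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                       64, proto, 0, octets(src), octets(dst)) + payload


def build_pptp_chap_failure(src, dst, call_id, message):
    """Constructed sample: IPv4 / GRE v1 (K,S,A set) / PPP / CHAP Failure."""
    chap = struct.pack("!BBH", CHAP_FAILURE, 7, 4 + len(message)) + message
    ppp = struct.pack("!H", PPP_PROTO_CHAP) + chap
    gre = struct.pack("!BBHHHII", 0x30, 0x81, GRE_PROTO_PPP, len(ppp), call_id, 1, 0)
    return build_ipv4(src, dst, IPPROTO_GRE, gre + ppp)


def build_gre0_tcp(src, dst, key, tcp_bytes):
    """Constructed sample: IPv4 / GRE v0 (K,S set) / IPv4 / TCP."""
    inner = build_ipv4("10.0.0.1", "10.0.0.2", 6, tcp_bytes)
    gre = struct.pack("!BBHII", 0x30, 0x00, GRE_PROTO_IPV4, key, 5)
    return build_ipv4(src, dst, IPPROTO_GRE, gre + inner)


# Constructed sample packets (made-up addresses, IDs and message text).
SAMPLE_PPTP = build_pptp_chap_failure("192.0.2.10", "198.51.100.7", 1, b"Access denied")
SAMPLE_GRE0 = build_gre0_tcp("192.0.2.10", "198.51.100.7", 0xDEADBEEF,
                             b"\x00" * 20 + b"GET / HTTP/1.0\r\n")  # 20 zero bytes stand in for a TCP header
```

`tunnel_content_match(SAMPLE_PPTP, b"Access denied")` reports gre_version 1, the call ID and sequence/ack numbers, ppp_proto 0xC223, chap_code 4 and a match at offset 0 of the CHAP message; `tunnel_content_match(SAMPLE_GRE0, b"GET /")` reports gre_version 0, the key, inner_proto 6 and a match at offset 20 of the inner TCP segment. Those extra fields are the point of decapsulating rather than matching on the raw packet: for plain GRE the inner IP protocol is what makes an "alert tcp" rule apply, and for PPTP the PPP protocol and CHAP code let a rule be tied to a CHAP Failure rather than to the text string alone.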
Current thread:
- GRE Rule vmpc vmpc (Dec 04)
- Re: GRE Rule Dina Bruzek (Dec 05)
- Re: GRE Rule PS (Dec 04)
- Re: GRE Rule Joel Esler (Dec 05)
- Re: GRE Rule PS (Dec 04)
- Re: GRE Rule Bad Horse (Dec 06)
- Re: GRE Rule Dina Bruzek (Dec 05)