Snort mailing list archives
Re: IP Protocol Rules?
From: Tony Robinson <trobinson () sourcefire com>
Date: Sun, 1 Jul 2012 16:04:33 -0400
IP protocol rules are rules that trigger against IP traffic. In the standard snort rule header, you can specify a rule function [Alert/Pass/Drop], a protocol, [TCP/UDP/ICMP/IP], network or address 1 [address/IPvar], source port [port/icmp code], where the traffic flows [direction], network or address 2 [address/IPvar], destination port [port/icmp code]. IP Protocol rules are simply rules that trigger against rule content with IP chosen as the protocol. If IP is chosen as the protocol you cannot specify a port or an ICMP code. Snort will do content matching against ALL IP packets. The rule header for an IP rule will usually look something like this: alert ip [address 1] any -> [address 2] any [rule content goes here] If you want to see an example of an IP protocol rule, take a look at rule 18997 http://www.snort.org/search/sid/18997?r=1 it's a rule that alerts against IP protocol traffic and has a specific content match. The other use case for IP rules is to block traffic from certain IP addresses when we don't know the content, or more than one type of protocol may be used to communicate. This rules aren't very good performers, but will do in a pinch if you know, say, the ip address of a known CNC server and just want to alert against any traffic going to/from that ip address. sids 20523 and 20524 are examples of this -- blocking known ip addresses for Duqu CNC hosts. Hope this answers the question. -Tony On Fri, Jun 29, 2012 at 6:50 PM, <jorbru30 () comcast net> wrote:
Hi, I am reviewing snort code to seek best ways to optimize/tune snort, and I appreciate any help in understanding "fpEvalIpProtoOnlyRules' function. How do I identify IP protocol only rules? Is every IP packet inspected by "fpEvalIpProtoOnlyRules" ? I appreciate your help. Jorda. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
-- Tony Robinson Security Consultant I SourceFIRE Professional Services Division
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: IP Protocol Rules? Tony Robinson (Jul 01)
- Re: IP Protocol Rules? Joshua Kinard (Jul 01)
- Re: IP Protocol Rules? Livio () metaflows com (Jul 01)
- Re: IP Protocol Rules? Joel Esler (Jul 01)
- Re: IP Protocol Rules? jorbru30 (Jul 02)
- Re: IP Protocol Rules? Joel Esler (Jul 03)
- Re: IP Protocol Rules? Livio () metaflows com (Jul 01)
- Re: IP Protocol Rules? Joshua Kinard (Jul 01)