Snort mailing list archives

Re: Doubt about non TCP/IP packets


From: Jeremy Hoel <jthoel () gmail com>
Date: Mon, 12 Aug 2013 13:54:13 -0600

You should be able to write rules looking for byte options.  Can you
filter the traffic you are looking for with BPF-type statements?  Is it
still IP-based traffic or something else?

I.e., something like this:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux SCTP
malformed forward-tsn chunk arbitrary code execution attempt";
ip_proto:132; content:"|C0 00|"; depth:2; offset:12;
byte_test:2,>,500,0,relative,big; metadata:policy balanced-ips drop,
policy security-ips drop; reference:bugtraq,33113;
reference:cve,2009-0065; classtype:attempted-admin; sid:15490; rev:4;)

There's just hex content at a byte value.


Just an idea. I don't know if it would work for your data.

On Mon, Aug 12, 2013 at 4:31 AM, Marcos Lois Bermúdez
<marcos.lois () gmail com> wrote:
Hi,

I'm really a newbie with Snort; after some reading I have some clear idea of
how Snort works and generates events in unified2 format that can be transferred
to a central database.

After reading the unified2 binary format, the barnyard2 database schema and Snort
rules, how can I create rules for non-TCP/IP traffic?

I have traffic captured from a PLC that can encapsulate IP traffic but also
other protocols.

Can I write rules using RAW packets?
How is this RAW packet content generated in unified2?
Do I need to implement some kind of plugin for Snort?

Regards.

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!


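To make concrete how the rule options in the reply above (ip_proto, content at offset/depth, byte_test relative big-endian) map onto raw bytes of a non-TCP/UDP IP protocol, here is an added Python model of that rule's matching logic; it is not Snort code or part of the original thread. It assumes, as Snort does for IP-protocol rules, that the payload cursor starts right after the IPv4 header, and the test packet builder is a constructed fixture (no SCTP checksum is computed).

```python
import struct

SCTP_PROTO = 132          # ip_proto:132
FORWARD_TSN_CHUNK = 0xC0  # content:"|C0 00|": chunk type 0xC0, chunk flags 0x00
SCTP_COMMON_HDR = 12      # offset:12 skips the SCTP common header (ports, vtag, checksum)
LENGTH_THRESHOLD = 500    # byte_test:2,>,500,0,relative,big on the chunk length field


def ipv4_payload(pkt: bytes):
    """Return (protocol, payload) for an IPv4 packet, or (None, b'') if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, b""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None, b""
    return pkt[9], pkt[ihl:]


def rule_matches(pkt: bytes) -> bool:
    """Model of the SCTP FORWARD-TSN rule: every option must hold for a match."""
    proto, payload = ipv4_payload(pkt)
    if proto != SCTP_PROTO:
        return False
    # content with offset:12 and depth:2 means the 2 bytes must sit exactly at 12..13
    if payload[SCTP_COMMON_HDR:SCTP_COMMON_HDR + 2] != bytes([FORWARD_TSN_CHUNK, 0x00]):
        return False
    # the cursor now sits just past the matched content; byte_test reads 2 bytes there
    cursor = SCTP_COMMON_HDR + 2
    if len(payload) < cursor + 2:
        return False
    (chunk_len,) = struct.unpack("!H", payload[cursor:cursor + 2])
    return chunk_len > LENGTH_THRESHOLD


def build_sctp_packet(chunk_type: int, chunk_flags: int, chunk_len: int) -> bytes:
    """Constructed fixture: minimal IPv4 header + SCTP common header + one chunk header."""
    sctp_hdr = struct.pack("!HHII", 5000, 5000, 0xDEADBEEF, 0)  # checksum left as 0
    chunk = struct.pack("!BBH", chunk_type, chunk_flags, chunk_len)
    total_len = 20 + len(sctp_hdr) + len(chunk)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, SCTP_PROTO, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + sctp_hdr + chunk


if __name__ == "__main__":
    print(rule_matches(build_sctp_packet(FORWARD_TSN_CHUNK, 0x00, 600)))  # True
    print(rule_matches(build_sctp_packet(FORWARD_TSN_CHUNK, 0x00, 16)))   # False
```

The same pattern (fixed-offset hex content plus byte_test on a length field) is what you would reach for on any IP-carried protocol that Snort does not decode itself.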