[Emerging-Sigs] 1620 / 2101620

Victor Julien lists at inliniac.net
Sun Oct 23 11:31:31 EDT 2011


Maybe I'm missing something about how Snort does ip_proto matching, but
in Suricata enabling sid 1620 / 2101620 matches on UDP traffic. I know
the sig is disabled by default, but it still looks like it's missing
"ip_proto:!17;" to me.

Sid looks like this:
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC
Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47;
ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89;
classtype:non-standard-protocol; sid:2101620; rev:6;)

Thoughts?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
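To check the concern raised above in code, here is an added example (not code from Suricata, Snort or the Emerging Threats rule set) that parses only the ip_proto options of the quoted rule and evaluates them against an IP protocol number, showing that the rule as published still matches protocol 17 (UDP) while the version with ip_proto:!17 does not. It assumes the usual semantics that every ip_proto option must hold and that '!' negates a single protocol number; names like "udp" are not parsed.

```python
"""Evaluate the ip_proto constraints of a Snort/Suricata rule against an IP
protocol number.  Added example, not code from Suricata, Snort or the
Emerging Threats rule set; only the ip_proto keyword is parsed (all other
options are ignored) and the matching semantics (every ip_proto option
must hold, with '!' negation and '<' / '>' comparisons) are assumed.
"""
import re

# Constructed: the rule quoted in the post, joined onto one line, with the
# leading '#' (disabled by default) removed so it reads as an active rule.
SID_2101620 = (
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC '
    'Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; '
    'ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; '
    'classtype:non-standard-protocol; sid:2101620; rev:6;)'
)

# Constructed: the fix suggested in the post, ip_proto:!17 added.
SID_2101620_FIXED = SID_2101620.replace('ip_proto:!89;',
                                        'ip_proto:!89; ip_proto:!17;')

IP_PROTO_OPT = re.compile(r'ip_proto\s*:\s*([!<>]?)\s*(\d+)\s*;')

def parse_ip_proto(rule):
    """Return (operator, number) pairs from the rule's ip_proto options;
    operator is '' (equal), '!' (not equal), '<' or '>'."""
    return [(op, int(num)) for op, num in IP_PROTO_OPT.findall(rule)]

def ip_proto_matches(rule, proto):
    """True if every ip_proto constraint in the rule holds for proto."""
    checks = {'': lambda n: proto == n, '!': lambda n: proto != n,
              '<': lambda n: proto < n, '>': lambda n: proto > n}
    return all(checks[op](num) for op, num in parse_ip_proto(rule))

def unexcluded_protocols(rule, candidates):
    """Which of the given protocol numbers the rule would still alert on."""
    return [p for p in candidates if ip_proto_matches(rule, p)]

if __name__ == '__main__':
    common = {1: 'ICMP', 6: 'TCP', 17: 'UDP', 47: 'GRE', 50: 'ESP',
              51: 'AH', 89: 'OSPF', 132: 'SCTP'}
    for label, rule in (('as published', SID_2101620),
                        ('with !17', SID_2101620_FIXED)):
        hits = unexcluded_protocols(rule, common)
        print(label, 'alerts on:', [common[p] for p in hits])
```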