[Emerging-Sigs] 1620 / 2101620

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 24 11:31:56 EDT 2011


Ya, we should add a negate for udp/17. 

This rule is disabled by default, so many folks may not be seeing hits. It's probably most useful on a VERY locked down net. Performance may be spotty on snort as there isn't a content match.

I'll add !17 but keep it disabled. Thanks Victor!

Matt

On Oct 23, 2011, at 11:31 AM, Victor Julien wrote:

> Maybe I'm missing something about how Snort does ip_proto matching, but
> in Suricata enabling sid 1620 / 2101620 matches on UDP traffic. I know
> the sig is disabled by default, it still looks like it's missing
> "ip_proto:!17;" to me.
> 
> Sid looks like this:
> #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC
> Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47;
> ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89;
> classtype:non-standard-protocol; sid:2101620; rev:6;)
> 
> Thoughts?
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
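To make the point of the thread concrete, here is an added example (not code from the list, Snort, Suricata or Emerging Threats) that parses the ip_proto options out of sid 2101620 rev 6 as quoted above and evaluates them against a few constructed packets, once for the rule as posted and once with the proposed ip_proto:!17; added. It models ip_proto the way the thread assumes the engines treat it: every ip_proto keyword in the rule must hold for the packet (they are ANDed), so a protocol number is only excluded if a negate for it is present. The packet list and the helper names are constructed for this illustration.

```python
import re

# Rule text as quoted in the thread (sid 2101620 rev 6), with the leading '#'
# that marks it disabled in the ruleset stripped off.
RULE_ORIGINAL = (
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC '
    'Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; '
    'ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; '
    'classtype:non-standard-protocol; sid:2101620; rev:6;)'
)

# The same rule with the ip_proto:!17; negate the thread proposes adding.
RULE_FIXED = RULE_ORIGINAL.replace("ip_proto:!6;", "ip_proto:!6; ip_proto:!17;")

# ip_proto:<op><number>; where op is empty (equal), '!' (not), '<' or '>'.
IP_PROTO_RE = re.compile(r"ip_proto:\s*([!<>]?)\s*(\d+)\s*;")


def parse_ip_proto(rule):
    """Return the (operator, protocol number) constraints in rule order."""
    return [(op, int(num)) for op, num in IP_PROTO_RE.findall(rule)]


def ip_proto_matches(constraints, proto):
    """True when a packet with IP protocol number `proto` satisfies every
    ip_proto constraint; all keywords in one rule are ANDed (assumption)."""
    for op, num in constraints:
        if op == "" and proto != num:
            return False
        if op == "!" and proto == num:
            return False
        if op == "<" and not proto < num:
            return False
        if op == ">" and not proto > num:
            return False
    return True


def matching_protocols(rule):
    """Every IP protocol number (0-255) the rule's ip_proto options would let alert."""
    constraints = parse_ip_proto(rule)
    return {p for p in range(256) if ip_proto_matches(constraints, p)}


# Constructed sample traffic: (description, IP protocol number).
SAMPLE_PACKETS = [
    ("ICMP echo", 1),
    ("TCP SYN to port 443", 6),
    ("UDP DNS query", 17),
    ("GRE tunnel", 47),
    ("ESP", 50),
    ("OSPF hello", 89),
    ("Unassigned protocol 253", 253),
]


def alerts_for(rule, packets=SAMPLE_PACKETS):
    """Descriptions of the sample packets on which the rule would alert."""
    constraints = parse_ip_proto(rule)
    return [desc for desc, proto in packets if ip_proto_matches(constraints, proto)]


if __name__ == "__main__":
    for name, rule in (("as posted", RULE_ORIGINAL), ("with !17", RULE_FIXED)):
        print(f"{name}: negates {sorted(n for _, n in parse_ip_proto(rule))}")
        print(f"{name}: alerts on {alerts_for(rule)}")
```

Running it shows the rule as posted alerting on the UDP DNS query as well as the unassigned protocol, while the version with ip_proto:!17; alerts only on the latter; matching_protocols() is the quick way to review which of the 256 protocol numbers a "non-standard protocol" rule still covers before enabling it on a locked-down segment.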


