Snort mailing list archives
Re: Rule help
From: Joel Esler <eslerj () gmail com>
Date: Tue, 23 Dec 2008 17:49:32 -0500
ip means, tcp, udp, icmp, ip, igmp, eigrp..etc.. ip means everything. Thusly it's not port bound and can't be.

J

On Dec 23, 2008, at 3:50 PM, Jefferson, Shawn allegedly wrote:

> I guess I misunderstand what "ip" refers to. I assumed it meant "tcp AND udp", and ports would be valid with both. Oops.
>
> -----Original Message-----
> From: Jack Pepper [mailto:pepperjack () afferentsecurity com]
> Sent: December 23, 2008 12:40 PM
> To: Jefferson, Shawn
> Cc: Snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Rule help
>
> Quoting "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>:
>
> > Is this in the docs anywhere? I've got the rule writing section in front of me and didn't see that in the protocol section. That would have been nice to know up front. :)
>
> the "oddity" isn't that snort rule syntax ignores port numbers on IP. That's part of the IP protocol. the "oddity" IMO is that snort does not escalate a syntax error on IP protocol if the port is anything other than "any".
>
> jp
>
> --
> Framework? I don't need no stinking framework!
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
http://www.joelesler.net
[m]
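Added example, not part of the original thread or of Snort itself: a small Python lint check for the case discussed above, where a rule using the `ip` protocol carries a port other than `any` and no syntax error is reported. The sample rules, SIDs and function names are constructed for illustration, and address or port lists are assumed to contain no spaces.

```python
import re

# Rule header: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER = re.compile(
    r"^\s*(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S)
SID = re.compile(r"\bsid\s*:\s*(\d+)")

def logical_rules(text):
    """Yield (first_line_number, rule) with backslash continuations joined."""
    buf, start = "", 0
    for n, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf
        buf = ""

def ip_rules_with_ports(text):
    """Return (line, sid, ports) for 'ip' rules whose ports are not 'any'."""
    findings = []
    for lineno, rule in logical_rules(text):
        m = HEADER.match(rule)
        if not m or m["proto"].lower() != "ip":
            continue  # tcp/udp rules are port bound, so ports are meaningful there
        ports = [p for p in (m["sport"], m["dport"]) if p.lower() != "any"]
        if ports:
            sid = SID.search(m["opts"])
            findings.append((lineno, int(sid.group(1)) if sid else None, ports))
    return findings

# Constructed sample rules file (not taken from the thread).
SAMPLE = r'''# constructed sample rules
alert ip any any -> $HOME_NET 80 (msg:"port on ip rule"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"tcp is port bound"; sid:1000002; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip, no ports"; sid:1000003; rev:1;)
alert ip any [53,123] -> \
    any any (msg:"continued line"; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    for lineno, sid, ports in ip_rules_with_ports(SAMPLE):
        print(f"line {lineno}: sid {sid}: 'ip' rule with port(s) {ports}")
```

Running it over a rules file before deployment surfaces rules whose author probably meant `tcp` or `udp`.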