Snort mailing list archives
Re: Doubt about non TCP/IP packets
From: Jeremy Hoel <jthoel () gmail com>
Date: Mon, 12 Aug 2013 13:54:13 -0600
You should be able to write rules looking for byte options. Can you filter the traffic you are looking for with BPF type statements? Is it still IP based traffic or something else? I.e., something like this:

    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux SCTP malformed forward-tsn chunk arbitrary code execution attempt"; ip_proto:132; content:"|C0 00|"; depth:2; offset:12; byte_test:2,>,500,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,33113; reference:cve,2009-0065; classtype:attempted-admin; sid:15490; rev:4;)

There's just hex content at a byte value. Just an idea.. I don't know if it would work for your data.

On Mon, Aug 12, 2013 at 4:31 AM, Marcos Lois Bermúdez <marcos.lois () gmail com> wrote:
Hi, I'm really a newbie with Snort. After some reading I have some clear idea of how Snort works, and generates events in unified2 format that can be transferred to a central database. After reading the unified2 binary format, the barnyard2 database schema and the Snort rules, how can I create rules for non TCP/IP traffic? I have traffic captured from a PLC that can encapsulate IP traffic but also other protocols. Can I write rules using RAW packets? How is this RAW packet content generated in unified2? Do I need to implement some kind of plugin for Snort?

Regards.

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite! It's a free troubleshooting tool designed for production. Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
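To make concrete what the rule quoted above actually inspects, here is an added example that is not part of either message in the thread and not Snort code. It emulates the detection options of that one rule (ip_proto, content with offset/depth, and a relative big-endian byte_test) over a raw IPv4 packet built inline. The packet bytes are constructed for illustration, and the example assumes that for an `alert ip` rule Snort's content offsets count from the first byte after the IP header, so offset 12 lands on the first SCTP chunk header (the SCTP common header is 12 bytes: two ports, a verification tag and a checksum).

```python
import struct

# Constructed sample data: a minimal 20-byte IPv4 header carrying the given
# protocol number and payload. Checksum is left as zero; this is not sent anywhere.
def build_ipv4(proto, payload):
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,     # version/IHL, TOS, total length
                         0x1234, 0,              # identification, flags/fragment offset
                         64, proto, 0,           # TTL, protocol, header checksum (unset)
                         bytes([10, 0, 0, 1]),   # source 10.0.0.1 (constructed)
                         bytes([10, 0, 0, 2]))   # destination 10.0.0.2 (constructed)
    return header + payload

# Constructed SCTP payload: 12-byte common header followed by one chunk header
# (type, flags, length). 0xC0 is the FORWARD TSN chunk type.
def build_sctp(chunk_type, chunk_flags, chunk_len):
    common = struct.pack("!HHII", 3868, 3868, 0xDEADBEEF, 0)
    chunk = struct.pack("!BBH", chunk_type, chunk_flags, chunk_len)
    return common + chunk

def ip_payload(pkt):
    """Return (protocol number, bytes after the IP header) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]

def rule_matches(pkt):
    """Emulate: ip_proto:132; content:"|C0 00|"; depth:2; offset:12;
    byte_test:2,>,500,0,relative,big;  (hypothetical matcher, not Snort's engine)"""
    proto, payload = ip_payload(pkt)
    if proto != 132:                       # ip_proto:132 -> SCTP only
        return False
    # content with offset:12 depth:2 -> the search window is exactly payload[12:14]
    window = payload[12:14]
    idx = window.find(b"\xC0\x00")
    if idx == -1:
        return False
    # The detection cursor now sits just past the matched content.
    cursor = 12 + idx + 2
    # byte_test:2,>,500,0,relative,big -> 2 bytes at cursor+0, big-endian, compare > 500
    if len(payload) < cursor + 2:
        return False
    value = struct.unpack("!H", payload[cursor:cursor + 2])[0]
    return value > 500

def run_samples():
    """Run the matcher over constructed packets; returns name -> matched."""
    return {
        "forward_tsn_oversized": rule_matches(build_ipv4(132, build_sctp(0xC0, 0x00, 600))),
        "forward_tsn_normal":    rule_matches(build_ipv4(132, build_sctp(0xC0, 0x00, 16))),
        "data_chunk_oversized":  rule_matches(build_ipv4(132, build_sctp(0x00, 0x00, 600))),
        "tcp_same_bytes":        rule_matches(build_ipv4(6,   build_sctp(0xC0, 0x00, 600))),
    }

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:24s} {'ALERT' if hit else '-'}")
```

The point for non-TCP/UDP traffic is that once the packet is IP, the `content`, `offset`, `depth` and `byte_test` options simply index into the bytes after the IP header, so a protocol Snort has no decoder for can still be matched field by field as long as you know its layout. Only the first sample fires: the other three fail ip_proto, the content window, or the length comparison respectively.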
Current thread:
- Doubt about non TCP/IP packets Marcos Lois Bermúdez (Aug 12)
- Re: Doubt about non TCP/IP packets Jeremy Hoel (Aug 12)