Snort mailing list archives
Question: Snort Rule to alert on an "Outer" IP address
From: "LICATO, JAMES J via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 1 Dec 2022 16:54:05 +0000
Hi,

I have PCAP files that contain both Inner SIP/DIP IP addresses, as well as Outer SIP/DIP addresses. Below is a bogus example Snort rule I wrote, where I am trying to alert on a specific byte pattern:

    alert tcp any any -> any any (content:"|00 11 22 33 44 55|"; sid:9000001; rev:1;)   ### Bogus for illustration purposes

I would like to further restrict this rule to alert only when my Outer SIP IP address is a specific value. Something to the effect of:

    alert tcp 192.168.100.40 any -> any any (content:"|00 11 22 33 44 55|"; sid:9000001; rev:1;)   ### Bogus for illustration purposes

I tried this and it is not alerting as expected. It only seems to alert if I use the Inner SIP/DIP values. Any thoughts on what I may be doing wrong, and if it's even possible for a Snort rule to check an Outer SIP/DIP value?

Thank you,
Jim
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
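The question above turns on which of two IPv4 headers an address lives in: in a tunneled capture the outer header (the tunnel endpoints) wraps an inner header (the endpoints of the SIP flow), and an address such as 192.168.100.40 appears in only one of them. The following script is an added example, not code from the poster or from the Snort project: it builds a constructed IP-in-IP packet with an outer source of 192.168.100.40, an inner TCP flow, and a payload carrying the |00 11 22 33 44 55| bytes from the rule, then walks the encapsulation chain and reports at which layer a given source address sits. Checking a real PCAP this way before writing a rule tells you whether the address you are filtering on is the outer or the inner one, which is consistent with the post's observation that the rule only fires on the inner values. The helper names and the addresses other than 192.168.100.40 are assumptions made for the example.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP encapsulation
IPPROTO_TCP = 6

# Constructed sample values (not from the mailing-list post): the inner
# addresses, ports and payload prefix are invented for this example.
RULE_CONTENT = bytes.fromhex("001122334455")


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. Checksum is left 0; we only parse offline."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header, data offset 5, ACK flag set, no checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)


def build_tunneled_packet(outer_src, outer_dst, inner_src, inner_dst, payload):
    """Outer IPv4 (proto 4) -> inner IPv4 (proto 6) -> TCP -> payload."""
    tcp = tcp_header(40000, 5060) + payload
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(tcp)) + tcp
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def parse_ipv4(buf, offset):
    """Parse one IPv4 header at offset; return (fields, offset of next header)."""
    if len(buf) - offset < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = buf[offset] >> 4, (buf[offset] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    fields = {
        "proto": buf[offset + 9],
        "src": socket.inet_ntoa(buf[offset + 12:offset + 16]),
        "dst": socket.inet_ntoa(buf[offset + 16:offset + 20]),
    }
    return fields, offset + ihl


def ip_layers(buf):
    """Follow IP-in-IP encapsulation; layer 0 is the outermost header."""
    layers, off = [], 0
    hdr, off = parse_ipv4(buf, off)
    layers.append(hdr)
    while hdr["proto"] == IPPROTO_IPIP:
        hdr, off = parse_ipv4(buf, off)
        layers.append(hdr)
    return layers, off


def tcp_payload(buf, tcp_off):
    """Return the TCP payload, honouring the data-offset field."""
    data_off = (buf[tcp_off + 12] >> 4) * 4
    return buf[tcp_off + data_off:]


def which_layer_has_src(buf, addr):
    """Index of the IP layer whose source is addr (0 = outer), or -1 if absent."""
    layers, _ = ip_layers(buf)
    for i, hdr in enumerate(layers):
        if hdr["src"] == addr:
            return i
    return -1


def content_matches(buf, pattern=RULE_CONTENT):
    """True if the innermost TCP payload carries the rule's content bytes."""
    layers, tcp_off = ip_layers(buf)
    if layers[-1]["proto"] != IPPROTO_TCP:
        return False
    return pattern in tcp_payload(buf, tcp_off)


def sample_packet():
    # Constructed: outer 192.168.100.40 (from the post) -> tunnel peer 10.0.0.1,
    # carrying an inner SIP flow 172.16.5.5 -> 172.16.5.9.
    return build_tunneled_packet("192.168.100.40", "10.0.0.1",
                                 "172.16.5.5", "172.16.5.9",
                                 b"INVITE " + RULE_CONTENT)


if __name__ == "__main__":
    pkt = sample_packet()
    layers, _ = ip_layers(pkt)
    for i, hdr in enumerate(layers):
        print(f"layer {i} ({'outer' if i == 0 else 'inner'}): "
              f"{hdr['src']} -> {hdr['dst']} proto {hdr['proto']}")
    print("content present:", content_matches(pkt))
    print("192.168.100.40 is at layer", which_layer_has_src(pkt, "192.168.100.40"))
```

Run against bytes pulled from a real capture (strip the Ethernet header first), the same `ip_layers` walk shows whether the address in the rule's source field is at layer 0 or deeper; if it is only at layer 0, a rule whose address fields are evaluated against the inner header will not see it, which matches the behaviour described in the post.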