Chapter 3 • Working with Snort Rules: Rule Options

• Loose Source Routing (lsrr)
• Strict Source Routing (ssrr)

For a complete list of IP options see RFC 791 at http://www.rfc-editor.org/rfc/rfc791.txt. In Snort rules, the most commonly used options are the ones listed above. Attackers can use these options to learn about your network. For example, loose and strict source routing let the sender dictate the path a packet takes, so they can be used to discover whether a particular network path exists; because a source-routed packet can also be steered around an address-based filter, hardening guides commonly recommend dropping source-routed packets at the perimeter. Using Snort rules, you can detect such attempts with the ipopts keyword. The following rule detects any attempt made using Loose Source Routing:

alert ip any any -> any any (ipopts: lsrr; \
    msg: "Loose source routing attempt";)

You can also add the logto keyword to the same rule to write the matching packets to a separate file. Note that a rule can test for only one IP option: you can't specify multiple ipopts keywords in one rule, so write one rule per option you want to detect.

3.6.16 The ip_proto Keyword

The ip_proto keyword uses the IP Proto plug-in to check the protocol number in the IP header. The keyword requires a protocol number as its argument. You can also use a protocol name if it can be resolved using the /etc/protocols file. Sample entries in this file look like the following:

ax.25      93   AX.25     # AX.25 Frames
ipip       94   IPIP      # IPIP Yet Another IP encapsulation
micp       95   MICP      # Mobile Internetworking Control Pro.
scc-sp     96   SCC-SP    # Semaphore Communications Sec. Pro.
etherip    97   ETHERIP   # Ethernet-within-IP Encapsulation
encap      98   ENCAP     # Yet Another IP encapsulation
#          99             # any private encryption scheme
gmtp      100   GMTP      # GMTP
ifmp      101   IFMP      # Ipsilon Flow Management Protocol
pnni      102   PNNI      # PNNI over IP

Each line gives the protocol name, its number, an alias, and a comment introduced by #. The entry for 99 is only a comment because that number is reserved for private encryption schemes and has no name. The following rule checks whether the IPIP protocol is being used by data packets:

alert ip any any -> any any (ip_proto: ipip; \
    msg: "IP-IP tunneling detected";)

The next rule is the same except that it uses the protocol number instead of the name:

alert ip any any -> any any (ip_proto: 94; \
    msg: "IP-IP tunneling detected";)

The numeric form is only marginally more efficient: the name is looked up in /etc/protocols once, when the rule is parsed, so there is no difference at run time. The number is mainly useful when the name is missing from /etc/protocols on the sensor, because a name that cannot be resolved stops the rule from loading. Protocol numbers were originally defined in RFC 1700 at http://www.rfc-editor.org/rfc/rfc1700.txt; that RFC is now obsolete, and the authoritative list is the IANA protocol numbers registry at http://www.iana.org/assignments/protocol-numbers (IANA, at http://www.iana.org, operates under ICANN, http://www.icann.org).
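To make the two tests concrete, here is an added example (not code from the book or from Snort itself) of what the ipopts and ip_proto keywords actually inspect. A small IPv4 header parser walks the options area and reads the protocol field, and two matcher functions re-apply the checks behind the lsrr and ipip rules shown in this section and the previous one. The /etc/protocols excerpt and the packets are constructed test data; the function names (parse_ipv4, match_ipopts, match_ip_proto, resolve_ip_proto, build_ipv4) are this example's own, while the option type codes and protocol numbers are the RFC 791 and IANA values.

```python
"""
Added example: how ipopts and ip_proto tests work at the packet level.
Not part of the book or of Snort; constructed test data throughout.
"""
import struct

# IP option type octets (RFC 791): copy flag, class and number in one byte.
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_CODES = {"rr": 7, "ts": 68, "lsrr": 131, "ssrr": 137}

# Constructed excerpt in /etc/protocols format: name, number, alias, # comment.
PROTOCOLS_FILE = """\
ip	0	IP		# internet protocol, pseudo protocol number
icmp	1	ICMP		# internet control message protocol
tcp	6	TCP		# transmission control protocol
gre	47	GRE		# General Routing Encapsulation
ipip	94	IPIP		# IPIP Yet Another IP encapsulation
#	99	any private encryption scheme
"""

def load_protocols(text):
    """Parse /etc/protocols text into {name_or_alias (lower-cased): number}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for name in [fields[0]] + fields[2:]:    # name plus any aliases
            table[name.lower()] = int(fields[1])
    return table

def resolve_ip_proto(arg, table):
    """Turn an ip_proto argument (number or /etc/protocols name) into a number."""
    arg = arg.strip()
    if arg.isdigit():
        return int(arg)
    if arg.lower() not in table:                 # Snort refuses to load such a rule
        raise ValueError(f"unknown protocol name in ip_proto: {arg!r}")
    return table[arg.lower()]

def parse_ipv4(packet):
    """Return (protocol number, list of option type octets) from an IPv4 header."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed header")
    proto = packet[9]
    options, pos = [], 20
    while pos < ihl:                              # walk the options area only
        kind = packet[pos]
        if kind == IPOPT_EOL:
            break
        options.append(kind)
        if kind == IPOPT_NOP:                     # single-octet option
            pos += 1
            continue
        if pos + 1 >= ihl:
            raise ValueError("option length octet missing")
        length = packet[pos + 1]
        if length < 2 or pos + length > ihl:      # bogus length: reject, do not loop
            raise ValueError("bad option length")
        pos += length
    return proto, options

def match_ipopts(packet, name):
    """Snort ipopts: true if the named option appears in the IP header."""
    return IPOPT_CODES[name] in parse_ipv4(packet)[1]

def match_ip_proto(packet, arg, table):
    """Snort ip_proto: true if the header's protocol field equals the argument."""
    return parse_ipv4(packet)[0] == resolve_ip_proto(arg, table)

def build_ipv4(proto, options=b""):
    """Constructed IPv4 header: given protocol, options padded with EOL to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                         0x1234, 0, 64, proto, 0,
                         bytes([192, 168, 1, 101]), bytes([192, 168, 1, 2]))
    return header + options

# LSRR option: type 131, length 7 (3 + one 4-byte hop), pointer 4, hop 192.168.1.254
LSRR_PACKET = build_ipv4(1, bytes([131, 7, 4, 192, 168, 1, 254]))
IPIP_PACKET = build_ipv4(94)

if __name__ == "__main__":
    table = load_protocols(PROTOCOLS_FILE)
    print("ipopts: lsrr  on LSRR packet ->", match_ipopts(LSRR_PACKET, "lsrr"))
    print("ip_proto: ipip on IPIP packet ->", match_ip_proto(IPIP_PACKET, "ipip", table))
    print("ip_proto: 94   on IPIP packet ->", match_ip_proto(IPIP_PACKET, "94", table))
```

The options walk enforces the length octet before advancing, which is the check an IP stack or IDS must make: an option with length 0 or 1 would otherwise never advance the cursor. The name lookup happens once in resolve_ip_proto, mirroring the parse-time resolution described above.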

3.6.17 The logto Keyword

The logto keyword is used to log packets that match a rule to a separate file. The general syntax is as follows:

logto: "filename";

Consider the following rule:

alert icmp any any -> any any (logto: "logto_log"; ttl: 100;)

This rule logs all ICMP packets with a TTL value equal to 100 to the file logto_log under the Snort log directory. The file is written in Snort's text packet format; logto does not work when Snort runs in binary (tcpdump-format) logging mode. A typical logged packet in this file looks as follows:

[root@conformix]# cat logto_log
07/03-03:57:56.496845 192.168.1.101 -> 192.168.1.2
ICMP TTL:100 TOS:0x0 ID:33822 IpLen:20 DgmLen:60
Type:8  Code:0  ID:768   Seq:9217  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[root@conformix]#

The information logged in the above example is as follows:

• Date and time the packet was logged.
• Source IP address is 192.168.1.101.
• Destination IP address is 192.168.1.2.
• Protocol used in the packet is ICMP.
• The TTL (Time To Live) field value in the IP header is 100.
• The TOS (Type Of Service) field value in the IP header is 0. This value means the packet asks for no special precedence or type of service, which is the case for ordinary traffic. For details of other TOS values, refer to RFC 791.
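Since the logto file is plain text, it is easy to post-process. The following is an added example (not code from the book or from Snort) of a parser for this record format, run over the sample record above, reproduced here as constructed test data. It recovers the fields the bullet list walks through, checks that the logged lengths agree with the dumped payload (IpLen plus the 8-byte ICMP header plus the payload should equal DgmLen), and re-applies the rule's ttl:100 test to each record. The record field names (timestamp, src, dst, icmp_type and so on) and the function names are this example's own choices.

```python
"""
Added example: parse Snort's text packet log as written by logto.
Not part of the book or of Snort; the sample record is constructed test data.
"""
import re

# Constructed copy of the logto_log record shown in the text.
SAMPLE_LOG = """\
07/03-03:57:56.496845 192.168.1.101 -> 192.168.1.2
ICMP TTL:100 TOS:0x0 ID:33822 IpLen:20 DgmLen:60
Type:8  Code:0  ID:768   Seq:9217  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEADER_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")       # timestamp src -> dst
FIELD_RE = re.compile(r"(\w+):(\S+)")                    # KEY:value pairs
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")          # hex column ends at the double space
SEPARATOR_RE = re.compile(r"^(?:=\+)+=?[ \t]*$", re.MULTILINE)

def parse_records(text):
    """Split a logto file on its =+=+ separator lines and parse each record."""
    records = []
    for chunk in SEPARATOR_RE.split(text):
        lines = [line for line in chunk.splitlines() if line.strip()]
        if lines:
            records.append(parse_record(lines))
    return records

def parse_record(lines):
    """Parse one record: addresses, IP header fields, ICMP fields, payload bytes."""
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("unexpected first line: " + lines[0])
    rec = {"timestamp": m.group(1), "src": m.group(2), "dst": m.group(3)}
    proto, _, rest = lines[1].partition(" ")
    rec["proto"] = proto
    for key, val in FIELD_RE.findall(rest):
        try:
            rec[key] = int(val, 0)          # base 0 handles TOS:0x0 as well as TTL:100
        except ValueError:
            rec[key] = val                  # e.g. TCP flag strings on other record types
    payload = bytearray()
    for line in lines[2:]:
        h = HEX_RE.match(line)
        if h:
            payload += bytes.fromhex(h.group(1))
        elif proto == "ICMP" and line.startswith("Type:"):
            for key, val in FIELD_RE.findall(line):
                rec["icmp_" + key.lower()] = int(val)
            rec["icmp_name"] = line.split()[-1]   # e.g. ECHO
    rec["payload"] = bytes(payload)
    return rec

def check_lengths(rec):
    """For ICMP: DgmLen should equal IpLen + 8-byte ICMP header + dumped payload."""
    if rec.get("proto") != "ICMP":
        return None
    return rec["DgmLen"] == rec["IpLen"] + 8 + len(rec["payload"])

def rule_matches(rec, ttl=100):
    """The ttl:100 test from the rule, re-applied to a parsed record."""
    return rec.get("TTL") == ttl

if __name__ == "__main__":
    for r in parse_records(SAMPLE_LOG):
        print(r["timestamp"], r["src"], "->", r["dst"], r["proto"],
              "TTL", r["TTL"], "lengths consistent:", check_lengths(r),
              "rule ttl:100 matches:", rule_matches(r))
```

A length check of this kind is a cheap sanity test on a log file: if the dumped payload no longer adds up to DgmLen, the record was truncated (for example by a snaplen shorter than the packet) and the payload should not be trusted for further analysis.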