The itype Keyword Rule Options
3.6.16 The ip_proto Keyword
The ip_proto keyword uses IP Proto plug-in to determine protocol number in the IP header. The keyword requires a protocol number as argument. You can also use a name for the protocol if it can be resolved using etcprotocols file. Sample entries in this file look like the following: ax.25 93 AX.25 AX.25 Frames ipip 94 IPIP Yet Another IP encapsulation micp 95 MICP Mobile Internetworking Control Pro. scc-sp 96 SCC-SP Semaphore Communications Sec. Pro. etherip 97 ETHERIP Ethernet-within-IP Encapsulation encap 98 ENCAP Yet Another IP encapsulation 99 any private encryption scheme gmtp 100 GMTP GMTP ifmp 101 IFMP Ipsilon Flow Management Protocol pnni 102 PNNI PNNI over IP The following rule checks if IPIP protocol is being used by data packets: alert ip any any - any any ip_proto: ipip; \ msg: IP-IP tunneling detected; 102 Chapter 3 • Working with Snort Rules The next rule is the same except that it uses protocol number instead of name more efficient. alert ip any any - any any ip_proto: 94; \ msg: IP-IP tunneling detected; Protocol numbers are defined in RFC 1700 at http:www.rfc-editor.orgrfc rfc1700.txt. The latest numbers can be found from the ICANN web site at http: www.icann.org or at IANA web site http:www.iana.org.3.6.17 The logto Keyword
The logto keyword is used to log packets to a special file. The general syntax is as follows: logto:logto_log Consider the following rule: alert icmp any any - any any logto:logto_log; ttl: 100; This rule will log all ICMP packets having TTL value equal to 100 to file logto_log. A typical logged packet in this file is as follows: [rootconformix] cat logto_log 0703-03:57:56.496845 192.168.1.101 - 192.168.1.2 ICMP TTL:100 TOS:0x0 ID:33822 IpLen:20 DgmLen:60 Type:8 Code:0 ID:768 Seq:9217 ECHO 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [rootconformix] Information logged in the above example is as follows: • Data and time the packet was logged. • Source IP address is 192.168.1.101. • Destination IP address is 192.168.1.2. • Protocol used in the packet is ICMP. • The TTL Time To Live field value in the IP header is 100. • The TOS Type Of Service field value in IP header is 0. This value shows that this is a normal packet. For details of other TOS values, refer to RFC 791.Parts
» Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Logs False Alarms Some Definitions
» Where IDS Should be Placed in Network Topology
» Honey Pots What is Intrusion Detection?
» Security Zones and Levels of Trust
» IDS Policy Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Packet Decoder Preprocessors Components of Snort
» The Detection Engine Components of Snort
» Dealing with Switches Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» TCP Stream Follow Up Supported Platforms
» Snort on Stealth Interface Snort with no IP Address Interface
» References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Test Installation Snort Installation Scenarios
» Single Sensor Production IDS
» Multiple Snort Sensors with Centralized Database
» Download Install Installing Snort from the RPM Package
» Unpacking Installing Snort from Source Code
» Running the configure script. Running the
» Running the make install command.
» Create or copy the Snort configuration file in
» Create a directory After Installation Processes
» Generating Test Alerts Testing Snort
» Generating Test Alerts with Automatic Snort Startup
» Errors While Starting Snort Running Snort on a Non-Default Interface
» Automatic Startup and Shutdown
» Running Snort on Multiple Network Interfaces
» Logging Snort Data in Text Format
» Logging Snort in Binary Format
» Network Intrusion Detection Mode
» UNIX Socket Mode Snort Alert Modes
» Running Snort in Stealth Mode
» TCPIP Network Layers Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» CIDR Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» User Defined Actions Rule Actions
» Well-Known Port Numbers Port Number
» The ack Keyword The classtype Keyword
» The content Keyword Rule Options
» The offset Keyword Rule Options
» The depth Keyword The content-list Keyword
» The dsize Keyword Rule Options
» The flags Keyword Rule Options
» The fragbits Keyword Rule Options
» The itype Keyword Rule Options
» The icode Keyword Rule Options
» The id Keyword The ipopts Keyword
» The logto Keyword Rule Options
» The reference Keyword Rule Options
» The resp Keyword Rule Options
» The rev Keyword The rpc Keyword
» The session Keyword Rule Options
» The sid Keyword Rule Options
» The tag Keyword Rule Options
» The tos Keyword Rule Options
» The ttl Keyword Rule Options
» The uricontent Keyword Rule Options
» Using a List of Networks in Variables Using Interface Names in Variables
» The config Directives The Snort Configuration File
» Preprocessor Configuration Output Module Configuration
» Include Files The Snort Configuration File
» Order of Rules Based upon Action
» The Simple Method Automatically Updating Snort Rules
» The Sophisticated and Complex Method
» Writing Good Rules Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» The frag2 Module Preprocessors
» The stream4 Module Preprocessors
» The spade Module Preprocessors
» The alert_syslog Output Module
» The alert_smb Module The log_tcpdump Output Module
» Examples The XML Output Module
» Logging to Databases Output Modules
» CSV Output Module Output Modules
» Unified Logging Output Module SNMP Traps Output Module
» Using BPF Fileters Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Creating Extra Tables Step 5: Creating Tables in the Snort Database
» Secure Logging to Remote Databases Securely Using Stunnel
» Archiving the Database Snort Database Maintenance
» Using Sledge Hammer: Drop the Database
» What is ACID? Installation and Configuration
» Listing Protocol Data Alert Details Searching
» Generating Graphs Archiving Snort Data
» SnortSnarf Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Barnyard References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» SnortSam Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» IDS Policy Manager Prentice.Hall – Intrusion.Detection.Systems.with.Snort
Show more