Rule Options
101
Loose Source Routing (lsrr)
Strict Source Routing (ssrr)
For a complete list of IP options see RFC 791 at http://www.rfc-editor.org/rfc/rfc791.txt. In Snort rules, the most commonly used options are listed above. These options can be used by some hackers to find information about your network. For example, loose and strict source routing can help a hacker discover whether a particular network path exists.
Using Snort rules, you can detect such attempts with the ipopts keyword. The following rule detects any attempt made using Loose Source Routing:
alert ip any any -> any any (ipopts: lsrr; \
msg: "Loose source routing attempt";)
You can also use a logto keyword to log the messages to a file. However, you
can't specify multiple IP options keywords in one rule.
3.6.16 The ip_proto Keyword
The ip_proto keyword uses the IP Proto plug-in to check the protocol number in the IP header. The keyword requires a protocol number as its argument. You can also use a name for the protocol if it can be resolved using the /etc/protocols file. Sample entries in this file look like the following:
ax.25     93   AX.25     # AX.25 Frames
ipip      94   IPIP      # Yet Another IP encapsulation
micp      95   MICP      # Mobile Internetworking Control Pro.
scc-sp    96   SCC-SP    # Semaphore Communications Sec. Pro.
etherip   97   ETHERIP   # Ethernet-within-IP Encapsulation
encap     98   ENCAP     # Yet Another IP encapsulation
#         99             # any private encryption scheme
gmtp      100  GMTP      # GMTP
ifmp      101  IFMP      # Ipsilon Flow Management Protocol
pnni      102  PNNI      # PNNI over IP
The following rule checks whether the IPIP protocol is being used by data packets:
alert ip any any -> any any (ip_proto: ipip; \
msg: "IP-IP tunneling detected";)
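To make concrete what the ipopts and ip_proto tests above actually examine in a packet, here is an added example (not Snort's own code) that walks the IPv4 options area for an LSRR option, resolves a protocol name from /etc/protocols-style lines, and evaluates both tests against constructed headers. The protocol table, the packet builder and the addresses are all constructed for this example.

```python
import struct
import socket

# Option type codes from RFC 791 (copy flag | class | number) behind the ipopts names
OPT_CODES = {"lsrr": 0x83, "ssrr": 0x89}
EOL, NOP = 0, 1
# Constructed /etc/protocols-style lines mirroring the page's sample entries
PROTOCOLS_TEXT = """ipip\t94\tIPIP\t# Yet Another IP encapsulation
etherip\t97\tETHERIP\t# Ethernet-within-IP Encapsulation
gmtp\t100\tGMTP\t# GMTP"""

def load_protocols(text):  # name -> number, the way /etc/protocols lays them out
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then split columns
        if len(fields) >= 2 and fields[1].isdigit():
            table[fields[0]] = int(fields[1])
    return table

PROTOCOLS = load_protocols(PROTOCOLS_TEXT)

def ip_options(pkt):  # return the option type codes present in an IPv4 header
    ihl = (pkt[0] & 0x0F) * 4                    # header length in bytes
    opts, i, found = pkt[20:ihl], 0, []
    while i < len(opts) and opts[i] != EOL:
        if opts[i] == NOP:                       # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed IP option length")  # truncated or bogus option
        found.append(opts[i])
        i += opts[i + 1]                         # length covers the type and length bytes
    return found

def matches(pkt, ipopts=None, ip_proto=None):  # evaluate ipopts/ip_proto tests on a header
    if ipopts is not None and OPT_CODES[ipopts] not in ip_options(pkt):
        return False
    if ip_proto is not None:                     # number, or a name resolved from the table
        number = int(ip_proto) if ip_proto.isdigit() else PROTOCOLS[ip_proto]
        if pkt[9] != number:                     # byte 9 of the IPv4 header is Protocol
            return False
    return True

def build_ipv4(proto, options=b""):  # construct a minimal IPv4 header, checksum zeroed
    options += b"\x00" * (-len(options) % 4)     # pad the options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                      64, proto, 0, socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    return hdr + options

# Constructed samples: an LSRR option (type, length, pointer, one hop) and an IPIP packet
LSRR_PKT = build_ipv4(6, b"\x83\x07\x04" + socket.inet_aton("192.0.2.1"))
IPIP_PKT = build_ipv4(94)
```

matches(LSRR_PKT, ipopts="lsrr") and matches(IPIP_PKT, ip_proto="ipip") correspond to the two rules above; a header with a bogus option length raises rather than being silently skipped.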