Chapter 3 Working with Snort Rules
The next rule is the same as the previous one except that it uses the protocol number instead of the protocol name, which is more efficient:
alert ip any any -> any any (ip_proto: 94; \
msg: "IP-IP tunneling detected";)
Protocol numbers are defined in RFC 1700 at http://www.rfc-editor.org/rfc/rfc1700.txt. The latest numbers can be found on the ICANN web site at http://www.icann.org or on the IANA web site at http://www.iana.org.
3.6.17 The logto Keyword
The logto keyword is used to log packets to a special file. The general syntax is as
follows:
logto:logto_log
Consider the following rule:
alert icmp any any -> any any (logto:logto_log; ttl: 100;)
This rule logs all ICMP packets whose TTL value is 100 to the file logto_log. A typical packet logged in this file looks as follows:
[root@conformix]# cat logto_log
07/03-03:57:56.496845 192.168.1.101 -> 192.168.1.2
ICMP TTL:100 TOS:0x0 ID:33822 IpLen:20 DgmLen:60
Type:8 Code:0 ID:768 Seq:9217 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70
abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69
qrstuvwabcdefghi
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[root@conformix]#
Information logged in the above example is as follows:
Date and time the packet was logged.
Source IP address is 192.168.1.101.
Destination IP address is 192.168.1.2.
Protocol used in the packet is ICMP.
The TTL (Time To Live) field value in the IP header is 100.
The TOS (Type Of Service) field value in the IP header is 0. This value shows that this is a normal packet. For details of other TOS values, refer to RFC 791.
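The record above is written in Snort's plain-text packet-logger format, which is easy to post-process when you want to verify what a logto rule actually captured. The following parser is an added example, not code from the book or from the Snort project: it reads the fields the list above describes (timestamp, addresses, protocol, TTL, TOS, IP ID, lengths, ICMP type and code) plus the hex payload, and then checks that the logged packet really satisfies the rule's conditions and that the declared datagram length agrees with the bytes dumped. The sample input is constructed from the record shown on this page; the function names and the `matches_rule` check are this example's own, and the parser assumes the layout shown here (hex dump followed by an ASCII column separated by at least two spaces, or the ASCII column on its own line, records ending in a `=+=+` separator line).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the logto_log record shown on the page (an ICMP
# echo request with TTL 100), in the layout Snort's packet logger writes.
SAMPLE_LOGTO = """07/03-03:57:56.496845 192.168.1.101 -> 192.168.1.2
ICMP TTL:100 TOS:0x0 ID:33822 IpLen:20 DgmLen:60
Type:8 Code:0 ID:768 Seq:9217 ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

"""

# First line: "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]" (a space instead of
# the hyphen between date and time is tolerated, as in the book's rendering).
HEADER_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2})[ -](?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# Second line: IP header summary.
IPHDR_RE = re.compile(
    r"^(?P<proto>[A-Z0-9]+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)"
    r"\s+ID:(?P<ipid>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)"
)
# Third line for ICMP: type, code and (for echo) identifier and sequence.
ICMP_RE = re.compile(
    r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)"
    r"(?:\s+ID:(?P<id>\d+)\s+Seq:(?P<seq>\d+))?\s*(?P<name>.*)$"
)
# Payload lines: uppercase hex bytes, then either end of line or the ASCII
# column, which Snort separates from the hex by two or more spaces.
HEX_RE = re.compile(r"^(?P<hex>[0-9A-F]{2}(?: [0-9A-F]{2})*)(?:\s{2,}|\s*$)")


@dataclass
class LoggedPacket:
    timestamp: str
    src: str
    dst: str
    proto: str
    ttl: int
    tos: int
    ip_id: int
    ip_len: int
    dgm_len: int
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    payload: bytes = b""

    def payload_text(self) -> str:
        """Render the payload the way Snort's ASCII column does ('.' for non-printables)."""
        return "".join(chr(b) if 32 <= b < 127 else "." for b in self.payload)

    def length_consistent(self) -> bool:
        """For ICMP: DgmLen must equal IP header + 8-byte ICMP header + payload."""
        if self.proto != "ICMP":
            return True  # no claim made for other protocols in this example
        return self.dgm_len == self.ip_len + 8 + len(self.payload)


def parse_record(lines: List[str]) -> Optional[LoggedPacket]:
    """Parse the lines of one record (everything between two =+=+ separators)."""
    hdr = ip = icmp = None
    payload = bytearray()
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if hdr is None:
            hdr = HEADER_RE.match(line)
            if hdr is None:
                raise ValueError(f"unexpected line before packet header: {line!r}")
            continue
        if ip is None:
            ip = IPHDR_RE.match(line)
            if ip is None:
                raise ValueError(f"unexpected line before IP header: {line!r}")
            continue
        if icmp is None and ip.group("proto") == "ICMP":
            m = ICMP_RE.match(line)
            if m:
                icmp = m
                continue
        m = HEX_RE.match(line)
        if m:
            payload += bytes.fromhex(m.group("hex").replace(" ", ""))
        # Any other line (e.g. a detached ASCII column) carries no new data.
    if hdr is None or ip is None:
        return None
    return LoggedPacket(
        timestamp=f"{hdr.group('date')}-{hdr.group('time')}",
        src=hdr.group("src"), dst=hdr.group("dst"), proto=ip.group("proto"),
        ttl=int(ip.group("ttl")), tos=int(ip.group("tos"), 16),
        ip_id=int(ip.group("ipid")), ip_len=int(ip.group("iplen")),
        dgm_len=int(ip.group("dgmlen")),
        icmp_type=int(icmp.group("type")) if icmp else None,
        icmp_code=int(icmp.group("code")) if icmp else None,
        payload=bytes(payload),
    )


def parse_logto(text: str) -> List[LoggedPacket]:
    """Split a logto file into records on the =+=+ separator and parse each one."""
    packets, current = [], []
    for line in text.splitlines():
        if line.startswith("=+=+"):
            pkt = parse_record(current)
            if pkt:
                packets.append(pkt)
            current = []
        else:
            current.append(line)
    pkt = parse_record(current)  # a trailing record with no separator
    if pkt:
        packets.append(pkt)
    return packets


def matches_rule(pkt: LoggedPacket, proto: str = "ICMP", ttl: int = 100) -> bool:
    """Does the logged packet satisfy the conditions of the logto rule above?"""
    return pkt.proto == proto and pkt.ttl == ttl


if __name__ == "__main__":
    for p in parse_logto(SAMPLE_LOGTO):
        print(p.timestamp, p.src, "->", p.dst, p.proto, "TTL", p.ttl, "TOS", p.tos,
              "rule match:", matches_rule(p), "length ok:", p.length_consistent())
```

Running it over a real logto_log produced by the rule above gives one line per record; a packet for which `matches_rule` is false or `length_consistent` is false would indicate that the file was written by a different rule or that the dump was truncated, which is worth knowing before the file is used as evidence.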