Rule Options
  Loose Source Routing (lsrr)
  Strict Source Routing (ssrr)
For a complete list of IP options, see RFC 791 at http://www.rfc-editor.org/rfc/rfc791.txt.
The options listed above are the ones most commonly used in Snort rules. Some hackers
can use these options to find information about your network. For example, loose and
strict source routing can help a hacker discover whether a particular network path
exists.
Using Snort rules, you can detect such attempts with the ipopts keyword. The
following rule detects any attempt made using Loose Source Routing:
alert ip any any -> any any (ipopts: lsrr; \
   msg: "Loose source routing attempt";)
You can also use a logto keyword to log the messages to a file. However, you
can't specify multiple IP options keywords in one rule.
3.6.16 The ip_proto Keyword
The ip_proto keyword uses the IP Proto plug-in to determine the protocol number in
the IP header. The keyword requires a protocol number as its argument. You can also
use a protocol name if it can be resolved using the /etc/protocols file. Sample
entries in this file look like the following:
ax.25   93      AX.25           # AX.25 Frames
ipip    94      IPIP            # Yet Another IP encapsulation
micp    95      MICP            # Mobile Internetworking Control Pro.
scc-sp  96      SCC-SP          # Semaphore Communications Sec. Pro.
etherip 97      ETHERIP         # Ethernet-within-IP Encapsulation
encap   98      ENCAP           # Yet Another IP encapsulation
#       99                      # any private encryption scheme
gmtp    100     GMTP            # GMTP
ifmp    101     IFMP            # Ipsilon Flow Management Protocol
pnni    102     PNNI            # PNNI over IP
The following rule checks whether the IPIP protocol is being used by data packets:
alert ip any any -> any any (ip_proto: ipip; \
   msg: "IP-IP tunneling detected";)
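
The following is an added example, not part of the original text and not Snort's own code: a small Python parser that reads the two header fields the ipopts and ip_proto rules above match on. The option type values (131 for lsrr, 137 for ssrr) come from RFC 791; the helper names, sample packets and addresses are constructed for illustration.

```python
import struct

# Option type bytes from RFC 791; names follow the Snort ipopts arguments.
IPOPT_EOL, IPOPT_NOP = 0, 1
OPTION_NAMES = {131: "lsrr", 137: "ssrr", 7: "rr", 68: "ts"}

def inspect_ipv4_header(packet: bytes):
    """Return (protocol_number, [option names]) for a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    header_len = ihl * 4
    if version != 4 or header_len < 20 or header_len > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    protocol = packet[9]                  # field tested by ip_proto
    options = packet[20:header_len]       # field tested by ipopts
    found, i = [], 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == IPOPT_EOL:         # end of option list
            break
        if opt_type == IPOPT_NOP:         # single-byte padding option
            i += 1
            continue
        # Every other option is type, length, data; length covers all three.
        if (i + 1 >= len(options) or options[i + 1] < 2
                or i + options[i + 1] > len(options)):
            found.append("malformed")     # bad length: stop, do not loop forever
            break
        found.append(OPTION_NAMES.get(opt_type, f"type-{opt_type}"))
        i += options[i + 1]
    return protocol, found

def build_sample(protocol: int, options: bytes = b"") -> bytes:
    """Constructed test header (checksum left at zero, RFC 5737 addresses)."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, protocol, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

# Constructed LSRR option: type 131, length 7, pointer 4, one hop address.
LSRR = bytes([131, 7, 4, 203, 0, 113, 9])

if __name__ == "__main__":
    # Protocol 94 is ipip in the /etc/protocols listing above.
    print(inspect_ipv4_header(build_sample(94, LSRR)))
```

A header with a bad option length is reported as "malformed" rather than skipped, since a sensor that silently gives up on such a header would also miss any source-routing option that follows it.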





