The ip_proto Snort option allows Snort rules to be restricted to any of the possible 256 values in the protocol field within the IP header; these values are defined within the /etc/protocols file. This does not necessarily imply that Snort has special decoding capability for arbitrary Internet protocols such as, say, IP 119 (SRP, SpectraLink Radio Protocol) or IP 132 (SCTP, Stream Control Transmission Protocol); it simply means that Snort can apply application payload checks to packet data that is past the IP header for those packets that match the IP number. The Snort ip_proto option is supported in iptables with the -p protocol argument, and similarly to Snort, iptables accepts the protocol numeric value or the complete protocol name listed in /etc/protocols.
Like many other Snort options, ip_proto allows negation and ranges via the !, <, and > operators. In addition, Snort supports multiple ip_proto options within the same rule (e.g., ip_proto: !1; ip_proto: !2;). Protocol negation is also supported by iptables with the ! operator, but protocol ranges and multiple protocols within a single rule are not supported. For reference, a complete listing of all currently assigned IP numbers can be obtained from http://www.iana.org/assignments/protocol-numbers.
An example command designed to have iptables log all General Routing Encapsulation (GRE) packets, which are transmitted over IP 47, appears below:
[iptablesfw]# iptables -A INPUT -p 47 -j LOG --log-prefix "GRE PACKET "
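The mapping described above, as an added example (not code from the original text, Snort, or iptables): a small Python translator that turns a Snort rule's ip_proto option into iptables arguments and refuses ranges and multiple ip_proto options, which -p cannot express in one rule. The function names and sample option strings are constructed for illustration, and negation is emitted in the `! -p` form.

```python
import re
import shlex

# One ip_proto option, e.g. "ip_proto: 47;", "ip_proto: !1;", "ip_proto: >100;"
IP_PROTO_RE = re.compile(r'\bip_proto\s*:\s*([!<>]?)\s*([A-Za-z0-9_.+-]+)\s*;')
# Quoted strings (content:"...") are blanked first so they cannot match.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')


class Untranslatable(ValueError):
    """The option has no equivalent in a single iptables rule."""


def ip_proto_to_iptables(options):
    """Return the iptables match arguments for a Snort option string."""
    found = IP_PROTO_RE.findall(QUOTED_RE.sub('""', options))
    if not found:
        return []                      # no protocol restriction in the rule
    if len(found) > 1:
        raise Untranslatable("multiple ip_proto options in one rule")
    op, proto = found[0]
    if op in ("<", ">"):
        raise Untranslatable("protocol ranges cannot be expressed with -p")
    if proto.isdigit() and int(proto) > 255:
        raise ValueError("IP protocol field is 8 bits: 0-255")
    match = ["-p", proto]              # number or /etc/protocols name
    return ["!"] + match if op == "!" else match


def log_rule(options, prefix, chain="INPUT"):
    """Build (not run) an iptables LOG command as an argument list."""
    return ["iptables", "-A", chain, *ip_proto_to_iptables(options),
            "-j", "LOG", "--log-prefix", prefix]


if __name__ == "__main__":
    # Constructed Snort option strings, not taken from any real rule set.
    samples = [("ip_proto: 47;", "GRE PACKET "),
               ("ip_proto: !1;", "NOT ICMP "),
               ("ip_proto: !1; ip_proto: !2;", "MULTI "),
               ("ip_proto: >100;", "RANGE ")]
    for opts, prefix in samples:
        try:
            print(shlex.join(log_rule(opts, prefix)))
        except ValueError as err:
            print(f"skipped {opts!r}: {err}")
```

The first sample reproduces the GRE logging command shown above; the last two are reported as skipped rather than silently translated into a rule that matches different traffic.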