Unknown IP protocol
Summary
An unusual IP protocol number was seen in the header of a packet. This is uncommon and has several possible causes, some of them legitimate.
Details
All network traffic on the Internet is carried within IP packets. Each IP packet carries in its header a "protocol" number that identifies the transport protocol controlling the transmission (the 8-bit Protocol field of the IPv4 header; the Next Header field in IPv6). For example, web-surfing (HTTP) and e-mail (POP3, SMTP) applications use TCP (Transmission Control Protocol, protocol number 6).
Since TCP isn't appropriate for all applications, other transport protocols are used as well. UDP (protocol 17) is better suited to multimedia applications and to DNS, and ICMP (protocol 1) is used for network diagnostics such as ping and traceroute.
(Figure: the protocol stack. Applications over transports over IP: HTTP, POP3 and SMTP over TCP; RealAudio and DNS over UDP; ping and traceroute over ICMP; TCP, UDP and ICMP over IP.)
TCP, UDP, and ICMP are by far the most common protocols carried in IP. There are a few other well-known ones as well, such as IGMP (2), IP-in-IP (4), GRE (47), ESP (50), AH (51), and OSPF (89). This alert is triggered when the product sees an IP packet whose protocol number it does not recognize, or one that is rarely seen.
False Positives
Some protocols are reported as "unknown" by the intrusion detection system simply because they are unusual or suspicious, not because they are necessarily hostile. There are legitimate reasons to use them: IPsec VPNs use ESP and AH, GRE and IP-in-IP carry tunnels, and IGMP and OSPF carry multicast and routing traffic. Therefore, treat this alert as a notification that something abnormal is going on, and check whether the protocol number is expected on your network before dismissing it.
In many cases you will want to stop receiving this alert for the one peculiar protocol that is legitimately used in your environment. You can edit the file "sigs.ini" to suppress it. For example, if the protocol in question is number 71, add the line:

ip.protocol.71 = on

This stops all further alerts for protocol 71. The protocol number in question is shown in the URL of this web page.
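The following is an added example, not code from the page or from the product it describes. It shows the two things the text above relies on: where the protocol number actually lives in an IPv4 header (byte offset 9), and how an allow-list read from "ip.protocol.N = on" lines turns a raw protocol number into an alert, a known transport, or a suppressed one. The sample packets and the sigs.ini fragment are constructed inline; treating the "= on" lines as an allow-list of suppressed protocol numbers, and the KNOWN_PROTOCOLS table, are this example's assumptions, not the product's own logic.

```python
import struct

# IANA protocol numbers for the transports the page calls common, plus a few
# well-known ones (tunnelling, IPsec, routing) that are legitimate but unusual.
# Which numbers count as "known" is this example's choice, not the product's.
KNOWN_PROTOCOLS = {
    1: "ICMP", 2: "IGMP", 4: "IP-in-IP", 6: "TCP", 17: "UDP",
    47: "GRE", 50: "ESP", 51: "AH", 89: "OSPF",
}


def ipv4_protocol(packet):
    """Return the 8-bit Protocol field of an IPv4 header (byte offset 9).

    Raises ValueError for anything that is not a sane IPv4 header, so the
    caller never reads a "protocol" out of garbage or an IPv6 packet.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL %d" % ihl)
    return packet[9]


def parse_sigs_ini(text):
    """Collect the protocol numbers that 'ip.protocol.N = on' lines enable.

    The key/value shape follows the page's example line; reading these lines
    as an allow-list of suppressed protocols is this example's assumption.
    """
    allowed = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":   # blank, comment or section header
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip().lower()
        if key.startswith("ip.protocol.") and value == "on":
            number = key[len("ip.protocol."):]
            if number.isdigit() and int(number) <= 255:
                allowed.add(int(number))
    return allowed


def classify(packet, allowed):
    """Return (protocol number, verdict) for one IPv4 packet."""
    proto = ipv4_protocol(packet)
    if proto in KNOWN_PROTOCOLS:
        return proto, "ok:" + KNOWN_PROTOCOLS[proto]
    if proto in allowed:
        return proto, "suppressed"
    return proto, "ALERT unknown IP protocol"


def make_ipv4_header(proto, src, dst):
    """Build a minimal 20-byte IPv4 header (constructed input; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)


# Constructed sigs.ini fragment containing the page's example line.
SIGS_INI = "; constructed fragment\nip.protocol.71 = on\n"

SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # 10.0.0.1 -> 10.0.0.2
SAMPLE_PACKETS = [
    make_ipv4_header(6, SRC, DST),     # TCP
    make_ipv4_header(17, SRC, DST),    # UDP
    make_ipv4_header(71, SRC, DST),    # the page's example, suppressed via sigs.ini
    make_ipv4_header(253, SRC, DST),   # reserved for experimentation: should alert
]


def run_demo(packets=SAMPLE_PACKETS, sigs_ini=SIGS_INI):
    allowed = parse_sigs_ini(sigs_ini)
    return [classify(p, allowed) for p in packets]


if __name__ == "__main__":
    for proto, verdict in run_demo():
        print("protocol %3d -> %s" % (proto, verdict))
```

Note that protocol 253 still alerts even though it is assigned (reserved for experiments): the point of the allow-list is to silence only the one number you have investigated, not everything outside TCP/UDP/ICMP.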