ip_proto

The ip_proto rule option checks the IP header's protocol field against an IP protocol number or name. Valid protocol numbers and names are listed on IANA's "Protocol Numbers" page: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

Rule writers can also use the !, <, or > operators to check for IP header protocol numbers that are not equal to, less than, or greater than the specified protocol number or protocol name's corresponding number.

Format:

ip_proto:[!|>|<]{proto_number|proto_name};

Examples:

# Check that the IP protocol field equals IGMP
ip_proto:igmp;
# Check that the IP protocol field does not equal TCP 
ip_proto:!tcp;
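
The following is an added illustration, not code from Snort or from this page: a small Python model of how the four comparison forms (equal, !, <, >) evaluate against the Protocol byte of an IPv4 header. The function names, the four-entry name table and the sample headers are constructed for the example, and it assumes IPv4 only.

```python
import re
import struct

# Small constructed subset of the IANA protocol-number table (name -> number).
PROTO_NAMES = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}

# Mirrors the documented format: ip_proto:[!|>|<]{proto_number|proto_name};
OPTION_RE = re.compile(r"^ip_proto:\s*([!<>]?)\s*([A-Za-z0-9_-]+)\s*;$")

def parse_ip_proto(option):
    """Return (operator, protocol_number) for an ip_proto option string."""
    m = OPTION_RE.match(option.strip())
    if not m:
        raise ValueError(f"not an ip_proto option: {option!r}")
    op, value = m.group(1) or "=", m.group(2).lower()
    number = int(value) if value.isdigit() else PROTO_NAMES.get(value)
    if number is None:
        raise ValueError(f"protocol name not in sample table: {value!r}")
    if not 0 <= number <= 255:
        raise ValueError(f"protocol number out of range: {number}")
    return op, number

def ipv4_protocol(header):
    """Read the 8-bit Protocol field (byte offset 9) of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    return header[9]

def ip_proto_matches(option, header):
    """Evaluate an ip_proto option against one IPv4 header."""
    op, wanted = parse_ip_proto(option)
    seen = ipv4_protocol(header)
    return {"=": seen == wanted, "!": seen != wanted,
            "<": seen < wanted, ">": seen > wanted}[op]

def sample_header(proto):
    """Constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

if __name__ == "__main__":
    for opt in ("ip_proto:igmp;", "ip_proto:!tcp;", "ip_proto:>17;"):
        for proto in (2, 6, 47):
            print(opt, proto, ip_proto_matches(opt, sample_header(proto)))
```

Note that the < and > forms are strict comparisons on the numeric value, so a name such as udp is first resolved to its number (17) before comparing.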