[Snort-devel] icmpspoof preprocessor for snort

Chris Green cmg at ...402...
Tue Apr 22 14:54:06 EDT 2003

"John Papapanos" <jpa3nos at ...1264...> writes:

> There is still work to be done and more features to be added for the
> future.
> Please feel free to test it and post me your comments on this and
> don't hesitate to ask me any questions. I'm very interested in your
> feedback.
> The preprocessor's files can also be found at:
>             http://www.epmhs.gr/en/snort/preprocessor_icmpspoof/
Just a few things for general advice:

1) When using globals, unless it truely is global, use the 'static'
keyword to keep it file local.  I know the templates need
updating... :)

2) It seems that you are using global arguments to pass values between
   functions when you could have them as local. If you converted them,
   you could make your code even smaller by collapsing the _DN and _SN

3) Have you thought about implementing this as a call back for
   spp_conversation in much the same way portscan2 is done?

4) Is there any consideration for an attacker generating lots of
spoofed packets?  In the 2 minutes I've spent looking, it doesn't seem
any memory protection mechanims are in place ( like a fixed-size ring
buffer )

5) To detect spoofed packets, perhaps you should allow one mac address
   to be assigned "internal side" and one mac address to be "external
   side" and then alert when you see traffic from one side to another.

Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.

More information about the Snort-devel mailing list