[Snort-devel] icmpspoof preprocessor for snort

John Papapanos jpa3nos at ...1264...
Wed Apr 23 02:28:05 EDT 2003


----- Original Message -----
From: "Chris Green" <cmg at ...402...>
To: "John Papapanos" <jpa3nos at ...1264...>
Cc: <Snort-devel at lists.sourceforge.net>
Sent: Wednesday, April 23, 2003 12:52 AM
Subject: Re: [Snort-devel] icmpspoof preprocessor for snort


> Just a few things for general advice:
>
> 1) When using globals, unless it truly is global, use the 'static'
> keyword to keep it file local.  I know the templates need
> updating... :)

Couldn't agree more, my code needs a lot of fixing.

> 2) It seems that you are using global arguments to pass values between
>    functions when you could have them as local. If you converted them,
>    you could make your code even smaller by collapsing the _DN and _SN
>    code.

The _DN and _SN functions are mostly the same, but the DN and SN structs are
different, using different pointers and other fields. So I needed to write
slightly different code to implement each one. (Hope I understood what you
meant.)

> 3) Have you thought about implementing this as a call back for
>    spp_conversation in much the same way portscan2 is done?

No, I haven't thought of that. When I started writing this preproc,
portscan2 wasn't there.
I'll look into it. Do you think it is a better solution?

> 4) Is there any consideration for an attacker generating lots of
> spoofed packets?  In the 2 minutes I've spent looking, it doesn't seem
> any memory protection mechanisms are in place ( like a fixed-size ring
> buffer )

Very good point. It's at the top of my TO DO list.
The only protection mechanism for this is that I check my lists before I
make any new insertion or before I search them to find a matching Request.
If the nodes inside the list have a time field less than the threshold
time, then these nodes are deleted. A problem could exist if the attacker
sends too many packets within the Timeout limit (default 3 secs).

> 5) To detect spoofed packets, perhaps you should allow one mac address
>    to be assigned "internal side" and one mac address to be "external
>    side" and then alert when you see traffic from one side to another.

If I'm getting it right, this would detect only spoofed packets passing
through Snort.
In this preproc, if someone outside the protected net sends a spoofed Request
to another outside host, spoofing the address of an inside host, then the
Reply (not spoofed) that will be sent to the protected net will pass through
Snort and will generate an alert, because no Request was stored in my lists
for this Reply. The same is happening with the Unreachable messages.


I will send you some snapshots of how the lists in the preproc look, so it
would be easier for someone to look into the code.

I know I'm not much of a programmer and my code needs a lot of fixing,
but I think this preproc could be evolved into something useful.

Thanks for your comments and advice.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Snapshots.zip
Type: application/x-zip-compressed
Size: 94004 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030423/76d8f338/attachment.bin>
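The two mechanisms discussed above, the 3-second timeout on stored Requests (point 4 in the reply) and the fixed-size ring buffer Chris Green suggests, as an added illustration that is not the icmpspoof preprocessor's code nor part of this thread. The ring size, the struct and function names, the packet fields used as the match key and the traffic timeline are all assumptions made for the example; only the 3 s default timeout comes from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE    8   /* hard upper bound on remembered requests (assumed value) */
#define TIMEOUT_SECS 3   /* the preprocessor's default timeout, per the thread */

/* One outstanding ICMP echo request and the id/seq pair its reply must carry. */
typedef struct {
    uint32_t src, dst;   /* IPv4 addresses as host-order integers */
    uint16_t id, seq;    /* ICMP echo identifier and sequence number */
    uint32_t ts;         /* time the request was seen, in seconds */
    int      used;       /* 0 = free slot */
} echo_req_t;

/* Fixed-size ring: memory never grows, no matter how many requests arrive. */
typedef struct {
    echo_req_t slots[RING_SIZE];
    unsigned   next;     /* next slot to (over)write */
    unsigned   evicted;  /* live (unexpired) entries overwritten by newer ones */
} echo_ring_t;

void ring_init(echo_ring_t *r) { memset(r, 0, sizeof *r); }

/* Remember an echo request. When the ring is full the oldest slot is reused;
 * if it still held an unexpired request we count the loss, because that
 * request's reply will now be reported as unsolicited. */
void ring_add_request(echo_ring_t *r, uint32_t src, uint32_t dst,
                      uint16_t id, uint16_t seq, uint32_t now)
{
    echo_req_t *s = &r->slots[r->next];
    if (s->used && now - s->ts < TIMEOUT_SECS)
        r->evicted++;
    s->src = src; s->dst = dst; s->id = id; s->seq = seq;
    s->ts = now;  s->used = 1;
    r->next = (r->next + 1) % RING_SIZE;
}

/* Look up the request an echo reply answers, dropping expired entries on the
 * way ("check the list before searching it"). Returns 1 and consumes the
 * entry on a match, 0 if the reply is unsolicited. */
int ring_match_reply(echo_ring_t *r, uint32_t reply_src, uint32_t reply_dst,
                     uint16_t id, uint16_t seq, uint32_t now)
{
    for (unsigned i = 0; i < RING_SIZE; i++) {
        echo_req_t *s = &r->slots[i];
        if (!s->used) continue;
        if (now - s->ts >= TIMEOUT_SECS) { s->used = 0; continue; }
        if (s->src == reply_dst && s->dst == reply_src &&
            s->id == id && s->seq == seq) {
            s->used = 0;
            return 1;
        }
    }
    return 0;
}

/* Constructed traffic (not a capture). Returns how many replies the tracker
 * would alert on as having no stored request. */
int demo_unsolicited_replies(void)
{
    echo_ring_t ring;
    int alerts = 0;
    const uint32_t inside  = 0x0A000005u;  /* 10.0.0.5, protected host */
    const uint32_t outside = 0xCB007101u;  /* 203.0.113.1, external host */
    ring_init(&ring);

    /* 1. inside pings outside, the reply arrives one second later: matched */
    ring_add_request(&ring, inside, outside, 0x1234, 1, 100);
    if (!ring_match_reply(&ring, outside, inside, 0x1234, 1, 101)) alerts++;

    /* 2. reply with no stored request: an attacker spoofed 10.0.0.5 in a
     *    request to 203.0.113.1, which answered the real host: alert */
    if (!ring_match_reply(&ring, outside, inside, 0x1234, 2, 102)) alerts++;

    /* 3. request stored, but the reply comes 4 s later, past the timeout: alert */
    ring_add_request(&ring, inside, outside, 0x1234, 3, 110);
    if (!ring_match_reply(&ring, outside, inside, 0x1234, 3, 114)) alerts++;

    return alerts;
}

/* Flood of spoofed requests inside the timeout window (point 4 in the thread).
 * Memory stays at RING_SIZE entries; the price is that live entries get
 * overwritten. Returns the number of evictions. */
unsigned demo_flood_evictions(unsigned flood_packets)
{
    echo_ring_t ring;
    ring_init(&ring);
    for (unsigned i = 0; i < flood_packets; i++)
        ring_add_request(&ring, 0x0A000005u, 0xCB007100u + (i % 250),
                         0xBEEF, (uint16_t)i, 200);
    return ring.evicted;
}

int main(void)
{
    printf("unsolicited replies alerted: %d\n", demo_unsolicited_replies());
    printf("live entries evicted by a 20-packet flood: %u\n",
           demo_flood_evictions(20));
    return 0;
}
```

The ring bounds memory at compile time, which is the point of Chris Green's suggestion, but it does not make the flood problem disappear: every spoofed request inside the timeout window that lands on a full ring evicts a real outstanding request, whose legitimate reply is then alerted as unsolicited. The ring therefore has to be sized for the expected request rate times the timeout, and a burst of such false alerts is itself worth alerting on. Note also that matching on address pair plus id/seq only distinguishes replies from an attacker who cannot see the original request; one who can observe traffic can copy those fields.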

