[Snort-devel] ascii output's problems
delon.nicolas at ...1042...
Fri Sep 12 23:57:01 EDT 2003
Erek Adams wrote:
> On Sat, 13 Sep 2003, Nicolas Delon wrote:
>>So, if someone attacks a host with a source port lower than the target
>>port, path and filename will be inverted (source ip <=> destination ip,
>>source port <=> destination port).
> There's something you missed.
> Check back up in the code a few lines:
> /* figure out which way this packet is headed in relation to the homenet */
> if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
> if((p->iph->ip_src.s_addr & pv.netmask) != pv.homenet)
You're right, I missed this option...
> If you use '-h 10.42.0.0/24' you don't have the problem. From the man
> -h home-net
> Set the "home network" to home-net. The format of this
> address variable is a network prefix plus a CIDR block,
> such as 192.168.1.0/24. Once this variable is set, all
> decoded packet logging will be done relative to the
> home network address space. This is useful because of
> the way that Snort formats its ASCII log data. With
> this value set to the local network, all decoded output
> will be logged into decode directories with the address
> of the foreign computer as the directory name, which is
> very useful during traffic analysis.
... however, this won't change anything, because 10.42.0.1 and 10.42.0.2
are on the same network. We will also have the problem if an attacker
outside the homenet spoofs his IP to a homenet IP, and if someone *from*
the homenet attacks internet hosts from a lower port than the target port.
I think that the only way to solve those problems would be keeping track
of TCP/UDP "connections"/exchanges.
"The only way to stop open source is to make it illegal." - Bruce Perens
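The directory-naming decision the thread argues about, as an added C example that is not Snort's code: it reconstructs (as an assumption) the home-net check from the quoted lines plus the port-order fallback, and runs constructed cases with 10.42.0.0/24 as the home net and 203.0.113.5 as a foreign host.

```c
#define _POSIX_C_SOURCE 200112L   /* for inet_pton() under strict -std modes */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum side { SIDE_SRC = 0, SIDE_DST = 1 };   /* which endpoint names the directory */
/* Dotted quad -> host-order address; 0 when unparsable (used for "no -h given"). */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* CIDR prefix length -> netmask, e.g. 24 -> 0xffffff00; 0 -> 0 (everything is "home"). */
static uint32_t prefix_mask(int prefix)
{
    return prefix <= 0 ? 0 : prefix >= 32 ? 0xffffffffu : 0xffffffffu << (32 - prefix);
}
/* Assumed reconstruction of the decision the thread describes, not Snort's source:
 * exactly one foreign endpoint -> the foreign host names the directory;
 * both inside the home net (or no home net) -> fall back to port ordering. */
static enum side pick_dir_side(uint32_t homenet, uint32_t netmask,
                               uint32_t src, uint32_t dst, uint16_t sp, uint16_t dp)
{
    int src_home = ((src & netmask) == homenet);
    int dst_home = ((dst & netmask) == homenet);
    if (dst_home && !src_home) return SIDE_SRC;   /* inbound from outside */
    if (src_home && !dst_home) return SIDE_DST;   /* outbound to outside */
    return (sp >= dp) ? SIDE_SRC : SIDE_DST;      /* ambiguous: the inversion case */
}

/* Returns 1 when the directory chosen for this packet would be named `expect`. */
static int dir_is(const char *home_ip, int prefix, const char *src, uint16_t sp,
                  const char *dst, uint16_t dp, const char *expect)
{
    uint32_t mask = prefix_mask(prefix);
    enum side s = pick_dir_side(ip4(home_ip) & mask, mask, ip4(src), ip4(dst), sp, dp);
    return strcmp(s == SIDE_SRC ? src : dst, expect) == 0;
}
int main(void)
{   /* Constructed scenarios: home net 10.42.0.0/24, foreign host 203.0.113.5. */
    printf("foreign src, low sport, -h set -> dir is foreign host: %d\n",
           dir_is("10.42.0.0", 24, "203.0.113.5", 25, "10.42.0.2", 80, "203.0.113.5"));
    printf("foreign src, low sport, no -h  -> dir is the victim:   %d\n",
           dir_is("", 0, "203.0.113.5", 25, "10.42.0.2", 80, "10.42.0.2"));
    printf("internal or spoofed src        -> dir is the victim:   %d\n",
           dir_is("10.42.0.0", 24, "10.42.0.1", 25, "10.42.0.2", 80, "10.42.0.2"));
    return 0;
}
```

The third case is the one the reply points out: a source inside the home net (genuine or spoofed) takes the port fallback, so a low source port puts the log under the victim's address.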